NEWS FROM THE LAB - Wednesday, December 22, 2010

Social Spam Q&A
Posted by Sean @ 16:35 GMT

Q: What is "social spam"?
A: Social spam is spam that uses social networking, media and news-related websites to spread links.

Q: Links? You mean stuff like those links I see on Facebook saying something like "OMG! Father catches his daughter on webcam"?
A: Yes. Those links.

Q: And just how does spreading salacious links pay off for the social spammer?
A: First, let's discuss how e-mail spam works.

Q: Well… alright then, what about e-mail spam?
A: E-mail spam is similar to real world junk/bulk mail, the stuff that clogs up your mailbox at home. A product owner wants promotion, so he hires somebody to distribute advertising. The bulk mailer (spammer) offers prices/rates based on the number of ads to be distributed.

Q: Sounds rather straightforward. So how does an e-mail spammer get paid?
A: Could be a number of ways, but generally, you'll pay upfront for X amount of messages distributed. E-mail spammers compete with one another by attempting to offer better services. They also try to guarantee that their address lists are validated (live) accounts and thus a better quality than the other guys.

Q: So e-mail spam is a traditional product owner to advertiser relationship?
A: Right. The product owner wants advertising, so he pays an advertiser. The ad (spam) is sent to your Inbox and your antispam software filters the spam to a junk folder.

Q: Let's get back to social spam. How does spamming a link pay off for the spammer? There's no "advertising message" embedded in the link… it's just some tabloid-style headline. Does the link open to an ad page?
A: No. (That's comment spam.) The social spam link is only the first step in the social spam process. And the greater the number of links spread, the greater the potential payoff for the spammer.

Q: What's the second step in the process?
A: Spreading the spam link.

Q: And how is that done?
A: By abusing the "social" nature of the website. So on Facebook for example, if you click a spam link, you'll be directed to a page that wants you to either like or allow.

Q: Like or allow?
A: Right. If the link takes you to a Facebook application (hosted by facebook.com) you'll have to allow the application access to your profile. If you do, the application will post its link to your profile, and thus share it with your friends.

Q: If it isn't an application?
A: If the link takes you to a "Page" (either on or offsite) you'll be requested to "Like" and "Share" the page to your profile. Spammers will use various tricks to get you to like and share.

Q: What kind of tricks?
A: Clear click clickjacking attacks. Pages attempt to use invisible frames to get people to click on a "like button" without even realizing it.
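
The invisible-frame trick described above can be spotted from the defender's side. The following is an added example, not code from the original post: a Python scanner that flags Like-widget iframes rendered with near-zero opacity. The widget URL hint, the 0.1 opacity threshold and both sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: URL fragments of embeddable "like" widgets to watch for (illustrative).
WIDGET_HINTS = ("facebook.com/plugins/like.php",)
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}  # never have end tags

def is_hidden(style):
    """True if inline CSS leaves the element clickable but (nearly) invisible."""
    decls = (d.split(":", 1) for d in style.split(";") if ":" in d)
    css = {k.strip().lower(): v.strip().lower() for k, v in decls}
    try:
        return float(css.get("opacity", "1")) <= 0.1  # assumed threshold
    except ValueError:
        return False

class LikejackScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden) for every open element
        self.findings = []  # src of widget iframes that render invisibly

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Opacity applies to descendants, so a hidden ancestor hides the frame.
        hidden = is_hidden(a.get("style") or "") or any(h for _, h in self.stack)
        src = a.get("src") or ""
        if tag == "iframe" and hidden and any(w in src for w in WIDGET_HINTS):
            self.findings.append(src)
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    scanner = LikejackScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed samples: a bait page and an ordinary visible embed.
LIKE = "https://www.facebook.com/plugins/like.php?href="
BAIT = ('<div><img src="play.png"><div style="opacity: 0.0">'
        '<iframe src="' + LIKE + 'http%3A%2F%2Fbait.example%2F"></iframe></div></div>')
BENIGN = '<iframe src="' + LIKE + 'http%3A%2F%2Fnews.example%2F" style="border:none"></iframe>'
print(scan(BAIT), scan(BENIGN))
```

Only inline styles are inspected here; frames hidden through stylesheets or script-set styles need a rendering engine to catch.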

Q: So liking and sharing the page spreads the links… you do the spammer's work for them?
A: Right.

Q: But if it is an application instead of a page, you have to allow it access?
A: Correct. And Facebook does provide a clear warning beforehand.

Q: How about other websites?
A: Twitter applications also warn the user before they add an application. Twitter switched to OAuth at the end of August 2010 so that your password is no longer shared with third party applications.

Q: So applications can be controlled and/or limited, but external pages that mimic the social site, can they be prevented?
A: That's a challenge. Social sites are designed to share. That's why they're social. A far greater number of legitimate pages are liked/shared and tweeted every day. The only way to really prevent a spam page from being shared is to block all sharing or, of course, to remove the page from the site.

Q: So what is done?
A: Filtering. Social sites rely on their communities to report spam. Both Twitter and Facebook have "report as spam" options. And they have antispam technologies on the back-end.

Q: Step 2 is spreading… why does that process sound kind of familiar?
A: Because it is similar to an e-mail worm.

Q: What? An e-mail worm?
A: Yeah. E-mail spam includes its advertising in the body of the message or in an attachment. E-mail worms are a bit different. They used to attach a binary payload to a message, but antivirus companies long ago learned to filter such attachments.

Q: And?
A: And so these days, because malicious attachments are filtered, e-mail worms use links as bait. Recipients click on the link within the message and are taken to a webpage offering a malicious payload. And part of that payload's mission may include stealing your e-mail contacts so they'll be exposed to the threat as well.

Q: So social spammers didn't invent this process?
A: No, far from it. This whole process of link baiting has evolved from e-mail.

Q: So social spam is spread via "link worms"?
A: Yeah, that's kind of the general idea…

Q: Okay. Steps 1 and 2 spread like an e-mail worm, but the goal is more similar to e-mail spam. What's step 3? Do you get to see the father/daughter webcam video?
A: That depends on whether step 2 was an application or a page (still using Facebook as our example).

Q: What if step 2 allowed an application?
A: Then the spam application often provides the video (or whatever else) in return for harvesting your information.

Q: What kind of information?
A: That depends on what you allowed. It could be anything from basic public details to allowing the application to e-mail you, to managing your Facebook Pages. (Twitter applications will cause your account to follow others and to re-tweet their links.)

Q: Then what?
A: And then the social spammer has information that can be turned into a commodity for sale. Remember up above…

Q: That e-mail spammers compete with each other by offering better services and validated lists?
A: Right. What better way to create a validated list than a social networking site such as Facebook? Not only will you have live e-mail addresses, but the associated age, sex, gender, likes and interests. After all, there's very little point in sending Viagra spam to a 25-year-old woman…

Q: That sounds like an excellent commodity. What else can be done with the information?
A: Worst case scenario: it could be used for identity theft or blackmail.

Q: Is that likely?
A: It's possible, but probably not likely. From what we've read in spammer forums, these guys are more about making a quick buck pushing ads.

Q: Okay, so back to step 2 again… What if step 2 was a page, then what?
A: This part is a bit complicated.

Q: It is?
A: Yes. If the social spam links to a page, the page is typically utilizing some sort of Cost Per Action affiliate marketing network.

Q: What is a Cost Per Action affiliate marketing network?
A: First, let's discuss affiliate marketing… This is from Wikipedia's entry: Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts.

Q: So affiliates don't get paid upfront to advertise?
A: Right. Affiliates aren't selling bulk advertising. But instead, they're driving traffic towards the product owner. And the more traffic that they can drive towards the product, the more they can earn. Product owners like this method of marketing as they don't have to commit to funds upfront before results are produced.

Q: And affiliate marketing models are used by spammers?
A: Yes. Unfortunately, affiliate marketing is easily abused by spammers.

Q: So why is it legal?
A: Because there are many legitimate ways to run affiliate marketing. Let's take Groupon (groupon.com) as an example. If a certain number of people sign up for a Groupon offer, the deal becomes available to all; if the predetermined minimum is not met, then no one gets the deal that day. Groupon users are acting as a kind of affiliate. If they do the marketing work and share the offer among their peers, and enough people sign up, the company authorizes the deal.

Q: So it is quite difficult to legislate good from bad affiliate marketing?
A: Yes.

Q: Okay, so social spammers utilize a form of affiliate marketing. What are Cost Per Action affiliate networks?
A: An affiliate marketing network is kind of like a "super affiliate". Affiliate marketers earn a progressive percentage of payout based on the volume of leads produced. One individual typically cannot produce enough volume to reach a higher percentage tier. Affiliate marketing networks allow individuals to act as a collective affiliate, producing higher volumes, which passes the higher payouts down to the network members.

Q: And Cost Per Action (CPA)?
A: CPA is typically about acquiring something from potential leads.

Q: So what happens during step 3 after a page is liked and shared?
A: The spammer promises to show the video (or whatever) after a small "anti-bot" test (action) has been performed. They claim it is a form of CAPTCHA, or verification that you're human.

Q: And this is when the spammer gets what he wants?
A: Yes. At this point a JavaScript form opens and "special offers" are given to prove that the person is human.

Q: What kind of special offers?
A: It could be something as simple as downloading a search toolbar for your browser or providing a valid e-mail address to receive a coupon. Or… it might be something as manipulative as getting you to sign up for expensive SMS-based subscription services.

Q: And is this when the spammer makes money?
A: Yes. For each person that completes an action, and offers the product owner a "lead", the affiliate/spammer can earn one dollar or more.

Q: One dollar or more? That's good money.
A: Yes. It takes very little effort to earn good money.

Q: So is all of this considered a scam?
A: Scam is a rather strong word.

Q: But there are some security vendors that call this stuff a scam. You don't think so?
A: Scam is a strong word to use… A scam is something such as an Advance Fee Fraud, i.e. "You have just won the UK lottery! Contact LottoUK at blah blah blah dot com."

Q: So what is this CPA spam stuff then?
A: It falls under the category of deceptive marketing.

Q: So why do some folks keep blogging about Facebook Scams? Is it hype?
A: You'll have to ask them.

Q: Well then, if it is deceptive marketing… what can be done about it?
A: Government regulators should get involved. Example: In Finland, a case of localized (Finnish language) Facebook spam was resolved by the Finnish Consumer Protection Agency. F-Secure provided details to the press, and the press and/or victims reported the SMS subscription vendor as being deceptive. The local company which provided the billing services for the SMS vendor reversed all charges associated with that spam run. (There hasn't been a second attempt.)

Q: What about the United States? Is there a way to fight deceptive affiliate marketing spam in the United States?
A: It's been done before. In 2006, Zango, an adware vendor (Hotbar), faced an FTC investigation that essentially put them out of business. A public advocacy group filed two official complaints charging Zango with engaging in unfair and deceptive business practices.

Q: So who are the companies that the FTC should probably look at in 2011?
A: The list includes CPAlead (cpalead.com), PeerFly (peerfly.com), and Adscend Media (adscendmedia.com) among others.

Q: What about the recent lawsuits that Facebook brought against three spammers?
A: Actually, one of those three lawsuits is focused on Jason Swan, the CTO of CPAlead. The CAN-SPAM Act is being cited in the lawsuits and all three examples include cases in which fake or fraudulent services were offered. "Facebook Gold" accounts, for example. There is no such thing, and so Facebook claims the defendants are guilty under the CAN-SPAM Act.

Q: But doesn't most social spam eventually open the promised video (or whatever)?
A: Yes. It's mostly just recycled content from YouTube, but if all 3 steps are completed, the link delivers on its promise. So these three cases are interesting, but it seems more like a warning to spammers than a solution. We aren't sure if the CAN-SPAM Act applies (but it's worth bringing before a judge).

Q: So summarize it again, what are the steps involved with social spam?
A: First the victim clicks on a link. Second, they like/share or allow the application or page. Third, they complete the Cost Per Action offer. And then they are "rewarded" with old content that they could have located on YouTube (or elsewhere) themselves.

Q: How effective is social spam?
A: Very good question. In 2009, social spam was generated by hacked/phished accounts. During 2010, other methods were developed by spammers to seed spam links. By the summer of 2010, spam links were generating hundreds of thousands of clicks.

Q: Do social spam links still get clicked?
A: Click rates have dropped as people become familiar with the process. There is an ever increasing decline in the effectiveness of any single link. However, the click rates and payouts are considerably higher for social spam than for e-mail spam.

Q: Will social spam ever be as big a problem as e-mail spam?
A: E-mail spam does not require interaction. Spammers can simply pump out as much of it as possible in their attempts to bypass spam filters.

Social spam typically requires human interaction (except for occasional site vulnerabilities). Because social spam is interactive, there is something that can be done. Facebook and Twitter are constantly redesigning their UI to improve the user experience and to help their communities recognize and avoid spam. And because social media sites are constantly evolving, the nature of social spam is also evolving.

Social spam will probably always exist, taking advantage of one site feature or another, but it isn't as likely to abuse the system so completely as e-mail spam has. The only way to fix e-mail spam is to fix e-mail protocols. Facebook and Twitter spam can be addressed by the sites as needed.

Q: Finally, are there other types of spam being pushed via social media sites?
A: Yes. Fake profile spam pushing adult dating sites and services… but that's another Q&A. We'll get back to that once we're done sorting through all the images (somebody's got to do it).