As users have flocked to social networks, so, inevitably, have spammers. And according to a recent experiment, users are much more receptive to spam sent via a social network than over e-mail.
A group led by George Petre at BitDefender, an antivirus software company based in Bucharest, Romania, performed an experiment to test the effectiveness of spamming techniques geared toward a social networking site. They found it surprisingly easy to entice Facebook users to “friend” people they didn’t know; they also found that many users were willing to click on links without knowing who sent them or where they led.
Speaking last week at the MIT Spam Conference in Cambridge, MA, Petre described how spammers exploit social networks via messaging systems by enticing users to click on links, and by gathering personal information to target mail-outs.
Most social networks have internal messaging systems for communication between members. Petre’s group examined that of Facebook, which boasts 5 percent of the world’s population as its users. While Facebook has an antispam engine, the group found that it was better at filtering out phishing e-mails than at preventing spam messages from getting through.
The group started by creating fake profiles to trick users into friending them. They created three profiles, one containing almost no information about the user, one with some information, and one with detailed information. They used those profiles to join popular groups and began sending out friend requests.
Within 24 hours, 85 users had accepted a request from the first profile, 108 from the second, and 111 from the third. Petre says that acceptances began to accelerate, since more than 50 percent of the time, users would accept the request if they shared a “mutual friend” with the fake profile. In some cases, he says, users would send a message asking for more information about how they knew this supposed new friend. The researchers didn’t respond to these requests, but in many cases, Petre says, users accepted the request anyway.
The researchers then posted a link without any explanation to the fake profiles’ walls, using a URL shortener to obscure where the link went. Almost 25 percent of the profiles’ “friends” visited the link, Petre says.