To send messages to large numbers of people, Petre says, spammers often trick users into joining groups and befriending fake profiles. For example, in the aftermath of the Haitian earthquake, fraudsters started a group on Facebook that claimed the social networking company would donate money to relief efforts for each user who joined. The group collected nearly two million members in the five days before Facebook discovered the activity and suspended the group. While active, Petre says, the group was used to send spam messages to the group’s members.
Spammers can also blast messages to users who have accepted friend requests from them. Petre found that scammers use social games to make contact with legitimate users. In many of these games, such as Farmville, users get ahead by having friends on the network who play the same game. As a result, there are lots of groups on Facebook devoted to helping users connect with other players. This provides a way for spammers to find users to connect with.
Once connected, spammers can also do more than just send spam messages. They can gather data on users, and those users’ contacts, to create more targeted fraudulent messages. Scammers also post links to profiles that aim to entice users to view advertising or visit compromised phishing or malware websites. While spammers could, in theory, use scripts to harvest e-mail addresses from other users’ profiles, Facebook has implemented several protections that make this difficult to do without getting caught and suspended.
“Social networking spam may be more dangerous than regular old spam because it creates a trust factor not available through blindly sending out mass e-mail,” says Garth Bruen, creator of software called Knujon, which classifies and tracks spam. By mining social networks, he says, criminals can get access to personal details such as where a person lives, where they go out to drink, or what movies they like. “It is very good intel for establishing trust with strangers,” he says. Though Bruen notes that working within a social network costs spammers more resources than traditional methods, he believes the payout could be much bigger.
Kathy Liszka, a professor of computer science at the University of Akron and the chair of the MIT Spam Conference, says that fighting spam is no longer just about mathematics and statistics. Spam and malware companies today are actively recruiting people with backgrounds in psychology, she says, and Petre’s work shows that social networks provide fertile ground for spammers to try more sophisticated forms of manipulation. Liszka says, “If we don’t get up on the psychology aspect, we’re going to start losing ground again.”