Have you ever been tagged by fellow Facebook users in photos that don't actually include you but instead show products of dubious origin? Have you been invited to install an application, only to find your account spamming everyone in your contact list afterward? Have you fallen for tricky login boxes that capture your password and give access to your email inbox? Welcome to the world of social network spam. You are not alone: Symantec reports that social network spam and malware attacks are on the rise.
Spam, Rinse, Repeat
Symantec released a report detailing trends in how social network spam and malware work. Spammers and malicious hackers have become more sophisticated in their social engineering attacks, but those attacks appear to follow a cycle. Symantec says spam and attacks surge on one network, fall off drastically, and then move on to another network. The average life of a spam run is 15 to 20 days, and you can sometimes watch the trend cycle through Facebook, Twitter and YouTube, among other social media sites.
Symantec says social network spam is cyclical in nature.
Most of these errant messages come from automated botnets and proliferate through each successful victim: when gullible folks click the link, the app spreads itself like the plague to everyone on that person's contact list.
Symantec says spammy messages do their job through several means. First, there's the use of templates that mimic legitimate notifications from social network sites; you might be asked to confirm your login after a supposed "idle period." Second, there's "clickjacking," in which a legitimate-looking link is hijacked by an overlay that leads to a malicious site. Third, there's cross-site scripting, in which scripts embedded in the URL structure result in unauthorized code being injected into the website's back-end.
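The two browser-side tricks named above, clickjacking and cross-site scripting, both have well-known server-side defences. The following is an added example, not code from the article or from Symantec, written as a plain Node.js helper: it returns the anti-framing headers that make a page unusable as a clickjacking overlay target, and it escapes a reflected query-string value before rendering it so script in the URL stays inert. The page name `notify`, the `who` parameter and the sample URL are constructed for the example.

```javascript
// Added example (not from the article or Symantec): server-side defences for the
// two browser-side tricks the article names, clickjacking and cross-site scripting.
// Assumes a plain Node.js HTTP handler; the page name "notify" and the "who"
// query parameter are hypothetical.

// Headers that stop a page from being framed by another origin, which is what a
// clickjacking overlay relies on. Both are sent so older browsers are covered too.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Escape the five characters that let attacker-controlled text break out of HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render a notification page that reflects a query-string value into the HTML.
// The unsafe variant is the reflected-XSS pattern; the safe variant escapes first.
function renderNotification(url, options) {
  const safe = !options || options.safe !== false;
  const params = new URL(url, 'https://example.invalid').searchParams;
  const who = params.get('who') || 'friend';
  const shown = safe ? escapeHtml(who) : who;
  return `<p>${shown} tagged you in a photo.</p>`;
}

// Constructed sample: a URL carrying a script tag in the "who" parameter.
const SAMPLE_URL = '/notify?who=<script>alert(1)</script>';

// Show both renderings side by side together with the defensive headers.
function demo() {
  return {
    unsafe: renderNotification(SAMPLE_URL, { safe: false }),
    safe: renderNotification(SAMPLE_URL),
    headers: antiFramingHeaders(),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the script tag rendered literally in the unsafe output and as `&lt;script&gt;` in the safe one; in a real handler the headers object would be passed to `res.writeHead` and only the escaped rendering would ever reach the response body.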
Successful spam exploits are like opening the proverbial can of worms (or Spam?): once you are victimized, your account spreads the message, and one or two gullible friends down the line may also click, which perpetuates the cycle.
Spammy messages can spoof the real website and send your credentials to malware authors.
What Can We Do?
Various web apps and social networks implement different ways to improve their security. For instance, Google is rolling out an optional two-step login in which users must key in a verification code received via SMS on top of their password. Facebook is asking users to authorize the machines that access their accounts, among other security measures. But security goes beyond the tools that websites and apps give you: social engineering attacks rely on your actions to deliver their payload and proliferate. Here's how you can help stop spam.
- Watch where you log in. Many malicious sites spoof login pages and password boxes. Check the URL whenever you log in; when in doubt, type the URL manually into your browser's address bar. Even then, check that it exactly matches the web app you're accessing: it's easy to make a URL look like the legitimate one with the right combination of subdomains.
- Watch where you click. It's easy for spammers to spoof legitimate websites or the messages they display. Don't blindly click a link just because it shows you an error warning. Check the link's target URL in your status bar first.
- Protect your profile. If your Facebook Wall is open for anyone to post on, spammers can post messages to you, and your friends, who can see those messages, become potential targets too. Keeping your public profile and Wall limited will help minimize spam.
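The "watch where you log in" tip comes down to reading the host part of a URL correctly: the legitimate name must be the end of the hostname, not merely appear somewhere in it. As an added example that is not part of the article, the following Node.js function does that check mechanically. The trusted-domain list and the sample URLs are constructed for the example, and the function also rejects plain HTTP and URLs that hide the real host behind a `user@` prefix.

```javascript
// Added example, not from the article: a mechanical version of "check that the URL
// exactly matches the web app you're accessing". The trusted-domain list and the
// sample URLs below are constructed for the example.

// Registered domains the user intends to log in to (hypothetical allow-list).
const TRUSTED_DOMAINS = ['facebook.com', 'twitter.com', 'google.com'];

// True only when the hostname equals a trusted domain or is a subdomain of it.
// A lookalike such as "www.facebook.com.secure-login.example" fails because the
// trusted name is at the start of the host, not its suffix.
function hostBelongsTo(hostname, trustedDomain) {
  const host = hostname.toLowerCase();
  return host === trustedDomain || host.endsWith('.' + trustedDomain);
}

// Classify a login URL and say why it was rejected, so the reason is visible.
function checkLoginUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'not HTTPS' };
  }
  if (url.username || url.password) {
    // "https://facebook.com@login-check.example/" puts the trusted name before
    // the real host; the browser treats the part before "@" as a username.
    return { ok: false, reason: 'credentials in URL hide the real host' };
  }
  const match = TRUSTED_DOMAINS.find((d) => hostBelongsTo(url.hostname, d));
  if (!match) {
    return { ok: false, reason: 'host ' + url.hostname + ' is not a trusted domain' };
  }
  return { ok: true, domain: match };
}

// Constructed samples: one genuine login URL and four that should be rejected.
const SAMPLE_URLS = [
  'https://www.facebook.com/login.php',
  'https://www.facebook.com.secure-login.example/login',
  'http://www.facebook.com/login.php',
  'https://facebook.com@login-check.example/',
  'not a url',
];

// Run every sample through the check and return the verdicts.
function runSamples() {
  return SAMPLE_URLS.map((u) => Object.assign({ url: u }, checkLoginUrl(u)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runSamples());
}
```

Only the first sample passes. The check deliberately works on the parsed hostname rather than on the raw string, which is also why a `user@host` URL is caught: the URL parser splits the trusted-looking name into the username field. It does not catch a host registered under a confusable name (a different spelling or an internationalized domain), so it complements reading the address bar rather than replacing it.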
These are only a few tips, but any advice centers on being cautious and sure about what you're doing online, whether you're clicking a link, sharing a URL or entering your password. After all, it's your reputation at stake. Spreading spam to your friends is certainly embarrassing; it's worse if spam shared with your co-workers causes a productivity decline.