The latest Sophos Threat Report shows an upward trend in spam and identity theft through social networks. One of the examples Sophos gives is Facebook. In general Sophos claims that from 2009 to 2010 spam, phishing and malware-carrying messages all doubled. Sophos explains the figures on its website thus:
“* 40% of social networking users quizzed have been sent malware such as worms via social networking sites, a 90% increase since April 2009
* Two thirds (67%) say they have been spammed via social networking sites, more than double the proportion less than two years ago
* 43% have been on the receiving end of phishing attacks, more than double the figure since April 2009.”
This makes the trend quite clear. I wonder if these figures were a part of the sharp drop in spam figures that was reported recently. (See elsewhere on this blog).
OPTA and social network spam
This is not something entirely new, as OPTA has already fined a Dutch spammer for spamming on the Dutch social network site Hyves. This private person sent 3.2 million unsolicited messages to Hyves members. OPTA stated that this is another form of unsolicited electronic messages and stopped the spammer’s activities. Whether this was a world first, I cannot say for sure, but I haven’t heard of another example.
Spam and this blog
Almost on a daily basis the spam filter of my blog catches a reply to an article saying “cool”, “where can I subscribe”, “keep up the good work” and the like, all from very complex-looking e-mail addresses at Gmail or Hotmail. The good news is that WordPress has a functioning spam filter.
So Sophos’ news may not be real news for us users of social network or blog sites. The success of social network sites simply means another opportunity for the bad guys and another security hole to plug for technicians. Have you ever wondered what all these thousands of people click on when someone asks them whether LinkedIn really works? Click “like” if you read this?! They click on a daily basis by the thousands because an unknown somewhere in the world asks them to do so. Naivety? Good faith? Plain stupid? Or a sound investigation of the possibilities of LinkedIn? I personally have chosen never to click on these sorts of “like” requests. My advice to you is not to do so either.
Responsibility and social network sites
However, the owners of the social network or blog site have to recognize two things:
1. that they have a serious problem on their hands;
2. that they have a responsibility for the on-line safety of their customers.
Offering a service for free should not release them from responsibilities. It’s not as if they do not intend to make money off their customers (or their customers’ data). The service needs to be trustworthy, as real-life harm can come from phishing and identity theft, and more so if the cyber criminals and spammers can use the service unhindered. On the other hand, if Facebook remains structurally unsafe, people will eventually move elsewhere, I suppose, to another social website that does offer a better level of security. Awareness starts with signalling a problem, and that is what the Sophos report offers to those who want to listen. For anti-spam authorities there is work for years!
Wout de Natris
Leiderdorp, 20 January 2011