An Open Book

07.09.2007 - 7:39 AM
Nine months ago, Facebook announced that the site was no longer the exclusive domain of those elite with a verified ".edu" address. It did not take long for a number of grim predictions to form regarding the future of Facebook. A significant number of existing users met the announcement with an outcry over the impending demise of their Facebookian utopia. One of the common points for many of the predictions was that Facebook would be crushed under the weight of an onslaught of spammers.

Open registration would indeed provide access to spammers, but Facebook was also neglecting its key demographic: a certain Websense employee who was still in high school when he decided he was too cool for school and instead opted to begin exchanging code for paychecks. He appreciates the invite; thanks, Mark!

But Facebook engineers showed a little ingenuity and, with improved privacy options and some very aggressive spam filtering, the site has largely retained its reputation as "Spam Proof". The initial furor over open registration quickly subsided as it became clear that the accuracy of the doomsday predictions was on par with one of Miss Cleo's prophecies. Most people are now in agreement that open registration was a Good Thing.

Developers! Developers! Developers! Developers! Developers! ... Developers?

Last month, Facebook continued the trend of opening up their site with the release of their Developer API – dubbed "Platform". Once again, a vocal minority was convinced that Facebook was on the verge of perishing. However, I threw on some rose-colored shades and promptly ignored the naysayers because Platform is nothing short of awesome. Still, the added functionality clearly makes the site less "Spam Proof" than it once was, and the site becoming saturated with unwanted content is a very real concern.

One of the first Platform applications to be released was Marketplace (actually, released before the API was open to the public). The application – developed internally by Facebook – is used for classified listings (akin to craigslist). If you have never used craigslist, you might be shocked to learn that spammers immediately began to capitalize on Facebook's Marketplace. Hard to believe, I know!

Spammers, come on down!

Amanda here has some free electronics to give away. She might even send a plasma TV your way. Right on, Amanda.

Amanda has friends in high places, and they hooked her up by putting some of her spam directly on my Home page.

Next up is my new favorite spammer, Tina. It looks like this is my last blog post because I'll be tendering my resignation tomorrow morning to accept a job offer from Tina. She's paying me $300,000 to work part-time from home.

Last, but certainly not least, we have Karli. I have a lot in common with Karli. She likes chocolate. I like chocolate.

It's all about the Benjamins.

These spammers aren't creating these profiles and posting these listings for their own amusement. Somewhere along the line, the spammers have to make a buck or it's simply not worth their time. But how do these random listings generate revenue? Let's take a closer look at one of Karli's postings: CHOCOLATE WONDERLAND!

Karli clearly wants us to check out her website. And I'm hungry. So let's go.

And there it is. This entire website is devoid of any meaningful content. It is completely filled with deceptively-placed Google advertisements. Click almost anywhere on this page and Karli gets paid (after Google takes their cut). Luckily, this page only contains advertisements, and not more nefarious content, such as malicious code.

We have to ask ourselves: how effective could this really be? How many people are actually going to follow this link and then click on an advertisement? Karli needs more traffic. What's a spammer to do?

Where there's a will, there's a way.

Astute observers of the screenshot above might have noticed the link that reads 'Join the largest "chocolate" themed group on facebook.' This link does actually take you back to Facebook, directly to a Facebook group called "ADDICTED TO ALL THINGS CHOCOLATE!!!"

This group is actually a clone of a nearly identical group by the same name (they have a different number of exclamation points). The original group has been around for quite some time and has over 8,000 members. It appears as if our spammer simply searched Facebook for an already popular "chocolate group" and copied it for her purposes. The spammer has made some curious additions to the original group. Specifically, a link to the spammer's website and the following block of text:

DO YOU WANT TO BE A GROUP OFFICER ????-

1) You must invite 'ALL' of your friends, then....
2) message me the "officer title" that you want.

Do it!! Its that simple.

Brilliant. To get around Facebook's tight spam filtering, the spammer has instead resorted to recruiting an army of unsuspecting users to spam on his/her behalf. Unfortunately, this new tactic appears to be incredibly effective:

Where's Matlock when you need him?

Up until now, every Facebook account involved in this saga has been a fresh account with a profile that makes it immediately suspicious: fake/absent photo, missing information, no friends/groups, no contact information. These profiles were created in an attempt to hide whoever was really behind the postings. However, the creator/owner of this fake group does not fit that description at all. He is a BYU alumnus who is apparently a long-time Facebook user.

Is he the one responsible? Did he get careless, or does he just not care about his identity being discovered? Was the account compromised? Only Matlock and Facebook can tell for sure. (Note to Facebook: Matlock is retired; could you look into it instead?)

Returning salvo

Ten days have passed, but Karli is still alive and kickin'.

Now you know my shame. Alex's impotent rage. His guns don't fire. Take me away.

Alex Rice, arice || websense.com
