CircleID

The latest Sophos Threat Report shows an upward trend in spam and identity theft through social networks. One of the examples Sophos gives is Facebook. In general Sophos claims that from 2009 to 2010 the spam, phishing and malware containing messages all doubled. Sophos explains the figures on its website thus:

• 40% of social networking users quizzed have been sent malware such as worms via social networking sites, a 90% increase since April 2009
• Two thirds (67%) say they have been spammed via social networking sites, more than double the proportion less than two years ago
• 43% have been on the receiving end of phishing attacks, more than double the figure since April 2009.

This makes the trend quite clear. I wonder if these figures were a part of the sharp drop in spam figures that was reported recently.

OPTA and social network spam

This is not something entirely new as OPTA, the Dutch spam and malware enforcement agency, has already fined a Dutch spammer for spamming on the Dutch social network site Hives. This private person sent 3.2 million unsolicited messages ("krabbels" which means "notes") to Hives members advertising his online game. OPTA decided that this is a form of unsolicited electronic message and stopped the spammers activities. The case was never taken to court as the spammer decided to pay the fine. Whether this was a world first, I can not say for sure, but I haven't heard of another example.

Spam and my Wordpress blog

Almost on a daily basis the spam filter of my blog catches a comment to an article saying "cool", "where can I subscribe", "keep up the good work" and all from very complex looking e-mail addresses at g-mail or hotmail. The good news is that WordPress has a functioning spam filter. What is the bad news when I answer or click on the spam message?

So Sophos' news may not be real news for us users of social network or blog sites. The success of social network sites means just another opportunity for the bad guys and another security hole to plug for technicians. Have you ever wondered what all these thousands of people click on when someone asks them whether LinkedIn really works? Click "like" if you read this?! They click on a daily basis by the thousands because an unknown somewhere in the world asks them to do so. Naivety? Good faith? Plain stupid? Or a sound investigation of the possibilities of LinkedIn? I personally have chosen never to click on these sorts of "like" requests. My advice to you is to not do so either.

Responsibility and social network sites

However, the owners of the social network or blog site have to recognize two things:

1. that they have a serious problem on their hands;
2. that they have a responsibility for the on-line safety of their customers.

Offering a service for free, should not release a social network site from responsibilities. It's not as if they do not intend to make money of their customers(' data). The service needs to be trustworthy as real life harm can come from phishing and identity theft and more so if the cyber criminals and spammers can use the service unhindered. On the other hand if Facebook remains structurally unsafe, people will eventually move elsewhere, I suppose, to another social website that does offer a better level of security. Awareness starts with signalling a problem and that is what the Sophos report offers to those who want to listen. For anti-spam authorities there is work for years!

Facebook may want to take this message seriously as EU parliamentarian L. van Nistelrooij just called for [Word Doc] EU legislation because of Facebook's (lack off) privacy policy. He states that self regulation does not work and has drawn his conclusions.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. Visit the blog maintained by Wout de Natris here.

Related topics: Cybercrime, Internet Governance, Malware, Policy & Regulation, Spam