ITBusiness.ca

Spam, bam, no thank you ma’am – Twitter and sultry spam attacks

Computer security blogger Graham Cluley felt pretty popular when young brunettes began inviting him to view pictures and videos of them posted on the Web.

The chief technology consultant at U.K.-based security vendor Sophos Plc. was using Twitter to promote his blog and started receiving the sultry messages shortly after creating his account.

But to his dismay, the messages weren’t what they seemed.

“Young women are all very interested in following me on Twitter right now,” he says. “But when I looked into their profiles, it was a bit suspicious, because they only had one message and no followers.”

Upon further investigation of the links in the messages, Cluley was led to a dating site for young singles.

It turns out that those brunettes with cryptic user names such as “anabel0msg”, “eun2lictmf”, and “dann1jiwep” weren’t fans of Cluley’s blog at all. In fact, they were spammers. The same people in the business of flooding e-mail inboxes with advertising and sometimes malicious messages are turning their attention to social networks.

These Twitter messages are sent from spam accounts.

Spam has been surfacing on social networking sites such as Facebook, MySpace and Twitter for months. But Twitter, the micro-blogging site, was the focus of spam attacks last week. It was likely an experiment, probably run with a semi-automated process, to see if the network could be exploited.

The user IDs appear to be randomly generated. The messages also look like they are automatically created.

“They’re not names that people would’ve typed like ‘Sexy Sadie’ or something,” Cluley says. Many of the messages are similar with just one word changed – “sometimes it’s honey, sometimes it’s sweetie, sometimes it’s cutie.”
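The signals described above (accounts with a single message and no followers, sending messages that are identical apart from one swapped word) can be combined into a simple detection heuristic. The following Python is an added example, not code from the article, Sophos or Twitter; the record layout, message text, URL and cluster threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: (account, followers, tweet_count, message).
# The three account names are the ones quoted in the article; the message
# text, URL and the two benign accounts are made up for illustration.
SAMPLE = [
    ("anabel0msg", 0, 1, "hey honey check out my new pics at http://example.test/a"),
    ("eun2lictmf", 0, 1, "hey sweetie check out my new pics at http://example.test/a"),
    ("dann1jiwep", 0, 1, "hey cutie check out my new pics at http://example.test/a"),
    ("longtime_reader", 212, 940, "great post on the latest worm, thanks for the write-up"),
    ("newbie_carol", 0, 1, "just joined, looking forward to reading your blog"),
]


def skeletons(message):
    """Yield one key per word position: the message with that word removed.

    Two messages that are identical, or that differ only in the word at
    position i, produce the same key for position i.
    """
    words = message.lower().split()
    for i in range(len(words)):
        yield (len(words), i, tuple(words[:i] + words[i + 1:]))


def flag_template_spam(records, min_cluster=3):
    """Return accounts that look throwaway AND share a message template.

    An account is only considered if it has no followers and at most one
    message; it is flagged when at least `min_cluster` such accounts sent
    messages that match after ignoring a single word.
    """
    clusters = defaultdict(set)
    for account, followers, tweets, message in records:
        if followers == 0 and tweets <= 1:
            for key in skeletons(message):
                clusters[key].add(account)

    flagged = set()
    for accounts in clusters.values():
        if len(accounts) >= min_cluster:
            flagged.update(accounts)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_template_spam(SAMPLE))
```

A brand-new legitimate account such as `newbie_carol` also has one message and no followers, which is why the account signal alone is not enough and the template match is required before flagging.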

Twitter could be more susceptible to spammers than other social networks that allow users to control who they communicate with, says Tim Hickernell, senior research analyst with London, Ont.-based Info-Tech Research Group. On Twitter, your feed can be followed by any other user unless you ban them or choose to remain private.

You can also receive direct messages from any other user. This allows automated spam bots to conduct a “dictionary attack” by sending messages to random user IDs and hoping some hit the mark.

“A lot of spammers get these lists of e-mail addresses to exploit,” Hickernell says. “It’s not a big leap to plug those into Twitter and see if you get the same user IDs there.”

Social networks such as Facebook have a built-in protection against spam by allowing users granular control over what messages they receive. Users have control over their friends’ list and authorize those they communicate with, says Jaime Schopflin, international communications at Facebook.

A setting is available to block out all messages from users not on your friends list. Also, users are not likely to tolerate any spammer activity.

“Our users are pretty effective at sending us notes and reporting these types of things,” she says.

“On Twitter it is a pain to moderate all of your followers,” Hickernell says. “Twitter needs to become more social network-like, so users can define their own network of friends.”

Recent spam incidents have prompted the Twitter team to react. They’ve created an account where users can report spam messages they receive and will investigate suspected spammers and possibly delete the accounts.

“But of course, spammers can just open up another account,” Cluley says. “It’s very quick and easy to do.”

Twitter has also changed its policy for users that are under investigation. Previously a warning would appear on the user’s page and all their past messages (or “tweets”) would be shown. But now the messages have been removed from pages under suspicion of spamming.

The micro-blogging site has also recently removed a search feature that allowed a user to see all tweets featuring certain keywords. This is likely because the service was being abused by spam bots, Hickernell says.

“The dirty little secret here is Twitter is growing so fast that they can barely keep up with offering its current level of service,” he says. “Forget about finding ways to upgrade the service.”

ITBusiness.ca requested an interview from a Twitter spokesperson, but didn’t receive a response by time of publication.

Currently, spam is a small fraction of the messages that appear on social network sites. But it could be that spammers are turning their attention to such Web 2.0 sites in the face of evolving anti-spam technology in e-mail.

E-mail currently remains the top form of sending spam, dominating about 90 per cent of all traffic at the network level, according to Symantec Corp.’s monthly anti-spam report.

But that could change soon if Twitter doesn’t react with some stricter measures to block spam, according to Hickernell. One easy way to do so is to add a test to verify that a user sending a message is a human and not a scripted bot.

“You see a distorted image and you have to type in with case sensitivity what you see,” he says. “Most bots can’t get past this.”

The security measure could be used to verify that accounts were created by human users, or even to verify each message sent to a user you’re not already following.

If such measures were put in place, Cluley might have fewer brunettes responding to his blog updates.
