Exploiting the popularity of social networks for the purposes of distributing spam, malware, and phishing attacks is quite a common technique these days. Spam attacks via social networks grew dramatically between April and June 2011. Over this period, we monitored and analyzed social network spam attacks that used three popular social networking sites—Facebook, Twitter, and YouTube.
The graph below demonstrates the volume spikes for social network spam from April 1 to June 15:
One of the obvious patterns in the graph above is a rise in the number of attacks on one social networking site, then an abrupt fall, and then a shift to the next site, as if following a cyclical pattern. We observed a sudden surge in the number of attacks on Facebook, then a peak, and then a drastic decline. While the attacks on Facebook declined, we observed a rise in attacks on Twitter, which then gradually waned, followed by a surge of attacks on YouTube. The average life span of each social network spam attack is between 15 and 20 days.
The graph below shows each attack's share of the spam volume. Spam using the Facebook template contributed 40% of the total social network spam in this period:
Figure 1. Social network spam volume
Most of the spam originates from botnets. When the originating IPs were analyzed (as shown in the graph below), it was found that 53 percent of the social network spam originated in the United States. Another 19 percent originated from various European countries. Most of these IP addresses had already been blacklisted by reputation-based technology because of their spam involvement. Along with bot activity, some samples were sent through hijacked user accounts and through fake social network accounts created by the spammers.
Figure 2. Geo-origin of social network spam attacks
Social network spam uses legitimate email notification templates from the social networking sites. The message alleges that the user has unread messages or pending invites, and a fake link is provided. The bogus link directs users to a website that forces the download of malicious binaries, purports to sell cheap enhancement drugs and replica products, pushes fake gambling casino sites, or advertises online adult dating sites, among other things.
Below are some examples of related spam messages:
The most common subject lines used in this case are as follows:
Subject: Hi, you have notifications pending
Subject: Oops.. You have notifications pending
Subject: Hi, You have 1 new direct message
Subject: You have 2 direct message on Twitter!
Subject: YouTube Administration sent you a message: Your video has been approved
Subject: YouTube Administration sent you a message: Your video on the TOP of YouTube
Subject: Direct message from [removed]
Subject: Warning: Your inbox is full, message not accepted
Subject: [removed] sent you a message on Facebook...
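The two traits described above, a copied notification template and a link that leads somewhere other than the impersonated site, are exactly what a mail filter can key on. The following Python script is an added example, not Symantec's code or any social network's: it parses a message, checks the subject against patterns taken from the list above, identifies which brand the message claims to be from, and flags it when the sender domain, any embedded link, or the connecting IP (from the topmost Received header) does not belong to that brand or sits on a reputation blocklist. The brand-to-domain table, the blocklist entry, and both sample messages are constructed for the example.

```python
"""Heuristic detector for social-network notification spam (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains a genuine notification from each brand would use (assumption for the example).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "twitter": {"twitter.com"},
    "youtube": {"youtube.com", "google.com"},
}

# Subject-line patterns derived from the subjects listed in the post.
SUBJECT_PATTERNS = [
    re.compile(r"you have notifications pending", re.I),
    re.compile(r"you have \d+ (new )?direct message", re.I),
    re.compile(r"youtube administration sent you a message", re.I),
    re.compile(r"sent you a message on facebook", re.I),
    re.compile(r"your inbox is full", re.I),
]

# Constructed reputation blocklist (TEST-NET address, not a real spam source).
IP_BLOCKLIST = {"203.0.113.77"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def registered_domain(host):
    """Reduce a hostname to its last two labels (www.facebook.com -> facebook.com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brand(text):
    """Return the first brand name the message mentions, or None."""
    lower = text.lower()
    return next((b for b in BRAND_DOMAINS if b in lower), None)


def analyze(raw):
    """Return {'brand', 'template_hit', 'reasons', 'suspicious'} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    sender = str(msg["From"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    template_hit = any(p.search(subject) for p in SUBJECT_PATTERNS)
    reasons = []  # only off-brand / bad-reputation indicators count towards 'suspicious'

    # Connecting IP from the topmost Received header, checked against the blocklist.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_IP_RE.search(str(received[0]))
        if m and m.group(1) in IP_BLOCKLIST:
            reasons.append(f"connecting IP {m.group(1)} is on the blocklist")

    brand = claimed_brand(subject + " " + text)
    if brand:
        good = BRAND_DOMAINS[brand]
        m = re.search(r"@([\w.-]+)", sender)
        if m and registered_domain(m.group(1)) not in good:
            reasons.append(f"sender domain {registered_domain(m.group(1))} does not belong to {brand}")
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if registered_domain(host) not in good:
                reasons.append(f"link to {host} in a {brand}-branded message")

    return {"brand": brand, "template_hit": template_hit,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample: template copied, but sender, link and source IP are all off-brand.
SPAM_SAMPLE = """Received: from bot.example ([203.0.113.77]) by mx.example.net
From: Facebook <notification@facebook-mail.example>
To: victim@example.net
Subject: Hi, you have notifications pending
Content-Type: text/plain; charset=utf-8

You have 3 unread messages on Facebook.
Go to your inbox: http://cheap-meds.example/inbox?id=4711
"""

# Constructed sample of what a genuine notification looks like to the same checks.
LEGIT_SAMPLE = """Received: from out.facebookmail.com ([192.0.2.10]) by mx.example.net
From: Facebook <notification+abc@facebookmail.com>
To: user@example.net
Subject: Alice sent you a message on Facebook...
Content-Type: text/plain; charset=utf-8

Alice sent you a message.
To see it, go to https://www.facebook.com/messages/
"""

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(sample))
```

A subject match on its own never marks a message suspicious, because the subjects are copied verbatim from genuine notifications; it is the mismatch between the claimed brand and where the sender, links, or connecting host actually belong that separates the spam from the real thing, which is also why the genuine sample above passes.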
Needless to say, none of these social network sites are behind these spam attacks. The social networks employ a variety of techniques to protect users from such attacks and from fraudulent activity involving user accounts. For instance, in early May 2011, Facebook deployed protections against clickjacking and self cross-site scripting (self-XSS). (See the Facebook security page for more details.)
The huge user bases and growing popularity for each of these social networks are perhaps the main reasons that spammers are continually lured into this lucrative “business.”
Note: Thanks to Sujay Kulkarni and Christopher Mendes for their contributions to this blog.