Spammers get friendly with Facebook

Interested in a free iPad like the one your Facebook friend got by filling out a survey? Curious about that “friend” request from someone you don’t know?

Don’t click — it’s spam, or worse.

Such attacks, long common with email, are now migrating to social media. And Facebook, with its 500 million users, is the biggest target of all.

“It’s a spammer’s dream,” said Kurt Roemer, chief security strategist for software company Citrix Systems. “You have all your friends, business connections, who you do banking with, who you travel with — all kinds of aspects of your life.”


Facebook says fighting spam is a top priority and it employs a large team of investigators to do it. The company has successfully sued spammers, winning $2 billion in judgments. It has also added new security features, along with advice for users on how to protect against spam.

“It’s an arms race,” said Pedram Keyani, a member of Facebook’s Site Integrity team. “We are constantly adapting our strategy to handle changes in their tactics.”

The assaults on Facebook users have a common denominator, said Kevin Haley of Symantec, a major Internet security company.

“The relationships are what they’re counting on to help spread things,” he said. “If I can get you, then I can get all your friends and then I can get all their friends.”

Spammers make money by driving people to sites that pay them for clicks.

Phishing involves using fake messages to direct users to sites for knockoff products or to pages that can turn a computer into an automaton that floods friends with spam. One Internet worm hijacks Facebook accounts, sends messages to friends and harvests their accounts and passwords.

A user can also be tricked into downloading malware onto his or her computer, activated when the user clicks on a button on a scam Web page. Messages are then sent to the user’s friends, directing them to a website that infects their computers.

A technique called likejacking tricks users into “liking” a page when they visit. Once the users click the “like” button, the content shows up on their home page and can also appear on friends’ news feeds.

Carol Hoover, executive director of the Eyak Preservation Council in Alaska, may have been a victim.

“Somehow they became a friend of mine, stole my profile, my picture, emailed a lot of my friends in waves,” she said.

The fake Carol Hoover would chat with her friends, saying things like “Did you win your $50,000 yet?” “Have you heard from the Obama administration?”

She complained to Facebook, and the imposter was removed.

Though the amount of spam has grown, Facebook’s Keyani said the number of actual attacks in which a Facebook account or computer is taken over by spammers is less than 1% of the social network’s 500 million users. That’s still a lot of users — about 5 million.

Facebook has developed spam- and malware-detection systems.

One, called Linkshim, evaluates websites associated with spam attacks and redirects users to a warning page. Another, called Roadblock, looks for unusual activity from users, like massive email blasts. If a malware infection is detected, McAfee security software cleans up the affected user’s account and logs the user back on.

But the best anti-spam tool is user awareness.

“First review privacy settings,” said Roemer of Citrix. “If you let anybody find you, anybody’s going to find you. When it gets into friends of friends, anything can happen.”

Carey writes for the San Jose Mercury News.