Are Spammers Moving to Social Networks?

MySpace this week won a ruling against Sanford Wallace and Walter Rines, reinforcing the fact that there’s no love lost between big web sites and spammers. But it’s also a sign of an escalation of the war on spam.

Spammers are finding virgin territory in emerging messaging tools, including SMS and social networks. Ferris Research projects that Americans will receive 1.5 billion unsolicited text messages in 2008, double the number sent in 2006. And Nielsen calls mobile social networking the next big thing, estimating 2.8 million unique mobile MySpace users and 1.8 million mobile Facebook users in December 2007.

According to antispam firm Cloudmark, spammers are already embracing these new technologies: Between 15 percent and 30 percent of friend requests on some of the largest social networks lead to a spammy profile.

“A lot of people in antispam thought that the reason we have such a bad spam problem is that you can’t pin a reputation on the original individual who sent the mail, and that maybe social networks would be able to remediate that,” said Cloudmark researcher Adam O’Donnell. “But one of the main uses of social networks is getting back in touch with someone you have no real connection to, so you need to be able to leave that vector open for someone to friend you.”

This is an increasingly popular approach for spammers, who create an account and try to friend as many people as possible, then wait for people to view their profiles — which contain spam or links to other sites.

With a huge variety of ways to put content online, those sites can be almost anywhere. MessageLabs’ Matt Sergeant calls Google Docs “the perfect way to spam,” explaining that hyperlinks in an unsolicited message might go to a Google Docs file containing Google Analytics’ tracking code, rather than a spammer’s server.

Spammers aren’t just pushing pharmaceutical sales, either; increasingly, the site a recipient visits tries to inject malware that compromises the visitor’s machine. That machine then becomes a tool for denial-of-service attacks and sending spam, and may be used for keyboard logging and financial phishing. “There’s multiple products being pushed over the spam side,” said O’Donnell.