Facebook Study Shows Extent of Spam Wall Posts, Compromised Accounts

Someone has a crush on you. Get free ringtones. Check out this cool video.

It’s easy: Just click here.

For the 500 million Facebook users worldwide, these wall posts are a common stain on the fabric of social networking: malicious spam that redirects users to sites that ask for personal information or install viruses onto unsuspecting users’ computers.

But just how prevalent are these posts? How do they work? Where do they come from? Those are the questions that Yan Chen, associate professor of electrical engineering and computer science, and his collaborators at the University of California, Santa Barbara set out to answer when they conducted the first study that quantifies the extent of malicious content and compromised accounts in a large online social network.

Analyzing more than 187 million Facebook wall posts, the team found 200,000 malicious wall posts with embedded URLs, more than 70 percent of which linked to phishing sites. Their results could help programmers design automated techniques to detect online social spam.

The team used data culled from the Facebook walls of 3.5 million user accounts. By “crawling” user sites of eight regional networks (Egypt, Los Angeles, London, Monterey Bay, New York City, Russia, Santa Barbara, and Sweden) from April to June of 2009, researchers were able to download users’ publicly available wall posts from the last year and a half. They then culled that down to the messages containing URLs — about 2 million.

Researchers then clustered the posts based on destination URL or strong textual similarity, on the assumption that similar spam posts would come from the same spam campaign. They found that about 200,000 posts were embedded with malicious URLs. They then analyzed the posts for their two distinguishing features: distributed coverage and “bursty” nature. Distributed coverage means the number of users that send wall posts. The “bursty” nature is measured by the time interval between consecutive wall posts, since most spam campaigns involve coordinated action by many accounts. In the end, researchers found 297 clusters.
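A minimal sketch of the two-step filter described above, added here as an illustration and not the researchers' code: posts are linked when they share a destination URL or have similar text, and a cluster is flagged only if it has several distinct senders and short gaps between consecutive posts. The sample posts, the Jaccard word-shingle similarity measure and both thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit
# Constructed sample wall posts: (sender, unix_time, text, url)
POSTS = [
    ("u1", 1000, "someone has a crush on you click here", "http://crush.example.test/who"),
    ("u2", 1100, "check out this cool video", "http://CRUSH.example.test/who"),
    ("u3", 1250, "someone has a crush on you click here now", "http://alt.example.test/x"),
    ("u4", 2000, "interesting article", "http://news.example.test/story"),
    ("u5", 90000, "worth reading", "http://news.example.test/story"),
    ("u6", 200000, "saw this today", "http://news.example.test/story"),
    ("u7", 5000, "my holiday photos", "http://photos.example.test/album"),
    ("u7", 95000, "more holiday photos from me", "http://photos.example.test/album"),
]
MIN_SENDERS, MAX_MEDIAN_GAP = 3, 600  # assumed thresholds: distinct senders, seconds

def url_key(url):  # destination = case-insensitive host plus path
    return urlsplit(url).netloc.lower() + urlsplit(url).path

def shingles(text, k=3):  # set of k-word windows over the post text
    words = text.lower().split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def similar(a, b, threshold=0.6):  # Jaccard similarity of the shingle sets
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) >= threshold

def cluster(posts):
    parent = list(range(len(posts)))  # union-find: one set per campaign candidate
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, (_, _, text_i, url_i) in enumerate(posts):
        for j in range(i):  # link posts sharing a destination or near-identical text
            if url_key(url_i) == url_key(posts[j][3]) or similar(text_i, posts[j][2]):
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, post in enumerate(posts):
        groups[find(i)].append(post)
    return list(groups.values())

def is_campaign(group):  # distributed (many senders) and bursty (short gaps)
    times = sorted(t for _, t, _, _ in group)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len({p[0] for p in group}) >= MIN_SENDERS and bool(gaps) and median(gaps) <= MAX_MEDIAN_GAP

def flag_campaigns(posts):
    return [g for g in cluster(posts) if is_campaign(g)]
```

On the constructed data, the link shared by three users over several days fails the burstiness check and the single user reposting an album fails the coverage check, so only the first cluster is flagged.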

Using third-party tools to assess the malice of URLs in their dataset, researchers found that approximately 70 percent of malicious wall posts direct the victim to a phishing site, which asks the user for their password or other personal information. About 35 percent of malicious wall posts direct victims to sites laced with malware.

The vast majority of those wall posts — 97 percent — came from existing, hacked accounts.

“It’s much easier to create a fake account, but attackers who hack into existing accounts can have a higher rate of success because there is a level of trust among real friends,” Chen said.

The number one ploy was a message that said someone had a crush on the user. Tempting, no doubt, but Chen urges Facebook users to stop and think before they click.

“Don’t trust a wall post even if it’s from your friends,” he says. “And alert your friends immediately.”

The attacker usually has control of the account for a short period of time — about 80 percent of the malicious accounts are active for less than 1 hour. Most malicious wall posts are posted at 3 a.m. — when most users are asleep.

So how can online social networks fight back against spammers? Facebook has started trying to eliminate fake accounts: It has launched a new feature where users can reject friend requests as “don’t know.” Facebook collects this information to identify and remove spammers.

Chen and his research group have previously analyzed attacking strategies of spammers and designed intrusion detection and prevention systems for networks. Real-time detection of spammers that compromise existing social networking accounts is still far off, however.

“We need much more research,” Chen says. “It’s very difficult. There’s no good solution yet. Attackers are becoming a lot more powerful. They have their own mature society — their own forums, banks and markets, and they often prey on security breaches that have already been fixed with patches. We need more people to be aware of security problems in order to stop them.”