Almost every few hours for a week I’ve been getting messages from my Facebook acquaintances with links to some phishing sites. These are not even very sophisticated messages — instead, they’re random links to utterly evil sites such as atreps.at, greenbuddy.be and nudz.ru. There have been reports of these phishers using TinyURL Web address shorteners. Some have subject lines such as “Look at This” or “Hello.” According to Inside Facebook, these attacks impact less than 1 percent of Facebook users.
With around 225 million users, that works out to about 2.25 million people affected by these spam messages. Given that I have thousands of friends on Facebook, the problem seems to be particularly severe for me. (Take our poll below to let us know if you have been impacted by this spam.) The intensity of these phishing attacks has been escalating. Even though Facebook isn’t alone in facing these problems, it is certainly the largest social network to encounter them. Facebook has still not been able to fix the month-old problem that is spreading. It has some suggestions on how to avoid these scams, but I don’t think it is enough. If there is any upside of walled garden communities, it is that they should be able to avoid these kinds of problems.
What’s worse, is that these spam messages prompt “group responses” from people who either decry them as junk or warn people not to fall for them. The more such messages, the less useful Facebook becomes as a communications platform. Facebook management needs to understand that these attacks are a clear and present danger for their platform.
You’re absolutely right and we’ve seen this before.
If Facebook wants to be profitable, they need to keep their legitimate audience (vs/ spammers and fake accounts). When good users are driven from the site, FB loses too (see: MySpace).
I suspect a lot of Facebook users are spammers (just a guess, no data) or Facebook is rather a spammer itself. I got this experience in my email account that I think is familiar to any Facebook users. I got invited by a few friends whom I haven’t contacted for a long time. I asked some of those long-time friends if they had ever invited me into joining them on Facebook. They said “never did that.” So, who did?
Facebook Connect is part of the problem here. Encouraging people to enter their password on to pages linked from other Web sites is always dangerous and just encourages phishing.
The password page needs to make it absolutely clear that it is a legit Facebook page asking for the password; relying on users to check the URL won’t work as we’re seeing.
Image verification should help tremendously with this.
Personally I find that Twitter is way more spammed than Facebook. Twitter is the new Spam eldorado.
Need more poll choices – fairly mild for me but definitely apparent!
Because anything worth looking at is worth spamming, FB should hope to see more of this.
My email account is spammed more than my facebook account at this point in time.
I personally have stopped logging into facebook because of the amount of internal spam – meaning spam from my friends! Some things are nice to see, like new kids and change of locales and other news, but there are some comments that literally waste my online time. This is why I’ve reduced my facebook visits to about once a month to check my inbox only and log out. Twitter is another place for spam as well. All these online communities with high traffic are bound to be targets for spam.
It has really became utter nuisance in the recent times. and there have been plenty of my gullible friends who has fallen victim of this outbreak. as you receive plenty of links from your trusted friends with updates/ notes / news clips /site recommendations/ applications, this phishing sites comes in quite as disguise (i mean without triggering second thought about any wrong). i personally have been more vigilant on what i click on any social networks now realizing the threat that exists in the platform. its becoming a big concern and i’m sure it will continue to grow. i will not be surprised if people start cutting back on their stay on such social sites in an effort to minimize exposure t o such risks.
Om
You need a choice in the poll for people like me. I received 1 spam email, but I don’t use FB heavily. db
Some things are nice to see, like new kids and change of locales and other news, but there are some comments that literally waste my online time.
There should be ways to control the spam on mails and profile. Greasemonkey has some scripts to do so, but facebook should encourage itself do do these changes.
this happened to me like 2 days ago… got a mail from a friends account sayin “hi, see this” and I clicked on it…
Thanks to Google chrome, it detected it to be a phishing site….
never thought that facebook would have spam mails… specially since i had never recd any b4….
well, as i’ve said elsewhere, facebook could consider launching a *real* messaging program, ideally “myname@facebook.com” and perhaps run it through gapps (or a special hosted gmail through elgoog, or with yahoo, or with hotmail/ms) – this would add folders, forwarding, tagging, **spam reporting** and all of the features or a real communication tool…since so many are using FB for messaging, it would be a nice step forward…for now, it’s still lightweight and prone to such crap…
Till now i’ve not been hit by these spam.
But i liked the article nice work sir.
Keep it up.:)
I got another phishing message this morning from a fb friend – can you explain how they come from friends? Have their accounts or email accounts already been corrupted? Do the people who send them unwittingly know they have been sent from their fb message accounts?
sorry for the naivity- knowledge is power and we must rise up against this foe!!! (lol)
I had my Facebook account hacked into by a scammer* eight days ago. My account was subsequently disabled without any explanation. I’ve sent multiple emails to Facebook customer support without any response. This took the annoying email spams to an entirely new level. I heavily rely on Facebook to keep in touch with friends and family members and for my professional role as a director of communications.
*I can only assume the account was hacked into as I do not believe I violated the TOS.
Om,
Be aware that tinyurls can be set up so that they take you first to the phisher’s server and then to whatever destination you expected. I would assume that means they get your IP address, which makes it easier to
attack in even worse ways. Think about what that means for Twitter.
PJ
No I haven’t had any spam, but, I used to get it a hell of a lot on Bebo, which is why I stopped using it. I never signed up for anything out of what you do on Bebo, so, yeah the same thing is probably happening here on FB. People purposely aim to destroy the credibility of a popular website. In all honesty, perhaps it could even be a war between Facebook and Twitter when you think about it. Perhaps, just humour me for a sec, perhaps programmers are hacking Facebook from Twitter, then the reverse is happening, FB backhacking Twitter. It’s a real problem that you see with any Networking website eventually… Also my point, think about this… If there weren’t viruses, there wouldn’t need to be Virus Detection Programs such as Trend Micro, Norton 360 or McAfee. Yes some people do release viruses, but, wouldn’t it be more convenient for the actual Virus Protection company to release the viruses themselves, that they know their program can fix? It’s all really in the end about revenues and profits and who’s business is better and quicker to respond.
Yesterday my Twitter account was hacked and there was a spam message posted from my account. Check out @ http://bawaal.com/blog/?p=295
YES! definitely!
Dear facebook,
I have discovered several severe holes in the site that should have been caught by
Quality Assurance, but somehow have slipped through and remain on the site.
These are not security holes, but holes that are liable to
slowly erode the face of facebook and dissolve confidence in the product by
many members and most hurtful, non-members.
In the invite feature of fb, I accidentally accepted the fb
feature to invite every single person that I have every emailed, CCed, or BCed
in my entire life from Gmail. (hmm, a warning message would have been nice,
once clicked, surely I would not have wanted to do that.)
Once clicked, I immediately realized my mistake. After the initial
embarrassment of inviting my whole world, I got over it as “oh well, my
mistake.”
However, no daily email spam is sent out to these contacts, harassing
that they join! Many unpleasant folks have contacted me and are very irritated
at me and fb!
I found a way in fb to remove all of these accidental
invites, but it conveniently doesn’t seem to work correctly.
The following process/path I used and the error that I was
confronted with:
facebook > friends > invite friends > View all
invitations > Select: Not Yet Joined
:: Popup Delete Entries? “Are you sure you want to delete these 100
entries from your Invitation History?” Delete
Oops!
“Something went wrong. We’re working on getting this
fixed as soon as we can. You may be able to try again.” OK
Could somebody else or a team of people, try hard to
improve this site with very simple enhancements?
Update: fb requires you delete these invites one by one. Deleted.
However, here it is a week later and the weekly fb spam has been sent
out to all of the formerly invited contacts again!!! What a joke!
Horrible business practice!!
My friend said “I LOVE YOU!” with a link, and I knew it was spam.
My facebook has recently been sending everyone those bloody stupid links. I don’t know why. I have changed my password and it has seemed to have stopped for the moment. But, I mean what is the actualy intention of these??
I think one of my friends has set up fake accounts under other friends names. I have received mails from these friends. I just wondered if there was a way to tell if these messages came from the same computer. Can anyone help me?
people are so stupid at this stage, i dont understand how hundreds of people keep falling for it..and them spam emails you get are because of facebook too…you sign up to facebook with your email address so if you click on a spammed page they get access to your email…very annoyin!