'Likejacking': Spammers Hit Social Media
By Olga Kharif on May 24, 2012
Michelle Espinoza thought a single photo was going to ruin her business. It was an image of one of the pearl cuff bracelets she designs that showed up on Pinterest, a site where users create virtual bulletin boards, grouping images in categories—whether it be chocolate desserts or bohemian jewelry. For 10 days in April, anybody who clicked on the photo ended up watching pornography or unwittingly downloading a virus. “I can’t gauge how many customers I lost,” says Espinoza, a resident of Santa Rosa Beach, Fla. “But I did have people messaging me asking, ‘Are you linked to spam?’ I was just distraught.”
When Pinterest debuted two years ago, e-mail was the format of choice for spam peddling diets, sexual enhancement, and get-rich scams. Better filters have since banished many of the unwanted missives from in-boxes. Instead, scammers are turning to social media sites that are often poorly equipped to deal with the influx. “Social spam can be a lot more effective than e-mail spam,” says Mark Risher, chief executive officer of Impermium, which sells anti-spam software. “The bad guys are taking to this with great abandon.”
Spammers create as many as 40 percent of the accounts on social-media sites, according to Risher. About 8 percent of messages sent via social pages are spam, approximately twice the volume of six months ago, he says. Spammers use the sharing features on social sites to spread their messages. Click on a spammer’s link on Facebook (FB), and it may ask you to “like” or “share” a page, or to allow an app to gain access to your profile.
Facebook and Twitter have hired programmers and security specialists to deflect the flotsam. “Tens of millions of dollars are spent on our site-integrity systems, including hundreds of full-time employees,” says Facebook spokesman Frederic Wolens.
In January, Facebook sued advertising network Adscend Media, accusing it of sending unsolicited messages to Facebook users. A typical lure cited in the suit: “You will be SHOCKED when you see this video. Simply ‘Like’ this page to see the video.” By clicking on a link, some users may unwittingly “like” the spam, a practice security experts call “likejacking.” At least 280,214 users were tricked into interacting with spam. About 80 percent of Adscend’s monthly revenue of $1.2 million comes from Facebook scams, according to the suit. Adscend denied the allegations and settled the case this month for $100,000. The company did not respond to e-mailed requests for comment.
Twitter last month sued spam software makers Skootle and JL4 Web Solutions, plus five individuals, claiming that they were responsible for spam that resulted in some users canceling accounts. Twitter, in the suit, said it spent more than $700,000 to combat spam attacks by the defendants. Skootle has denied wrongdoing. JL4 has yet to respond to the complaint.
Pinterest encourages users to form a virtual neighborhood watch and report spam before it spreads. Last month the site put up a blog post urging visitors to use its “Report Pin” button to tag spam.
On Pinterest, spam often lurks in the embedded links attached to photos, making it tricky for users to spot. Espinoza, the jewelry maker, said she contacted the company at least 10 times in as many days before the fraudulent links tied to images of her bracelets were banished. Pinterest declined to make executives available for an interview. “Our engineers are actively working to manage issues as they arise and are revisiting the nature of public feeds on the site to make it harder for fake or harmful content to get into them,” said a spokesperson in an e-mailed statement.
The bottom line: Largely exiled from e-mail, spammers are invading Facebook, Twitter, Pinterest, and other social networks.
Kharif is a reporter for Bloomberg News and Bloomberg Businessweek in Portland, Ore.