If you think the spam problem is bad right now — and it is, with more than 90 percent of email consisting of spam — the good news is it’s not going to get worse. The bad news is it’s going to get much worse.
Spam is a huge business and spammers, like all business owners, are always looking for new ways to lower costs, increase profits and get their products in front of more people. The efficiency of today’s spam filters and the fact that most Internet users have been trained to ignore any of the junk that does get through their filters had made that job much harder for the spammers.
So instead of continuing to bang their heads against the wall to come up with new spam salad subject lines or creative ways to spell Viagra, the spammers instead are busily finding entirely new methods of polluting the Internet. For years they’ve been using the comment fields on blogs and news sites to push their junk, and not they’re taking that one step further.
Many spammers now have large staffs of people working on nothing but building out completely fake personas for non-existent users on social networking sites and blog networks. The spammers use these personas to create accounts on Twitter, Facebook, Blogspot and other sites that have high levels of user interaction.
But these are not the easily identifiable spambots and fake profiles that have been cluttering these sites from the beginning. Instead, the personas have all of the attributes that one would expect in a real user, such as clearly defined interests, specific geographic locations, favorite bands and movies. The spammers who control these profiles are not using them to loudly and obviously push diet pills or porn, but are aiming to make them look as average and unremarkable as possible.
“Their goal is to be right down the middle, not too high or too low on the radar,” said Robert Hansen, a security researcher who discussed the new tactics during a webinar Wednesday put on by Black Hat and Dark Reading. Hansen, who has spoken with some of the spammers using these techniques, said that they can create as many as 500,000 to a million new personas in a single day.
A blog controlled by a spammer using one of these personas might have regular posts on the fake blogger’s favorite outdoor activity, comments on the weather in his fake hometown and even pictures. None of which would look suspicious to site operators.
“It’s going to be extraordinarily difficult for the operators of these social networking platforms to identify fake users,” Hansen said. “This could create a huge amount of havoc and strife on these sites. But they don’t want to stand out too much. This could spell disaster for anyone trying to figure out what’s real or fake.”
This tactic could be especially effective on a site such as Twitter where users rely heavily on shortened URLs that are difficult to identify without clicking. Most of the spammers on Twitter are simple to identify right now, as they have few or no followers and just post porn links or scam offers. But once they start taking the time to build followings with seemingly legitimate messages for days or weeks, things will get much messier.