Hackers, spammers will target Facebook Messages, say experts

Addition of e-mail to inbox, Koobface-hijacked accounts lead concerns by security pros

Facebook's revamped Messages will be a very attractive target for spammers, scammers and malware makers, security experts said today.

Facebook countered, saying that it has implemented new measures to protect users, including third-party anti-spam filtering of inbound e-mail.

On Monday, Facebook unveiled its new Messages, which adds e-mail to the ways members can communicate with friends. An all-in-one inbox collects Facebook messages, instant messages, text messages and e-mail into a single view.

The addition of e-mail means that spammers and scammers have yet another way to reach users, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos.

"Historically, Facebook has implemented no filtering mechanism on its messaging that I know of," said Wisniewski. "We've seen repetitive attacks using Facebook messages and chat that Facebook has had trouble stamping out."

Wisniewski compared Facebook's history of combating spam with Google's Gmail, and gave the thumbs up to the latter. "In Gmail, it's not impossible to spam, but it's difficult ... Gmail does a pretty damn good job of protecting users."

In a reply to questions, a Facebook spokesman said that the company has contracted with a third-party vendor to "supplement our spam detection and protection for messages sent from e-mail addresses off of Facebook." Facebook would not reveal the anti-spam provider, however.

Because, as Wisniewski put it, "mail is mail," he expects scammers and spammers to quickly add Facebook addresses -- which the social networking site is handing out to members -- to their lists.

"This won't end spam as we know it," added Dylan Morss, a senior manager in Symantec's anti-spam engineering group. "One of the things to note about Facebook Messages is that it integrates existing communication methods, like e-mail and chat, but these are already sources of spam and malware."

Both Morss and Wisniewski acknowledged that much of Facebook's anti-spam or anti-malware efforts have yet to be revealed because Messages has yet to roll out to all users. "Like Donald Rumsfeld said, 'There are known knowns ... there are known unknowns ... [and] there are unknown unknowns,'" said Wisniewski, quoting the former Secretary of Defense.

But some things are clear.

Facebook will let users restrict the messages that appear in their inbox to friends only, or select "Friends of friends" to expand the list. By default, mail from others -- those outside the friends or friends of friends circles -- drops into a mailbox labeled, not surprisingly, "Other."

But that won't prevent the spreading of spam and malware from legitimate accounts that have been hacked by criminals.

Of particular concern, said both experts, is the Koobface worm, malware that's targeted Facebook and other social networking services for more than two years. Koobface tries to trick users into clicking on a link to a malicious download, which in turn hijacks their accounts to Facebook, MySpace and other sites.

"The more ways Facebook [users] have to communicate, the more attractive it is as a target for Koobface," said Wisniewski. "I wouldn't be surprised if a new version of Koobface quickly appears [to take advantage of the new Messages]. That way, spam or malware would look like it's coming from a trusted friend."

Morss agreed. "Hacked Facebook accounts in general are a problem," he said. "That's the thing about social networking. You're putting your information on the Internet. But now you have to be careful about who you put in your inbox."

Facebook said its existing technologies are designed to detect hijacked accounts and react to spam emanating from them.

"These include complex automated systems that work behind the scenes to detect and flag suspicious behavior, based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad," the company spokesman said in an e-mail. "Once we detect a phony message, we delete all instances of it across the site."

On the plus side, said Morss, Facebook's move to separate known, and supposedly trusted, contacts from all others may be a boon in the long run. By separating messages into two "buckets" -- one for friends, the other for everyone else -- Facebook may jumpstart long-stalled similar efforts.

"That's been proposed several times in the anti-spam world, but it hasn't had resounding success in e-mail," said Morss, talking about whitelisting and identity verification technologies that have not caught on. "If people are able to adjust to a two bucket system, that in itself could help fight spam."
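To make the two ideas in this article concrete, here is an added example (not Facebook's code, and not describing its actual systems) that models both the "two bucket" inbox and the kind of behind-the-scenes behavioural check the company spokesman describes: a burst of messages in a short window, or links to domains already known to be bad. The friend graph, the message traffic, the thresholds and the "known bad" domain list are all constructed for the demonstration. It also shows why the buckets alone are not enough: spam sent from a hijacked friend's account lands in the trusted inbox and is only caught by the behavioural check.

```python
# Added example: toy two-bucket inbox routing plus behavioural spam checks.
# Everything below (graph, domains, thresholds, traffic) is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed social graph: each user maps to the set of their friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob"},
    "mallory": set(),
}

# Constructed placeholder list of domains treated as "known to be bad".
KNOWN_BAD_DOMAINS = {"malware-download.example", "phish.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def friend_distance(graph, recipient, sender):
    """Return 1 for a friend, 2 for a friend of a friend, None otherwise."""
    direct = graph.get(recipient, set())
    if sender in direct:
        return 1
    if any(sender in graph.get(friend, set()) for friend in direct):
        return 2
    return None


def route_message(graph, recipient, sender, setting="friends"):
    """Two-bucket routing: 'inbox' if the sender is within the recipient's
    chosen circle ('friends' or 'friends_of_friends'), else 'other'."""
    allowed = {"friends": 1, "friends_of_friends": 2}[setting]
    dist = friend_distance(graph, recipient, sender)
    return "inbox" if dist is not None and dist <= allowed else "other"


class SenderMonitor:
    """Per-sender behavioural check: flags bursts of messages inside a sliding
    time window and links whose host is on the known-bad list."""

    def __init__(self, window=timedelta(minutes=5), max_messages=20):
        self.window = window
        self.max_messages = max_messages
        self.history = defaultdict(deque)  # sender -> timestamps in window

    def check(self, sender, sent_at, body):
        """Return the list of reasons this message looks suspicious (empty if none)."""
        reasons = []
        q = self.history[sender]
        q.append(sent_at)
        while q and sent_at - q[0] > self.window:  # drop timestamps outside window
            q.popleft()
        if len(q) > self.max_messages:
            reasons.append("burst")
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
                reasons.append(f"known-bad link: {host}")
        return reasons


def process(messages, graph, monitor, setting="friends"):
    """Route each message into a bucket and run the behavioural check on it.
    Returns a list of (sender, bucket, reasons) in input order."""
    results = []
    for m in messages:
        bucket = route_message(graph, m["to"], m["from"], setting)
        reasons = monitor.check(m["from"], m["at"], m["body"])
        results.append((m["from"], bucket, reasons))
    return results


def build_sample_messages():
    """Constructed traffic: a normal note from a friend, a cold message from a
    stranger, and a burst of link spam from a friend's hijacked account."""
    t0 = datetime(2010, 11, 16, 12, 0, 0)
    msgs = [
        {"from": "carol", "to": "alice", "at": t0, "body": "Lunch tomorrow?"},
        {"from": "mallory", "to": "alice", "at": t0 + timedelta(seconds=30),
         "body": "Cheap pills http://pharma.example/buy"},
    ]
    for i in range(25):  # 25 messages from "bob" in under two minutes
        msgs.append({"from": "bob", "to": "alice",
                     "at": t0 + timedelta(seconds=60 + 4 * i),
                     "body": "lol look at this http://malware-download.example/video.exe"})
    return msgs


if __name__ == "__main__":
    for sender, bucket, reasons in process(build_sample_messages(), FRIENDS, SenderMonitor()):
        print(f"{sender:8} -> {bucket:6} {reasons}")
```

Running it shows carol's note in the inbox with no flags, mallory's message in the "Other" bucket (the stranger never reaches the trusted view, even though nothing about the message itself was flagged), and every one of bob's messages landing in the inbox because he is a friend; only the known-bad link check and, from the 21st message on, the burst check mark them. That is the gap the experts describe: bucket routing decides by relationship, so a compromised friend passes it, and detection has to come from what the account does, not who it is.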

But he didn't have high hopes. "Spam is a constant arms race," said Morss. "When we put a pretty good mitigation in place, the spammers eventually find a way around it."

In the end, Wisniewski and Morss said, the weak link is the user, not necessarily the technology, which means that people must remain vigilant.

"Be careful," urged Morss. "Don't click on links, don't open attachments you don't expect."

"There's been a lot of hype around [Facebook Messages] as a secure messaging platform, but if [messages] are coming from a friend, that's not going to change behavior," concluded Wisniewski.


Stories by Gregg Keizer
