Hackers, spammers will target Facebook Messages, say experts

Addition of e-mail to inbox, Koobface-hijacked accounts lead concerns by security pros

Facebook's revamped Messages will be a very attractive target for spammers, scammers and malware makers, security experts said today.

Facebook countered, saying that it has implemented new measures to protect users, including third-party anti-spam filtering of inbound e-mail.

On Monday, Facebook unveiled its new Messages, which adds e-mail to the ways members can communicate with friends. An all-in-one inbox collects Facebook messages, instant messages, text messages and e-mail into a single view.

The addition of e-mail means that spammers and scammers have yet another way to reach users, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos.

"Historically, Facebook has implemented no filtering mechanism on its messaging that I know of," said Wisniewski. "We've seen repetitive attacks using Facebook messages and chat that Facebook has had trouble stamping out."

Wisniewski compared Facebook's history of combating spam with Google's Gmail, and gave the thumbs up to the latter. "In Gmail, it's not impossible to spam, but it's difficult.... Gmail does a pretty damn good job of protecting users."

In a reply to questions, a Facebook spokesman said that the company has contracted with a third-party vendor to "supplement our spam detection and protection for messages sent from e-mail addresses off of Facebook." Facebook would not reveal the anti-spam provider, however.

Because, as Wisniewski put it, "mail is mail," he expects scammers and spammer to quickly add Facebook addresses -- which the social networking site is handing out to members -- to their lists.

"This won't end spam as we know it," added Dylan Morss, a senior manager in Symantec's anti-spam engineering group. "One of the things to note about Facebook Messages is that it integrates existing communication methods, like e-mail and chat, but these are already sources of spam and malware."

Both Morss and Wisniewski acknowledged that much of Facebook's anti-spam or anti-malware efforts have yet to be revealed because Messages has yet to roll out to all users. "Like Donald Rumsfeld said, 'There are known knowns ... there are known unknowns ... [and] there are unknown unknowns," said Wisniewski, quoting the former Secretary of Defense.

But some things are clear.

Facebook will let users restrict the messages that appear in their inbox to friends only, or select "Friends of friends" to expand the list. By default, mail from others -- those outside the friends or friends of friends circles -- drops into a mailbox labeled, not surprisingly, "Other."

But that won't prevent the spreading of spam and malware from legitimate accounts that have been hacked by criminals.

Of particular concern, said both experts, is the Koobface worm, malware that's targeted Facebook and other social networking services for more than two years. Koobface tries to trick users into clicking on a link to a malicious download, which in turn hijacks their accounts to Facebook, MySpace and other sites.

"The more ways Facebook [users] have to communicate, the more attractive it is as a target for Koobface," said Wisniewski. "I wouldn't be surprised if a new version of Koobface quickly appears [to take advantage of the new Messages]. That way, spam or malware would look like it's coming from a trusted friend."

Morss agreed. "Hacked Facebook accounts in general are a problem," he said. "That's the thing about social networking. You're putting your information on the Internet. But now you have to be careful about who you put in your inbox."

Facebook said its existing technologies are designed to detect hijacked accounts and react to spam emanating from them.

"These include complex automated systems that work behind the scenes to detect and flag suspicious behavior, based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad," the company spokesman said in an e-mail. "Once we detect a phony message, we delete all instances of it across the site."

On the plus side, said Morss, Facebook's move to separate known, and supposedly trusted, contacts from all others may be a boon in the long run. By separating messages into two "buckets" -- one for friends, the other for everyone else -- Facebook may jumpstart long-stalled similar efforts.

"That's been proposed several times in the anti-spam world, but it hasn't had resounding success in e-mail," said Morss, talking about whitelisting and identify verification technologies that have not caught on. "If people are able to adjust to a two bucket system, that in itself could help fight spam."

But he didn't have high hopes. "Spam is a constant arms race," said Morss. "When we put a pretty good mitigation in place, the spammers eventually find a way around it."

In the end, Wisniewski and Morss said, the weak link is the user, not necessarily the technology, which means that people must remain vigilant.

"Be careful," urged Morss. "Don't click on links, don't open attachments you don't expect."

"There's been a lot of hype around [Facebook Messages] as a secure messaging platform, but if [messages] are coming from a friend, that's not going to change behavior," concluded Wisniewski.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies