Skip the navigation

Hackers, spammers will target Facebook Messages, say experts

Addition of e-mail to inbox, Koobface-hijacked accounts lead concerns by security pros

November 16, 2010 04:02 PM ET

Computerworld - Facebook's revamped Messages will be a very attractive target for spammers, scammers and malware makers, security experts said today.

Facebook countered, saying that it has implemented new measures to protect users, including third-party anti-spam filtering of inbound e-mail.

On Monday, Facebook unveiled its new Messages, which adds e-mail to the ways members can communicate with friends. An all-in-one inbox collects Facebook messages, instant messages, text messages and e-mail into a single view.

The addition of e-mail means that spammers and scammers have yet another way to reach users, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos.

"Historically, Facebook has implemented no filtering mechanism on its messaging that I know of," said Wisniewski. "We've seen repetitive attacks using Facebook messages and chat that Facebook has had trouble stamping out."

Wisniewski compared Facebook's history of combating spam with Google's Gmail, and gave the thumbs up to the latter. "In Gmail, it's not impossible to spam, but it's difficult.... Gmail does a pretty damn good job of protecting users."

In a reply to questions, a Facebook spokesman said that the company has contracted with a third-party vendor to "supplement our spam detection and protection for messages sent from e-mail addresses off of Facebook." Facebook would not reveal the anti-spam provider, however.

Because, as Wisniewski put it, "mail is mail," he expects scammers and spammer to quickly add Facebook addresses -- which the social networking site is handing out to members -- to their lists.

"This won't end spam as we know it," added Dylan Morss, a senior manager in Symantec's anti-spam engineering group. "One of the things to note about Facebook Messages is that it integrates existing communication methods, like e-mail and chat, but these are already sources of spam and malware."

Both Morss and Wisniewski acknowledged that much of Facebook's anti-spam or anti-malware efforts have yet to be revealed because Messages has yet to roll out to all users. "Like Donald Rumsfeld said, 'There are known knowns ... there are known unknowns ... [and] there are unknown unknowns," said Wisniewski, quoting the former Secretary of Defense.

But some things are clear.

Facebook will let users restrict the messages that appear in their inbox to friends only, or select "Friends of friends" to expand the list. By default, mail from others -- those outside the friends or friends of friends circles -- drops into a mailbox labeled, not surprisingly, "Other."

But that won't prevent the spreading of spam and malware from legitimate accounts that have been hacked by criminals.

Of particular concern, said both experts, is the Koobface worm, malware that's targeted Facebook and other social networking services for more than two years. Koobface tries to trick users into clicking on a link to a malicious download, which in turn hijacks their accounts to Facebook, MySpace and other sites.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!