Hackers, spammers will target Facebook Messages, say experts
Addition of e-mail to inbox, Koobface-hijacked accounts lead concerns by security pros
Computerworld - Facebook's revamped Messages will be a very attractive target for spammers, scammers and malware makers, security experts said today.
Facebook countered, saying that it has implemented new measures to protect users, including third-party anti-spam filtering of inbound e-mail.
On Monday, Facebook unveiled its new Messages, which adds e-mail to the ways members can communicate with friends. An all-in-one inbox collects Facebook messages, instant messages, text messages and e-mail into a single view.
The addition of e-mail means that spammers and scammers have yet another way to reach users, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos.
"Historically, Facebook has implemented no filtering mechanism on its messaging that I know of," said Wisniewski. "We've seen repetitive attacks using Facebook messages and chat that Facebook has had trouble stamping out."
Wisniewski compared Facebook's history of combating spam with Google's Gmail, and gave the thumbs up to the latter. "In Gmail, it's not impossible to spam, but it's difficult.... Gmail does a pretty damn good job of protecting users."
In a reply to questions, a Facebook spokesman said that the company has contracted with a third-party vendor to "supplement our spam detection and protection for messages sent from e-mail addresses off of Facebook." Facebook would not reveal the anti-spam provider, however.
Because, as Wisniewski put it, "mail is mail," he expects scammers and spammer to quickly add Facebook addresses -- which the social networking site is handing out to members -- to their lists.
"This won't end spam as we know it," added Dylan Morss, a senior manager in Symantec's anti-spam engineering group. "One of the things to note about Facebook Messages is that it integrates existing communication methods, like e-mail and chat, but these are already sources of spam and malware."
Both Morss and Wisniewski acknowledged that much of Facebook's anti-spam or anti-malware efforts have yet to be revealed because Messages has yet to roll out to all users. "Like Donald Rumsfeld said, 'There are known knowns ... there are known unknowns ... [and] there are unknown unknowns," said Wisniewski, quoting the former Secretary of Defense.
But some things are clear.
Facebook will let users restrict the messages that appear in their inbox to friends only, or select "Friends of friends" to expand the list. By default, mail from others -- those outside the friends or friends of friends circles -- drops into a mailbox labeled, not surprisingly, "Other."
But that won't prevent the spreading of spam and malware from legitimate accounts that have been hacked by criminals.
Of particular concern, said both experts, is the Koobface worm, malware that's targeted Facebook and other social networking services for more than two years. Koobface tries to trick users into clicking on a link to a malicious download, which in turn hijacks their accounts to Facebook, MySpace and other sites.
- Could you quit Facebook for 99 days?
- Facebook is a school yard bully that's going down
- EPIC says Facebook 'messed with people's minds,' seeks FTC sanctions
- 7 things you need to know about Facebook's mood experiment
- Facebook emotional manipulation test turns users into 'lab rats'
- Facebook tries to stop Snapchat drain with Slingshot
- TMI! Facebook moves to stop over-sharing
- Inside Facebook's brilliant plan to hog your data
- Facebook shows mobile app developers the money with new ad network
- Facebook unveils anonymous app log-ins
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!