The man accused of sending nearly 30 million Facebook spam messages surrendered to authorities last week. “Spam King” Sanford Wallace faces criminal charges that could land him in jail for more than 16 years. Wallace is alleged to have compromised roughly a half-million Facebook accounts and used them to post the obnoxious (and dangerous) wall posts that lure users to websites that steal their personal information. By now, many Internet users are savvy enough not to click on an email promising a prince’s trapped fortune or free prescription drugs. But even if Wallace is found guilty and put behind bars, social-networking scams seem likely to keep fooling even sophisticated users. Why?
The answer lies in the fact that Facebook spam differs from ordinary spam: it is, as a 2008 paper by five University of Michigan researchers explains, “context-aware.” Ordinary spam, the authors note, is a rather crude form of attack. A spammer impersonating, say, eBay sends the same message to millions of people regardless of whether they have eBay accounts, which yields relatively low click-through rates. Facebook, on the other hand, connects users based on shared attributes: interests, locations, work and educational backgrounds, and more. Anyone who can read those attributes can craft a message that fits the target’s circumstances, which dramatically increases spammers’ ability to engineer attacks that are closely tailored and seemingly authentic. Surveying the University of Michigan’s Facebook network, the authors found that “a spammer could target 85% of users who have visible profiles with context-aware attack email.” The authors recommend a series of steps Facebook could take to improve its users’ safety: for example, rendering user names as images rather than text (the way email addresses currently appear in a Facebook profile) so that the information is harder to copy automatically; or, as part of what the authors admit is a more extreme approach, to “block most contextual information on profiles from being accessed by non-friends.” That would make Facebook less susceptible to attacks, but it would also make it less functional and interesting to use. This is the fundamental problem of securing social-networking sites: every defense involves a trade-off. The same openness that makes social-networking sites useful and fun makes them dangerous as well.
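To make the trade-off concrete, here is a small added example (written for this page, not code from the Michigan paper or from Facebook) that models the paper’s stricter option, hiding contextual profile fields from non-friends, and measures what an outsider can still harvest. The profile fields, the four-user sample network and the viewer named “spammer” are all constructed for illustration; the function names are assumptions, not any real API.

```python
"""Model of the "contextual information for friends only" defence.

Constructed example: the profiles, field names, policy and viewer ids are
assumptions made for illustration, not data or code from the paper.
"""
from dataclasses import dataclass, field

# Attributes a spammer can lift from a profile to make a message look as if
# it came from someone who knows the target (the paper's "context").
CONTEXTUAL_FIELDS = frozenset({"interests", "location", "employer", "school"})


@dataclass
class Profile:
    user_id: str
    attributes: dict                      # field name -> value
    friends: set = field(default_factory=set)


def visible_attributes(profile, viewer_id, contextual_friends_only):
    """Return the attributes `viewer_id` may read from `profile`.

    contextual_friends_only=False models an open profile: everything visible.
    contextual_friends_only=True models the stricter policy: contextual fields
    are shown to the owner and to friends only; other fields stay public.
    """
    if viewer_id == profile.user_id or viewer_id in profile.friends:
        return dict(profile.attributes)
    if not contextual_friends_only:
        return dict(profile.attributes)
    return {k: v for k, v in profile.attributes.items()
            if k not in CONTEXTUAL_FIELDS}


def harvest_context(profiles, viewer_id, contextual_friends_only):
    """Contextual fields a scraper running as `viewer_id` can collect, per user."""
    return {
        p.user_id: {k for k in visible_attributes(p, viewer_id,
                                                  contextual_friends_only)
                    if k in CONTEXTUAL_FIELDS}
        for p in profiles
    }


def targetable_fraction(profiles, viewer_id, contextual_friends_only):
    """Share of profiles for which the viewer sees at least one contextual
    field, i.e. users who could receive a context-aware message from it."""
    harvested = harvest_context(profiles, viewer_id, contextual_friends_only)
    if not harvested:
        return 0.0
    return sum(1 for ctx in harvested.values() if ctx) / len(harvested)


# Constructed sample network. "spammer" is a friend of bob only.
SAMPLE_PROFILES = [
    Profile("alice", {"name": "Alice", "location": "Ann Arbor", "school": "UM"},
            {"bob"}),
    Profile("bob", {"name": "Bob", "employer": "Acme", "interests": "cycling"},
            {"alice", "spammer"}),
    Profile("carol", {"name": "Carol", "location": "Detroit"}, set()),
    Profile("dave", {"name": "Dave"}, set()),
]

if __name__ == "__main__":
    for strict in (False, True):
        frac = targetable_fraction(SAMPLE_PROFILES, "spammer", strict)
        print(f"friends-only context={strict}: targetable fraction {frac:.2f}")
```

With open profiles the outsider can build a context-aware message for three of the four users; once contextual fields are restricted to friends, only the one user who accepted the attacker as a friend remains exposed. The same filter also hides those fields from every legitimate non-friend, which is exactly the loss of usefulness the paragraph above describes: the policy cannot tell a scraper from a classmate looking someone up.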