Facebook admits to increased attacks by spammers
Published: 22 Apr 2008 17:10 BST
The popular social-networking site Facebook is coming under increased attack by spammers and phishers, the company's security chief has revealed.
Speaking at the Infosecurity Europe conference in London, Max Kelly said the attacks become serious over the past few months. "January was the month we became noticed by threatening elements," he said. "These are the same threats as any other large network would experience."
Kelly explained the hack attacks included non-specific threats, such as edge-of-network penetration attempts and application flaw exploits, and more specific threats such as phishing attacks against users, in the form of forged emails purporting to come from Facebook.
"We are definitely a target for spammers. Data harvesting has become an issue for us," said Kelly, adding that such harvesting attempts were generally unsuccessful but "that doesn't keep people from trying".
Kelly also said Facebook had come under attempted cross-site scripting (CSS) and SQL injection attacks, but that the security layer in Facebook's system was successful in intervening and notifying Kelly's security team of such attempts.
Read this
Q&A: Facebook and the price of user privacy
Aaron Greenspan warns that Facebook is sacrificing user privacy on the altar of hyper growth
Kelly detailed a case, recently pursued by his team, where an unknown subject was identified by the system as "using features in an automated fashion" — in this case, the subject was trying to scrape users' email addresses from the system. This was identified as being the prelude to a spam or phishing attack, and the attack was traced to a Seattle hosting service.
Facebook brought a lawsuit against the hosting service, which was subpoenaed. It appeared that the hosting service was being paid from shell companies in Canada and Cyprus, so Facebook sent investigators to those countries to track down the alleged spammers. "We took action against the individuals and the companies, and obtained an injunction against their use of Facebook," Kelly said. He also claimed Facebook had been awarded a $500,000 (£250,000) judgment in the case.
Speaking to ZDNet.co.uk after his speech, Kelly said he did not have specific data to describe the increase in attacks, but maintained such attacks were "definitely escalating". He added: "We're doing a lot more investigations — we're building up our team."
Asked about a privacy and security flaw that had been identified in Facebook's mobile variant last year — in which the user's contacts had their email addresses listed, regardless of whether those contacts had opted into revealing such details — Kelly claimed the scope for harvesting such details was "quite limited" because of the relatively small extent of each user's personal network. Anyone attempting to harvest such data "would have to go through a number of steps to get any data at all", he added, suggesting that it would not be worth a spammer's while to try harvesting email addresses in this way.
- Blog: Social networking and portability
- ICO: Data-protection spot checks due this year
- Infosecurity Europe 2008: Preview
- Security breaches down, says IT security report
- Facebook admits to increased attacks by spammers
- Security industry gears up for biggest UK event
- Vendors urged to take responsibility for security
- Media lobbying 'watered down' data-misuse laws
- HMRC data loss blamed on targets
- Former White House adviser talks mobile threats
- Security expert voices virtualisation concerns
- Lord: No proof any data was lost from HMRC
Did you find this article useful?
4 out of 8 people found this useful
- Share this article:
