Table of Contents
Executive Summary
Research Methodology
Key Findings
Introduction
Types of Social Spam
Link Spam
Text Spam
Case Study: Spam in Action
Leading Entertainment Brand
Major Sports League
Social Spam Communication Mechanisms
Spammy Apps
Like-Jacking
Social Bots
Fake Accounts
Social Spam Trends
Chart: Grown Percentage of Spam vs. Comments Across All Social
Conclusion
About the Author
References
Executive Summary

Spam has been around since the beginning of electronic communication. Spammers have adapted the technology of the time - whether the telephone, email, or social media - to reach as many users as possible and to line their pockets. Today, social media spam (or social spam) is on the rise. During the first half of 2013, there has been a 355% growth of social spam on a typical social media account. Spammers are turning to the fastest growing communications medium to circumvent traditional security infrastructures that were used to detect email spam.

The impact of social media spam is already significant - it can damage brand appearance and turn fans and followers into foes. To make matters worse, a spammy social message isn't just seen by one recipient, but by potentially all of the brand's followers and all of the recipient's friends. Social spam turns one of the greatest assets of social media marketing - its multi-dimensional nature - against the brand.

As social media spam has increased, so too have the different types and mechanisms of its distribution across Facebook, YouTube, Google+, Twitter and other social networks. Link and text-based spam have evolved to adapt to the social medium. Link spam takes the form of just the URL with no surrounding text, prompting a curious and unsuspecting user to click on the link to the spammer's website. Text spam includes phishing attacks that often ask for personal information or money, and chain letters, which may make a threat or sympathetic plea prompting the user to circulate the spam.

Social media has also led to new methods of delivering spam, such as spammy apps, so-called Like-Jacking, social bots, and fake accounts. Spammy apps offer to perform special tasks outside of social media networks' original features. With Like-Jacking, instead of clicking on malicious links, victims may be tricked into clicking on images that appear as likes or other seemingly harmless buttons. Social bots and fake accounts are used to infiltrate the victim's social media world. Together, these new attack methods can significantly detract from a brand's social media presence and their social marketing ROI.

Nexgate's research team has investigated these and other trends in social media security, and has revealed some interesting statistics on the fast-growing social media spam phenomenon. Our findings show, for example, that only 15% of all social spam contains a URL that security systems detected as spammy, and at least 5% of all social media apps are spammy. We explore these results and more in the enclosed first annual 2013 State of Social Spam report written by our data scientist research team.
Research Methodology

This study is based on social data collected from social media networks observed by Nexgate, referred to throughout this paper as the Nexgate corpus, which was collected between 2011 and 2013. The social media networks under study include Facebook, Twitter, Google+, YouTube and LinkedIn. The Nexgate corpus contains over 60 million pieces of unique content written by over 25 million social accounts, including the top five most prolific and trafficked social media accounts for each social media network as determined by Socialbakers [8].

Importantly, the observed social data is the fraction of content that was publicly available on the aforementioned social accounts. This means that despite the significant increase in spam found, the data in this report is only a fraction of the total risky content and spam on any account, part of which has been manually hidden or removed by the owners of the accounts researched.

The social data includes all text communication from each of the social media networks, such as wall posts and comments from Facebook, or tweets and retweets from Twitter. We restrict our study to public information available from the social media networks' API.
Key Findings

During the first half of 2013 there has been a 355% growth of social spam.
5% of all social media apps are spammy.
20% of all spammy apps are found on a brand-owned social media account.
Fake social media profiles post greater volumes of content and more quickly than real profiles.
Spammers often spam to at least 23 different social media accounts.
For every 7 new social media accounts, 5 new spammers are detected.
Facebook and YouTube provide the most spam content compared to other social media networks. The ratio of spam on Facebook or YouTube to the other social networks is 100 to 1.
More spammers are found on Facebook and YouTube than any other social networks.
15% of all social spam contains a URL, often to spammy content, pornography or malware.
Facebook contains the highest number of phishing attacks and personally identifiable information - more than 4 times the other social media networks.
YouTube contains the highest number of risky content, or content containing profanity, threats, hate speech, and insults. For every 1 piece of risky content found on other social media networks, there are 5 pieces of risky content on YouTube.
The rate of spam is growing faster than the rate of comments on branded social media accounts.
1 in 200 social media messages contain spam, including lures to adult content and malware.
Introduction
Even the telegraph in the late 19th century did not escape spammers (2). Spam was popularized in the late 1990s and early 2000s through email messages, such as the infamous Viagra spam emails. These days, just about every email client comes equipped with a decent filter that can stop most spam before the end user ever sees it. Corporate spam gateways aggregate traffic at the network perimeter and root out most email spam before it even gets to the client. Thus, there are now well-developed infrastructures to detect email spam, and very little of it gets through.

To find better payoffs, spammers have turned to other electronic mediums. One such vulnerable medium is the social network, such as Facebook, where social network spam, or social spam, is more difficult to detect. Social spam is more potent than email spam because spammers can hit targeted audiences more easily using social-network-search tools. For instance, the new Facebook Graph Search allows a user to precisely query a specific target audience. A spammer can include parameters such as age, location, likes, interests, what brands a user follows, connections, and more, to narrow down his/her target victims. Additionally, instead of being seen only by the recipient, as with email spam, social spam may be seen by the recipient and all of the recipient's social-network followers. Furthermore, if the recipient's content is public, social spam can reach an even wider audience; in fact, up to 40% of social media accounts have been used to magnify and broaden spam distribution (5).

Perhaps the greatest motivation for spamming is financial gain. An easy method to this end is attracting traffic to sites that contain advertisements, or ads. A spammer could be paid each time an advertisement is clicked, so finding an efficient method to send large volumes of traffic to a spammer's ad site can generate a lot of money. This method of revenue generation is easy for spammers because users expend little energy when clicking an advertisement. What's more, most spam victims don't realize exactly what they're clicking on, since the lure can be anything social - a picture of a child or something fluffy and cute, like a cat. This highlights another reason why brands need to be relentless in removing spam from their accounts, as it represents a triple threat to marketing ROI if a page's audience clicks on the spammer's ad instead of the brand's ad. Basically, it means the brand loses their focused advertising opportunity, the spammer gets a chance to improve their website rank at the expense of the brand, and the brand hurts trust with their audience by letting them be victimized.

Other traditional spamming methods involve phishing attacks, which include obtaining the victim's passwords or credit card details, or injecting malware, which is software installed on a user's computer to gather sensitive information. These latter methods are less popular (but still frequently seen) since, to proceed, they require more effort from the spammer and the user. However, if successful, they open opportunities to extract greater financial rewards from the victim.

Social spam makes use of all of these traditional spamming methods seen in email spam, but given the possibilities of the social network medium, the set of mechanisms to spread spam is immensely expanded. Social spam, for example, gets distributed to hundreds, thousands, and even millions of people with one post. Email spam, by comparison, is one-to-one, requiring significantly more effort and with much higher barriers. While new, social spam marks the next phase of attack engineering by the bad guys. In this paper, we will explore social spam in detail.
There are numerous types of social spam strung across Facebook, YouTube, Google+, Twitter, and the other social networks. The two most frequent include link and text spam, and are described in detail below.
Link Spam
This type of spam may be observed to be just a single link with no surrounding text. The curious and unsuspecting user may click the link, which would send the user to a spammer's website. The website may contain ads, which could generate revenue for the spammer, or install malware, but the typical benefit of link spam is spamdexing. Spamdexing is a deceptive technique that increases the spammer's website rank in search results. To entice the user, there may be a short phrase accompanying the link that promises easy money, pills, porn, etc. Otherwise, to remain mysterious, the link can be very vague. Here are some examples from the Nexgate corpus of text accompanying link spam:

Nexgate | nexgate.com | sales@nexgate.com | +1 (650) 762-9890 | @NXGate | facebook.com/NXGate | linkedin.com/company/NXGate

Another method of remaining mysterious or vague is to shorten the link altogether without revealing where the link is pointing. As more people share legitimate content through shortening-URL services, such as bitly (bitly.com) and TinyURL (tinyurl.com), determining spammy links becomes even more challenging. These links can also automatically send similarly spammy links to all of a user's Twitter contacts.

As described above, email infrastructure is typically advanced enough to filter many of these messages, including methods to blacklist URLs or filter text. For social media, however, few technologies exist to identify, classify, and remove spammy content and URLs, especially accurately, and many organizations today unnecessarily rely on manual, human review of every post and comment (which is extremely costly, time consuming, and error-prone), or simply have no defense and leave their followers to be victimized.

Text Spam

When given the chance to manifest their spam through engaging text, spammers' content can become outright captivating. One such example is a chain letter. This type of spam threatens that something horrible will happen unless the recipient distributes the message to as many people as possible. In some cases, the message may even be positive (e.g., $1 is given to cancer research for every share or like). These chain letters can contain a request to send money to the original sender. An example of a chain-letter spam, found in the Nexgate corpus, is given here:
Other types of text spam request the recipient to respond to the spammer via a private message in order to obtain more information. These are typically work-from-home schemes that promise easy money. The spammer typically extorts money from the victim by charging a fee to join the program, or by selling overvalued products. The text may have an accompanying picture designed to further attract the attention of the victim. Examples of these messages, observed in the Nexgate corpus, are included here:
The author of the following work-from-home spam knows that his message is too good to be true, and he understands that you might be doubtful about his claims. By deceptively admitting that most work-from-home schemes are a scam, the spammer aims to earn your trust by giving you advice on how to avoid other work-from-home schemes. However, the message itself is nothing but another work-from-home scheme.
Text spam may be used as phishing attacks, where the recipient is asked to verify their account using their credentials. These phishing attacks allow the perpetrator to gather identification information from the victim, which may then be used to gain access to other accounts, such as bank accounts. A few examples of these seemingly legitimate but exploitative attacks are shown here [9]:
Because this type of spam lives entirely within social networks, traditional spam technologies have no interception point or way to detect or deal with it. Regardless of the spam type, much of it is distributed on popular social media pages, and embedded deep within the comments of a particular post. Spammers hide their content here so it's not easily noticed by the brand and community managers that patrol their pages, but leverage the broad reach / following of big brands so they can target the greatest number of people possible. What's more, by tailoring their message, spammers can engage the interests of the brand's followers in a particular show, product or celebrity, for example, thus increasing the spammer's click rate.
Spam In Action
To provide an example of spam in action, we've detailed the spam facing two well-known brands, described below. We have kept the brands anonymous.
The first example is a company that is a leading media and entertainment firm. This company has built one of the largest online social communities across Facebook, YouTube, and Twitter. The brand has hundreds of social media accounts, with roughly 50 million Likes on their busiest Facebook Page, and 240 thousand weekly unique posts. Given the popularity of this brand, this Facebook Page contains a large volume of spam content - 1 in 7 comments contain spam content. About 3% of the spam found on this Page contains a spam link, and about 1.5% contains malware. The most frequent type of spam includes work-from-home schemes, which are distributed through many types of spammy applications. These applications range from simple publishing applications used on the desktop to applications found on smartphones. Other apps used to spam are created specifically for that purpose - these types of apps and their examples are discussed and shown in the next section (Spam Communication Methods).

As discussed, few spam-fighting technologies are developed and available today. Since there is no defined workflow or policy enforcement for detecting spam that's native to the social media networks, most accounts are at risk of spammers' attacks. As more spam content is seen, the potential for the brand and its message to be diluted is increased, and trust is eroded with followers and fans. Because the brand is not protecting against spammers or fake accounts, it is also wasting financial resources in advertising campaigns and promotional material, since spammers and fake accounts provide meaningless Likes and comments.
[Graph: Comments and Spam]
As seen from the graph above, which is plotted over a two-month period, the growth rate of social spam for this social account is increasing faster than the growth rate of comments. More specifically, while the rate of comments is growing linearly, the rate of social spam is growing exponentially. During the month of April 2013, the number of posts and comments on the brand's social account grew about 20%, with an increase in spam of 5%. During May 2013, content grew by approximately 68%, but spam grew to around 60%. Therefore, even though the social media brand was taking appropriate action to increase social media activity and brand awareness, they were not able to control the social media spam seen on their account. Thus, not only did the rate of the social spam increase, the rate of social spam grew faster than the rate of posts and comments, which added to the dilution of brand reputation.
Over a two-month period for the social media account of this sports league, spam grew roughly 35% while the amount of quality content grew 35%. As the numbers show, the more the brand owning this social media account grows in activity, the more abuse they unleash on their audience, and the more they increase their opportunity cost and decrease marketing ROI.
Spammy Apps
A new breed of spam mechanism exists on social media networks, which takes the form of downloading an application or app. These apps offer to perform special tasks that a typical social media platform is unable to do, such as determining the number of profile views by other users or changing the color theme of a user's social media account. As with other spam types, the app may promise the collection of easy money. Once these apps are installed, malicious software or phishing attacks can proceed to exploit the victim. The names of a few nuisance apps are given below:

Timeline Stalkers
Profile Peekers
Change Your Color
FREE Gift Cards

Typical content that accompanies these apps includes:
Using technology, you can detect social spam apps. Nexgate has found, for example, that at least 5% of all apps are spammy, and that 20% of all spammy apps are found on a brand-owned social media account.
Like-Jacking
With Like-Jacking, instead of clicking on links, victims may be tricked into clicking on images that appear as Likes or other buttons that are typically harmless. The victim can either be taken to a website hosted by a spammer described in the previous section, or the liked content can appear at the top of their news feed, unbeknownst to the victim since this activity is not generally advertised back to the user.
A similar method is to use pictures that entice the victim to click through, leading to similar effects discussed above.
Additionally, another method that separates social spam from other forms of spam is that profile pictures can entice users to click on them, with links to sites that can either install malicious content or generate more click jacking. Here is an example of comments from YouTube that attempt to attract users to click through:
The user is then tempted to click the link on the profile picture, which leads the victim into the spammer's trap.
Social Bots
Social bots are prevalent among the social media networks. Using computer scripts, programmers can quickly create profiles that have more influence than Oprah Winfrey (6). Social bots can automatically respond to certain posts. To demonstrate the existence of social bots, we look at a recent case that shows the automation of replying via a social media account. The following exchange was observed on Bank of America's Twitter account in early July 2013. As a user tweeted that he was being chased by police near Bank of America HQ, the Twitter account of Bank of America detected this and retweeted:
Although this particular message is benign and intends to be helpful, one could imagine the efficiency of distributing spam messages through a social bot. When a social bot is turned on, it can automatically reply with any of the spam content discussed in the previous sections. Furthermore, these social bots can be designed to automatically request to become friends or followers when they discover a new social media user, or they can be used to connect to brand accounts.
Fake Accounts
Fake accounts are social media accounts that are created to resemble a real account. On the surface, the account may post benign content and photos, and may have friends or followers that post similarly benign content and photos to their account. However, this makes spam originating from these fake accounts harder for the recipient to discern. If a message such as the following were to originate from a fake account designed to seem like a real person, a social media user might be more inclined to believe it:

Many fake accounts are sold on the underground social media market. Such services can be bought for a small fee, and are easily discovered through search engines. Some of these accounts may be real accounts that are compromised, but are ultimately used for the same purposes.

Using Nexgate's analytics tools, we were able to determine some common traits that fake accounts share. We collected a random sampling of 200 fake accounts (profiles) and 200 real accounts. Looking through the 3 months before mid-August 2013, we were able to determine that activity from fake accounts is quite different from the activity seen in real accounts. While the fake profiles collected posted high volumes of content over a period of several days, real profiles tended to post content evenly per day over the entire 3-month range.

[Charts: Fake Profile Content; Real Profile Content]

We also observed posting behavior that tended to vary greatly between fake accounts and real accounts. In one example (see below), we see that the fake account posted the same content at the same time on their own account and on others' accounts.
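
The two fake-account traits described above (posting packed into a few days rather than spread evenly, and the same content posted at the same time to several accounts) can be sketched as a detection heuristic. This is an added example, not Nexgate's code; the post fields, account names, sample posts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

def normalize(text):
    """Lower-case and collapse whitespace so trivially varied copies compare equal."""
    return re.sub(r"\s+", " ", text.lower()).strip()

def burst_share(times, window_days=7):
    """Fraction of posts inside the busiest window_days window (1.0 = one burst)."""
    ts = sorted(times)
    if not ts:
        return 0.0
    window, best, start = timedelta(days=window_days), 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best / len(ts)

def cross_posted(posts, max_gap=timedelta(minutes=5), min_targets=2):
    """Map author -> target lists that received the same text within max_gap."""
    groups = defaultdict(list)
    for p in posts:
        groups[(p["author"], normalize(p["text"]))].append(p)
    hits = defaultdict(list)
    for (author, _), items in groups.items():
        items.sort(key=lambda p: p["time"])
        best, start = set(), 0
        for end in range(len(items)):
            while items[end]["time"] - items[start]["time"] > max_gap:
                start += 1
            targets = {q["target"] for q in items[start:end + 1]}
            best = max(best, targets, key=len)
        if len(best) >= min_targets:
            hits[author].append(sorted(best))
    return dict(hits)

def score_accounts(posts, burst_threshold=0.8, min_posts=5):
    """Per-account report; thresholds are illustrative assumptions, not Nexgate's."""
    times = defaultdict(list)
    for p in posts:
        times[p["author"]].append(p["time"])
    dupes = cross_posted(posts)
    report = {}
    for author, ts in times.items():
        share = burst_share(ts)
        flags = []
        if len(ts) >= min_posts and share >= burst_threshold:
            flags.append("bursty")
        if author in dupes:
            flags.append("cross-posted")
        report[author] = {"posts": len(ts), "burst_share": round(share, 2),
                          "targets": dupes.get(author, []), "flags": flags}
    return report

def sample_posts():
    """Constructed data: a steady weekly poster and a burst poster (made-up names)."""
    def post(author, target, time, text):
        return {"author": author, "target": target, "time": time, "text": text}
    base, burst = datetime(2013, 5, 15, 9, 0), datetime(2013, 7, 1, 14, 0)
    posts = [post("acct_real", "acct_real", base + timedelta(weeks=w), f"Weekend photo {w}")
             for w in range(12)]
    posts += [post("acct_fake", "acct_fake", burst + timedelta(hours=8 * i), f"Daily update {i}")
              for i in range(6)]
    same_time = burst + timedelta(days=2, seconds=30)
    posts += [post("acct_fake", "acct_fake", same_time, "Work from home, EASY money!"),
              post("acct_fake", "brand_page_a", same_time, "work from home,  easy money!"),
              post("acct_fake", "brand_page_b", same_time, "Work  from home, easy MONEY!")]
    return posts

if __name__ == "__main__":
    for account, row in score_accounts(sample_posts()).items():
        print(account, row)
```

Neither signal is conclusive on its own: a real account can post in a burst during an event, so the flags are best used to queue accounts for review.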
Instead of looking at the rate of growth of spam vs. comments for a particular social media account, we now turn our attention to the rate of growth of spam vs. comments for all social media accounts in the Nexgate corpus.
[Graph: Comments and Spam]
As we saw in our case study, the rate of spam is growing faster than the rate of comments. A slight kink towards the bottom left of the red curve suggests that, perhaps for a brief time, social spam was growing slower than comments in general. However, either through a new strategy or becoming smarter than social networks' standard detection networks, social spam has grown significantly faster than comments.
Conclusion
Spam has been with us for a long time through the evolution of email, the telephone, and now our social media. It's no surprise that the bad guys are targeting today's most population-dense communication medium; however, until now, few have truly investigated the methods of these new-age spammers, or developed technology to adequately address the problem on behalf of the social networks and the brands and fans that enjoy them.

The same expertise and research used for this study also powers the detection and enforcement engines of the Nexgate product suite. Nexgate is the leading provider of social media security and compliance with automated detection, classification, and removal of spam, malicious, and inappropriate content across all major social media platforms. Our patent-pending technology seamlessly connects to social networks to remove unauthorized content and protect your brand and followers.

To learn more about how Nexgate can help your brand automate social media security and tackle the problem of social media spam, visit nexgate.com.
About Nexgate

Nexgate provides cloud-based brand protection and compliance for enterprise social media accounts. Its patent-pending technology seamlessly integrates with the leading social media platforms and applications to find and audit brand-affiliated accounts, control connected applications, detect and remediate compliance risks, archive communications, and detect fraud and account hacking. Nexgate is based in San Francisco, California, and is used by some of the world's largest financial services, pharmaceutical, Internet security, manufacturing, media, and retail organizations to discover, audit and protect their social infrastructure.
References
(1) "EdgeRank: The Secret Sauce That Makes Facebook's News Feed Tick". TechCrunch. 2010-04-22. Retrieved 2012-12-08.
(2) "Getting the message, at last". The Economist. 2007-12-14.
(3) http://blog_impermium_com.s3.amazonaws.com/wpcontent/uploads/2011/10/Impermium_Halloween_Small2.jpg
(4) http://www.itworld.com/it-managementstrategy/264648/social-spam-taking-over-internet
(5) http://www.businessweek.com/articles/2012-05-24/likejacking-spammers-hit-social-media
(6) http://www.nytimes.com/2013/08/11/sunday-review/i-flirt-and-tweet-follow-me-at-socialbot.html?emc=eta1&_r=1&
(7) http://online.wsj.com/article/SB10001424052970203686204577112942734977800.html?cb=logged0.9653948666527867&cb=logged0.13351966859772801
(8) http://www.socialbakers.com
(9) http://nakedsecurity.sophos.com/2011/02/01/facebook-will-close-all-accounts-today-rogue-app-spreads-virally/