[Note: this article written by Katie Cincotta was originally published by the Sydney Morning Herald]
The daily sticky-nose into your friends’ activities on Facebook, your circle of witty tweeters or the latest retro snaps on Instagram are being hijacked by hackers and haters.
You would think most of us would be less gullible by now, but according to a 2010-2011 survey by the Australian Bureau of Statistics, of 6.4 million people who received an online scam in the 12 months before the survey, 514,500 of us fell for it, up from 329,000 in 2007.
It’s the time when your defences might be down – seemingly in a safety net of people you know.
So the promise of a free iPad, a photo of a celebrity caught unawares or a provocative post your friend might have “liked” might not seem an obvious trap.
But what those infected links do is execute malicious code in the web browser and spread a spam attack from your profile page without your knowledge.
AVG security adviser Michael McKinnon says ubiquitous social networking, and the pace at which we click on links, is giving hackers an open gateway.
How we often fall victim is through “social engineering” tactics, which trick us into thinking the content has come from a friend, with spammers often using personal details made public on our profiles.
“In Facebook, one of your friends may have been tricked into sharing something, with click-jacking or malware on a website,” McKinnon says. “You could then share infected content across Facebook without even realising it.”
He says hacks on Twitter usually happen around popular hashtags. “Twitter is quite anonymous and has a very low friction point,” he says. “It’s very easy for scammers to create brand new Twitter accounts and flood them with new tweets. It usually takes 24 to 48 hours before they get suspended, which gives them a small window of time.”
Social networks are trying hard to close the loopholes. Facebook has an entire security team that operates from a room with the word “scalps” stencilled on the back wall, surrounded by photos of spammers being served notices of lawsuits.
Facebook tells Livewire that as part of its efforts against spam it has built an extensive malicious URL blacklist system.
To process the millions of violation reports Facebook receives each day, it contracts third parties through job sites such as oDesk, paying predominantly third-world moderators as little as $1 an hour to sift through its dirty laundry.
The company claims it escalates the most serious reports internally, and says all decisions made by its spam-filter contractors are still subject to audits.
IT lawyer Kay Lam-MacLeod says that with the Advertising Standards Bureau and the ACCC recently indicating they regard the Facebook page of a company to be part of its advertising strategy, companies are now responsible for policing abusive or misleading user comments.
Facebook provides page administrators with tools to monitor content, including blacklists that identify specific words, but administrators are limited in their response to offensive content – they either delete comments or block people who continue to post inappropriate messages. But Lam-MacLeod says those controls aren’t enough, citing the recent Queensland Police Service case in which a post about the arrest of Gerard Baden-Clay, accused of the murder of his wife, incited a torrent of abusive comments, despite the police not publishing his name. “They [QPS] were deleting them but it was a big job as the crowd was out there with a pitchfork,” she says.
Lam-MacLeod says it would be helpful if Facebook allowed you to quarantine comments that can be read prior to publishing, but that policing resources might not be possible for all businesses.
On photo community Instagram, spam accounts with “get more followers” in their name are starting to infiltrate the network. They’re easy to spot as they have no photos on their profile page, and the promise of links that will give you “25,000 followers”.
The ellipsis button on each photo lets you report inappropriate photos, with a flagging function on the top right arrow of each profile.
But who’s got the time and energy to report the dozens of scam profiles cropping up each day?
McKinnon reckons stopping spam and abuse is everyone’s responsibility, not just the duty of the social networks and security companies.
“Twitter and Facebook have some degree of automation, and most social media sites have very good ways of stopping spam, but it comes back to a collective response from us all.”