Security Strategy

Facebook under attack: The spam and phishing threat

Security chief: "We are definitely a target"

Tags: phishing, spam, facebook

By David Meyer

Published: 23 April 2008 08:21 BST

The popular social-networking site Facebook is coming under increased attack by spammers and phishers, the company's security chief has revealed.

Speaking at the Infosecurity Europe conference in London, Max Kelly said the attacks have become serious over the past few months. He said: "January was the month we became noticed by threatening elements. These are the same threats as any other large network would experience."

Kelly explained the hack attacks included non-specific threats, such as edge-of-network penetration attempts and application flaw exploits, and more specific threats such as phishing attacks against users, in the form of forged emails purporting to come from Facebook.

Kelly said: "We are definitely a target for spammers. Data harvesting has become an issue for us," adding that such harvesting attempts were generally unsuccessful but "that doesn't keep people from trying".

Kelly also said Facebook had come under attempted cross-site scripting (XSS) and SQL injection attacks, but that the security layer in Facebook's system was successful in intervening and notifying Kelly's security team of such attempts.

Kelly detailed a case, recently pursued by his team, where an unknown subject was identified by the system as "using features in an automated fashion" - in this case, the subject was trying to scrape users' email addresses from the system. This was identified as being the prelude to a spam or phishing attack and the attack was traced to a Seattle hosting service.

Facebook brought a lawsuit against the hosting service, which was subpoenaed. It appeared the hosting service was being paid from shell companies in Canada and Cyprus, so Facebook sent investigators to those countries to track down the alleged spammers. Kelly said: "We took action against the individuals and the companies and obtained an injunction against their use of Facebook." He also claimed Facebook had been awarded a $500,000 judgment in the case.

Speaking to silicon.com sister site ZDNet.co.uk after his speech, Kelly said he did not have specific data to describe the increase in attacks, but maintained such attacks were "definitely escalating". He added: "We're doing a lot more investigations - we're building up our team."

Asked about a privacy and security flaw that had been identified in Facebook's mobile variant last year - in which the user's contacts had their email addresses listed, regardless of whether those contacts had opted into revealing such details - Kelly claimed the scope for harvesting such details was "quite limited" because of the relatively small extent of each user's personal network. Anyone attempting to harvest such data "would have to go through a number of steps to get any data at all", he added, suggesting it would not be worth a spammer's while to try harvesting email addresses in this way.

Original article: Facebook admits to increased attacks by spammers from ZDNet UK
