This weekend spammers continued their expansion into new domains by attacking the social network/microblogging service Twitter. The attack, described in further detail below, was conducted by creating a pool of malicious profiles and following a large number of users, implicitly leading the followed users to view the spam.
Frankly, if I had been asked two years ago whether spammers would move to social networking more aggressively than to another platform like SMS, I would have said it was unlikely. I believed that the trust graph provided by social networks would prevent spammers from randomly messaging individuals on the network, which is the main means of propagating spam on email networks. Additionally, if spammers did find a way of randomly messaging individuals on a social network, Twitter would be relatively immune to the attack, as messaging requires a bilateral agreement between the parties: both sides have to agree they are friends before they can directly message one another. I believed that spammers would either have to trick individuals into accepting this relationship or have to hijack highly connected accounts to wage effective attacks.
Spammers instead went after Twitter pretty hard this holiday weekend using the "friend invite" model that was first developed against other social networking services such as MySpace and Facebook. Briefly, the attack involves creating a large number of new accounts, posting spammy updates and profile information, and then inviting people to view the spam by performing a friend request, or in Twitter's case, "following" the spam target. As a result, spammers have implemented an effective means of leading targets to spam without a direct message.
An individual can remediate this attack in the short term by disabling the e-mail notifications sent when someone follows you. This is by no means an optimal solution, as you would no longer learn when individuals of interest join the community. The only party that can really address the situation is Twitter, using techniques that have already been developed for the e-mail anti-spam world, namely a combination of blacklisting, throttling, CAPTCHAs, and content restriction and filtration.
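As an illustration of how three of those techniques combine against mass following, here is an added example (not from the original article and not Twitter's code) of a per-account follow throttle that escalates from allowing, to demanding a CAPTCHA, to blacklisting. Every threshold, the class and function names, and the sample events are assumptions constructed for the sketch; content filtering is not covered.

```python
from collections import Counter, defaultdict, deque

# All thresholds are assumptions chosen for illustration, not Twitter's values.
WINDOW = 3600                 # sliding window, seconds
SOFT_LIMIT = 20               # follows per window before a CAPTCHA is demanded
HARD_LIMIT = 60               # follows per window before the account is blacklisted
NEW_ACCOUNT_AGE = 7 * 86400   # younger accounts get half of each limit


class FollowThrottle:
    def __init__(self):
        self.recent = defaultdict(deque)  # account -> timestamps of follow attempts
        self.blacklist = set()

    def check(self, account, created_at, now):
        """Decide one follow attempt: 'allow', 'captcha' or 'block'."""
        if account in self.blacklist:
            return "block"
        attempts = self.recent[account]
        while attempts and attempts[0] <= now - WINDOW:
            attempts.popleft()            # drop attempts that left the window
        attempts.append(now)              # count the attempt whatever the outcome
        scale = 0.5 if now - created_at < NEW_ACCOUNT_AGE else 1.0
        if len(attempts) > HARD_LIMIT * scale:
            self.blacklist.add(account)   # mass following: stop serving this account
            return "block"
        if len(attempts) > SOFT_LIMIT * scale:
            return "captcha"              # a human must confirm before the follow lands
        return "allow"


def replay(events):
    """Run (account, created_at, now) events in order; tally decisions per account."""
    throttle, tally = FollowThrottle(), defaultdict(Counter)
    for account, created_at, now in events:
        tally[account][throttle.check(account, created_at, now)] += 1
    return tally


# Constructed sample: a day-old account following every 10 s, and a
# year-old account following every 200 s.
DAY, YEAR = 86400, 365 * 86400
SAMPLE = sorted(
    [("new_bulk", 0, DAY + 10 * i) for i in range(40)]
    + [("old_user", DAY - YEAR, DAY + 200 * i) for i in range(25)],
    key=lambda e: e[2],
)

if __name__ == "__main__":
    for account, counts in replay(SAMPLE).items():
        print(account, dict(counts))
```

Halving the limits for young accounts targets the pool of freshly created profiles described above, while the established account in the sample never leaves the "allow" tier.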
Adam J. O'Donnell is the Director of Emerging Technology at Cloudmark, an anti-messaging abuse company located in San Francisco. His interests include distributed system security, network measurement, and writing random articles. Contact him at firstname.lastname@example.org.