Facebook admits to increased attacks by spammers

The social-networking site has come under increased attack by spammers and phishers this year, according to its head of security

The popular social-networking site Facebook is coming under increased attack by spammers and phishers, the company's security chief has revealed.

Speaking at the Infosecurity Europe conference in London, Max Kelly said the attacks had become serious over the past few months. "January was the month we became noticed by threatening elements," he said. "These are the same threats as any other large network would experience."

Kelly explained that the attacks included non-specific threats, such as edge-of-network penetration attempts and application-flaw exploits, and more specific threats such as phishing attacks against users, in the form of forged emails purporting to come from Facebook.

"We are definitely a target for spammers. Data harvesting has become an issue for us," said Kelly, adding that such harvesting attempts were generally unsuccessful but "that doesn't keep people from trying".

Kelly also said Facebook had come under attempted cross-site scripting (XSS) and SQL injection attacks, but that the security layer in Facebook's system was successful in intervening and notifying Kelly's security team of such attempts.

Kelly detailed a case, recently pursued by his team, where an unknown subject was identified by the system as "using features in an automated fashion" — in this case, the subject was trying to scrape users' email addresses from the system. This was identified as being the prelude to a spam or phishing attack, and the attack was traced to a Seattle hosting service.

Facebook brought a lawsuit against the hosting service, which was subpoenaed. It appeared that the hosting service was being paid from shell companies in Canada and Cyprus, so Facebook sent investigators to those countries to track down the alleged spammers. "We took action against the individuals and the companies, and obtained an injunction against their use of Facebook," Kelly said. He also claimed Facebook had been awarded a $500,000 (£250,000) judgment in the case.

Speaking to ZDNet.co.uk after his speech, Kelly said he did not have specific data to describe the increase in attacks, but maintained such attacks were "definitely escalating". He added: "We're doing a lot more investigations — we're building up our team."

Asked about a privacy and security flaw that had been identified in Facebook's mobile variant last year — in which the user's contacts had their email addresses listed, regardless of whether those contacts had opted into revealing such details — Kelly claimed the scope for harvesting such details was "quite limited" because of the relatively small extent of each user's personal network. Anyone attempting to harvest such data "would have to go through a number of steps to get any data at all", he added, suggesting that it would not be worth a spammer's while to try harvesting email addresses in this way.
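The mobile-variant flaw described above, as an added illustration that is not Facebook's code: a contact-list path that lists every contact's address regardless of opt-in, beside one that routes through the same visibility check as the main site. The opt-in flag, the friends-only rule and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    email: str
    shares_email: bool = False            # assumed opt-in flag; default is hidden
    friends: set = field(default_factory=set)


def email_visible_to(owner: User, viewer: User) -> bool:
    """Single policy check for every front-end: the OWNER's opt-in decides,
    and (assumed rule) only people on the owner's own friend list may see it."""
    return owner.shares_email and viewer.user_id in owner.friends


def contact_card(owner: User, viewer: User) -> dict:
    """Shared rendering helper: includes the address only when policy allows."""
    card = {"user_id": owner.user_id}
    if email_visible_to(owner, viewer):
        card["email"] = owner.email
    return card


def mobile_contacts_vulnerable(viewer: User, directory: dict) -> list:
    """Constructed 'before': the mobile path reads raw records and lists every
    contact's address, ignoring whether that contact ever opted in."""
    return [{"user_id": uid, "email": directory[uid].email}
            for uid in sorted(viewer.friends)]


def mobile_contacts_fixed(viewer: User, directory: dict) -> list:
    """'After': the mobile path reuses the policy-aware helper, so a second
    front-end cannot bypass the visibility rule the main site enforces."""
    return [contact_card(directory[uid], viewer) for uid in sorted(viewer.friends)]


# Constructed sample directory (all addresses use the reserved .invalid TLD).
alice = User("alice", "alice@example.invalid", shares_email=True, friends={"bob"})
carol = User("carol", "carol@example.invalid", shares_email=False, friends={"bob"})
dave = User("dave", "dave@example.invalid", shares_email=True, friends=set())  # bob not on dave's list
bob = User("bob", "bob@example.invalid", friends={"alice", "carol", "dave"})
DIRECTORY = {u.user_id: u for u in (alice, bob, carol, dave)}
```

Running `mobile_contacts_vulnerable(bob, DIRECTORY)` exposes carol's and dave's addresses; the fixed path returns only alice's.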