December 1, 2015 - Ting Fang Yen

Cyber Attackers Turn Location-Based Services Against You with Spam Account Profiles


Social spam is not new. We’ve all experienced our share of unsolicited comments, stranger friend requests, phishing links, fake reviews, and click-baiting. But as online services introduce new features to make connecting and sharing content easier than ever, social spam is rapidly taking on new shapes and forms, such as spam account profiles.

Different from traditional email spam, social spam can reach a large audience by nature of the platform and can appear “trustworthy” since it is coming from people in your social network. This kind of spam also has a long lifespan since social media content stays online 24/7 and is rarely removed, if ever.

More than a mere annoyance factor, such attacks severely degrade brand name reputation and platform integrity, hindering user growth and even driving away existing users. This causes a stagnant user base and loss in ad revenue, which is what ultimately hits home for social media companies grappling with spam account profiles.

Spam coming to a profile “near” you

We recently observed malicious activities on a large social application that illustrate the ever-changing landscape of spam. Today, spam is commonly detected by content-based solutions which analyze messages, e.g., by looking at the word frequency, the validity of the message format, or the presence of known malicious text. To evade this, the attackers chose not to post or send messages through traditional communication channels, so these security solutions have no “content” to analyze. Instead, spammy text was placed within the profile description of fake accounts. Hijacking an app feature that was not meant for messaging effectively allows attackers to evade the vantage points used by existing security solutions.

An example of profile spam (Image source: Hyphenet Blog)

More ingenious is how the attackers exploited the location-proximity feature available on mobile apps to distribute spam. While such features enable users to find, view, and interact with others that are nearby, they also allow normal users that are “close” to the fake accounts to be spammed with the profile text. This is exactly what the attackers wanted. Using GPS faker tools, they set the fake accounts’ profile locations to span across tens of major cities to reach a large population of users.

The screenshot below shows an example of such a tool, Mock GPS. Users can drag anywhere in the map and select “Set Location.” Other apps on the device that subsequently attempt to read the device’s GPS location will be given the specified value.

A screenshot from a GPS faker app, Mock GPS, running inside the BlueStacks Android emulator.
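One way a defender could look for the two signals described above, shown as an added example that is not from the original post or from DataVisor: accounts whose consecutive location updates imply an impossible travel speed, combined with profile text shared across accounts. The event format, the sample records, and the 1000 km/h threshold are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample events: (account_id, unix_time, lat, lon, profile_text)
EVENTS = [
    ("acct_a", 0,    37.7749, -122.4194, "Hi, I love hiking"),
    ("acct_a", 3600, 37.8044, -122.2712, "Hi, I love hiking"),          # SF -> Oakland, 1 h
    ("acct_b", 0,    40.7128, -74.0060,  "Free gifts at example.invalid/x"),
    ("acct_b", 1800, 34.0522, -118.2437, "Free gifts at example.invalid/x"),   # NYC -> LA, 30 min
    ("acct_c", 0,    41.8781, -87.6298,  "free gifts  at EXAMPLE.invalid/x "),
    ("acct_c", 900,  29.7604, -95.3698,  "free gifts  at EXAMPLE.invalid/x "), # Chicago -> Houston, 15 min
]
MAX_KMH = 1000.0  # assumed threshold: faster than a commercial flight

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Accounts with consecutive location updates implying speed above max_kmh."""
    by_acct = defaultdict(list)
    for acct, ts, lat, lon, _ in events:
        by_acct[acct].append((ts, lat, lon))
    flagged = set()
    for acct, pts in by_acct.items():
        pts.sort()
        for (t0, la0, lo0), (t1, la1, lo1) in zip(pts, pts[1:]):
            hours = max(t1 - t0, 1) / 3600.0  # guard against zero elapsed time
            if haversine_km(la0, lo0, la1, lo1) / hours > max_kmh:
                flagged.add(acct)
    return flagged

def shared_profile_text(events, min_accounts=2):
    """Map normalized profile text -> accounts, for text used by several accounts."""
    owners = defaultdict(set)
    for acct, _, _, _, text in events:
        owners[" ".join(text.lower().split())].add(acct)
    return {t: a for t, a in owners.items() if len(a) >= min_accounts}

def suspicious_accounts(events):
    """Accounts that both jump between cities and reuse another account's profile text."""
    clustered = set().union(*shared_profile_text(events).values())
    return impossible_travel(events) & clustered

if __name__ == "__main__":
    print(sorted(suspicious_accounts(EVENTS)))
```

Neither signal inspects posted messages, so it still applies when the spam text lives only in the profile field.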

In addition to embedding malicious text in profile descriptions and manipulating GPS locations to distribute spam, this attack also exhibited an extended incubation period, making detection even more difficult.

As shown in the timeline below, attackers spent several weeks preparing the spam account profiles, including registering fake accounts and editing their profile information in small doses. These “sleeper cell” accounts can circumvent detection for months or years, appearing perfectly benign right up until attack launch, in this case spamming “nearby” users. At that point, the damage is already done.

The timeline of a spam attack with an extended incubation period. The attackers embedded spam messages in profile descriptions, and used GPS faker apps to set the fake accounts’ locations to arbitrary cities.

A problem with costly consequences

Social spam is not new [1]. Neither is profile spam [2]. However, this example illustrates how cyber attackers are constantly devising new techniques to evade detection, just as online services are adopting new disruptive features to attract more users.

This is a costly problem that desperately needs advanced, predictive security solutions that can detect these hidden accounts masquerading as legitimate users. With evolving attack techniques that are becoming increasingly sophisticated, traditional reactive security solutions are forced to play an endless game of “whack-a-mole” to try to stop them. It’s faking GPS this time, what’s next?

References

[1] “Spam 2.0: Fake user accounts and spam profiles.” Google Webmaster Central Blog, Jun 2009. http://googlewebmastercentral.blogspot.com/2009/06/spam20-fake-user-accounts-and-spam.html

about Ting Fang Yen
Ting-Fang Yen is Director of Research at DataVisor. Ting-Fang specializes in network and information security data analysis and fraud detection in the financial, social, and e-commerce industries. She holds a Ph.D. in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.