Detecting and Characterizing Social Spam Campaigns
Hongyu Gao
Jun Hu
Christo Wilson
Zhichun Li
Yan Chen
Ben Y. Zhao
Proceedings of The 10th ACM SIGCOMM Internet Measurement Conference (IMC 2010)
[Full Text in PDF Format, 1.6MB]
Paper Abstract
Online social networks (OSNs) are popular collaboration and communication tools for millions of users and their friends. Unfortunately, in the wrong hands, they are also effective tools for executing spam campaigns and spreading malware. Intuitively, a user is more likely to respond to a message from a Facebook friend than from a stranger, thus making social spam a more effective distribution mechanism than traditional email. In fact, existing evidence shows malicious entities are already attempting to compromise OSN account credentials to support these "high-return" spam campaigns.
In this paper, we present an initial study to quantify and characterize
spam campaigns launched using accounts on online social networks. We
study a large anonymized dataset of asynchronous "wall" messages between
Facebook users. We analyze all wall messages received by roughly 3.5
million Facebook users (more than 187 million messages in all), and use
a set of automated techniques to detect and characterize coordinated
spam campaigns. Our system detected roughly 200,000 malicious wall
posts with embedded URLs, originating from more than 57,000 user
accounts. We find that more than 70% of all malicious wall posts
advertise phishing sites. We also study the characteristics of
malicious accounts, and see that more than 97% are compromised
accounts, rather than "fake" accounts created solely for the purpose
of spamming. Finally, we observe that, when adjusted to the local time
of the sender, spamming dominates actual wall post activity in the early
morning hours, when normal users are asleep.