New Digital Spam: How Bad Guys Try to Trick You; How to Avoid the Traps
By Christina DesMarais
Like Whack-a-Mole, new forms of digital spam pop up faster than security software can knock them down–and the problem is just getting worse. In fact, according to search engine newcomer Blekko, 1 million new spam pages are created every hour.
At the outset, let me offer my defininition of spam: any kind of unwanted communication delivered by any unknown source. That’s a broader description than many people would make; but much of what’s happening online is not only annoying and a waste of time, but also sometimes injurious and costly.
Here are some of the latest forms of digital spam, together with some steps you can take to avoid them.
Fake News Sites
I recently wrote a story that resonated with readers. As I read through and responded to some of their comments, I saw this one:
“my roomates [sic] aunt makes $83/hr on the laptop. She has been without work for 8 months but last month her pay was $8682 just working on the laptop for a few hours. Read more on this site [URL].”
Really? All that money for just a few hours of work?
Sadly, some people actually fall for this spammy scam, click the link, and end up on a fake news site, which lures them to another page. There, if they hand over their name, phone number, and email address, they can gain access to the spammer’s “incredible work-at-home opportunity.” But you should never offer your personal information to any source you’re not absolutely sure can be trusted, because hackers can use it to do all sorts of nefarious things.
The fake news sites, which have titles such as “News 6 News Alerts,” falsely indicate that the reports they display have been “seen” on major media outlets, such as CNN, USA Today, and Consumer Reports; in reality the reports are merely ads meant to entice people to buy things.
The FTC recently shut down several groups peddling acai berry weight-loss and colon cleanse products, and informed the public that the reporters or commentators pictured on the sites were fictitious and had not conducted the tests or experienced the results described in the reports. Even the comments posted following the reports were additional advertising content, not independent statements from ordinary people.
Advice: One way that sneaky sellers hook consumers is by offering them free product trials. Remember the old adage, “There’s no such thing as a free lunch.” That goes for free trials as well. Most often the fine print about these deals goes unnoticed or unread, increasing the likelihood that the hapless consumers’ credit card will get billed or they’ll be stuck with a long-term contract if they don’t unsubscribe by a certain date.
Clickjacking or Likejacking
Sometimes on Facebook you may see your friends “liking” items that seem questionable–say, your skinny 12-year-old niece touting a diet that helped her lose 10 pounds in two weeks.
The likely explanation is that your niece was the victim of clickjacking (aka likejacking). The scam works like this: Your niece sees that one of her friends has posted a link to the best Justin Bieber video ever. She clicks it–but before she can view the video, she is asked to complete an online survey and share personal information. Or she is taken to an ad to sign up for some kind of service or product.
Code embedded in links she uses then spreads the link to her own Facebook page, making it seem as though she “liked” it. This is all done with the aim of attracting clicks from her friends on the same material.
It’s a big problem. Facebook recently filed two separate lawsuits in federal courts in California and Washington state against Delaware-based Adscend Media LLC, a company that officials allege is some of this type of spamming.
Advice: If you’ve been hit by a scam like this one, remove the messages and the likes from your Facebook page and warn your friends not to click the offending links. Also, keep in mind that clickjacking can happen anywhere on the Web. If a link sounds enticingly shocking or salacious, or contains an offer that seems too good to be true, don’t click it.
Facebook Subscribe Feature
Similar to Twitter’s “follow” button, the Facebook Subscribe feature allows anyone to read someone else’s public posts even if the two people are not friends. Some people are finding the function to be a haven for spam.
The button is meant to create a viral effect by notifying your friends when you subscribe to a person’s profile, and it works. Many public figures have opened up their profiles for subscribers to see, including The Travel Channel’s Nisha Chittal, who amassed 80,000 subscribers in just six months, compared to the 5000 followers she has on Twitter.
Little did she realize the kinds and amounts of unwanted messages she would get because of Subscribe.
Chittal hoped to connect with a community that shared her passions for travel and social media. Instead, she received sexually explicit messages, pornographic photos, and spam from thousands of users around the world. The New York Daily News reported that she said she was getting messages from random men every few minutes and that “For every one or two legitimate comments, I would get 20 from creepy men who would say weird or strange or sexual things.” Bloomberg producer Anne Torres had a similar experience. Both women have since locked down their profiles so strangers can no longer send them messages.
Advice: Consider yourself warned. If you don’t want this type of unwelcome oversharing to happen to you, don’t let strangers see your posts.
Next: Bad uses of Google+ and Twitter; also Sockpuppets
I like to use Google+ because many of the posts I see there are more relevant to me than the ones I get on Facebook, which can be clogged up with people I haven’t spoken to in 20 years posting every 5 minutes about what they just ate for lunch.
I like to put people in Google+ Circles if they have me in one of theirs, as long as they’ve invested a few minutes in creating an actual profile, complete with a photograph and some information about their interests and what they do for a living.
A few times I’ve accidentally put someone with an empty page into a circle and then gotten messages from them asking me if I want to chat (I do not). And because most of my posts on Google+ are public, I occasionally get a visit from some flamethrower bent on trying to drag me down into his pit of misery. While I certainly welcome thoughtful, courteous, and constructive feedback, I consider insulting, disrespectful, and scurrilous remarks from strangers to be forms of spam.
I’m not alone. Tech pundit MG Siegler recently caused quite a stir when he shut off all comments to his popular blog, saying that 99 percent of the comments were bile. And BGR.com recently said that ITworld soon would do the same. “I’m tired of reading nonsense and of interacting with people that solely troll this site just to get a rise out of other commenters and start a holy war in the comments section,” wrote Jonathan S. Geller, BGR’s editor-in-chief.
Advice: Be careful about who you include in your Google+ circles.
Twitter is rife with spam, predominantly in connection with phishing scams. You get a direct message something along these lines: “I saw a real bad blog about you. You seen this? [URL].” If you click on the URL, it takes you to what appears to be a Twitter sign-on page. This is where a bad guy hopes you will give him your password. If you do, the scammer accesses your account and spams all of your followers with direct messages in hopes of getting their passwords as well.
If you use Twitter, be very suspicious of direct messages that ask you to click a link–or any link that promises something too good to be true, such as thousands of new followers overnight.
In addition to seeking your passwords, bad guys are interested in getting your mobile phone number and other bits of personal information. Hackers who obtain this data can sell it to various buyers, including identity thieves, organized crime rings, spammers, and botnet operators–all of whom will try to use the data to make even more money.
Advice: Anytime you’re directed to a sign-in page, look at the address bar closely. Twitter’s address should look like this: https://twitter.com/. If even one letter is off, you are not at the real site. And if you accidentally fall for this ploy, change your Twitter password right away (and change your password on any other site where you use the same password). Also scan your computer with up-to-date antivirus software to see whether the fake site infected it with malware.
A sockpuppet is an online identity for someone who doesn’t exist. Fake identities of this type have been around for a while, and marketers use them to promote products or sabotage competitors via comments that they make in these fake people’s names online.
A leaked email message last year indicated that computer security firm HBGary might be working on creating an army of sockpuppets under the control of just a few people, who would use sophisticated software to automate posts on social media sites, blogs, and forums.
One concern (among many) is that these sockpuppets might create the illusion of consensus on issues that are actually controversial. The illusion of consensus can be a powerful persuader and might turn public opinion on important issues despite being imaginary.
Advice: I’m not sure what can be done about this; but it’s important to be aware that, just because someone has a robust online presence and just tweeted a hashtag about the conference he’s attending, that doesn’t mean the person is real.
Content farms are huge news sites that use headlines, keywords, and other tricks to lure people to their online territory, where they get paid by advertisers–either for page-view numbers or for ad clicks by page visitors. Visitors to these sites are usually disappointed, however, because the writing they find tends to be poor and generally neither useful nor informative.
Google became fed up with how successfully these content farms were gaming search results. As a result, about a year ago, the search giant significantly altered its ranking algorithm in a way that affected about 12 percent of all queries. The move effectively undercut the rankings of content from low-quality sites and strengthened the rankings of content from sites that produce original material distilled from research, along with in-depth reports and thoughtful analysis.
Since then, many companies affected by the change have changed their ways. For example, Yahoo cleaned up Associated Content, a massive content-farm site that it acquired in 2010, by deleting more than 75,000 articles, moving stories that it deemed worthy of keeping to Yahoo’s domain, and renaming the site Yahoo Voices. Yahoo also has said that it will offer its writers an online training course to help them create higher-quality content.
Advice: If you still find low-quality news reporting to be a problem, consider obtaining your news from a mobile device and installing an app such as Google Currents, which delivers only news from highly reputable publications, including PCWorld.com.
Next: Evil QR codes, junk apps, and more
Another sneaky new tactic to beware of involves QR codes embedded in email messages. Quick Response codes are two-dimensional pixelated barcodes that smartphone users can scan using their phone’s camera coupled with a reader app.
When you scan a QR code, you never know where it will take you. You could end up on a site offering any number of things: useful information and reviews for a product that you’re thinking of buying; a coupon or discount; lame company information you don’t care about; or (as happened in a recent spam campaign) a landing page that sells pharmaceuticals or one that infects phones with malware.
Security researchers say that the lack of clarity about the purpose of the URL could lead to QR codes’ becoming the next trouble spot in mobile malware propagation.
Advice: To get around the hiding of the URL, be sure to use a reader app that shows you the address of the link before you go there. I recommend Google Goggles, which works great in iOS and Android. Opening the app activates your camera. If you hold your phone in front of a QR code, Goggles automatically will read it, spend a second or two analyzing it, and then show you the link that the code points to.
From there, you can either go forward to the site, or do nothing. Goggles is fun to play around with, too: You can take pictures of things in the world; and if Google recognizes them, it will send you more information. If the link goes to a website that you don’t know or may not trust, however, don’t go there. In general, scanning a QR code at Arby’s or from a product information tag at Best Buy won’t do any damage. But no matter how inquisitive you are, never scan one that’s located somewhere random, such as on a wall near a bar, and lacks any type of explanation.
You need to be careful about the apps you download to your phone. Junk apps include programs that falsely claim to be something they’re not, copy the appearance of popular apps while being pretty much worthless, or promise to have cheats for popular games. Though lots of free apps look interesting, some of them have little functionality unless you ante up for the in-app upgrade. In sum, the entire free app acts as an ad for the paid version.
And though Apple screens apps before permitting them inside its walled garden, bad ones do sometimes get through. An app claiming to be the 4.0 version of the Camera+ app gained access to Apple’s App Store; last month, it was busted as a fake. The real Camera+, created by developer Tap Tap Tap, sells for the same price, but it’s only at version 2.4.
Advice: Try to be discerning about the applications you install on your computing devices, even if they come from the Apple App Store. Malicious code has snuck in on occasion, too. Since disgruntled mobile users are usually quick to give negative feedback on apps, I’d recommend that you never download anything that has a one- or two-star rating.
Push Notification Ads
Thousands of Android apps shove marketing icons onto your phone’s start screen or push advertising into your notification bar, often without warning. By bundling their adware into popular Android programs, marketing companies may push ads to millions of new smartphones each week.
Most Android users hate the swarm of marketing on their touchscreens, though they may not have a clue why the ads are showing up on their phones. Unfortunately, getting rid of the adware after your phone is invaded can be difficult, since you probably won’t know which app snuck it onto your handset.
Advice: Sometimes you can opt out of receiving the ads, but the mechanism for doing so may not be there or may be hard to find. If you can figure out which marketing firm is pushing you ads, try visiting its website. Sometimes the company gives consumers a way to opt out of receiving ads from them.
I have a friend who says that there’s a special place in hell reserved for websites that launch music when you land on them.
While I wouldn’t go that far, commercial websites that automatically start playing music, noisy ads, or some type of sound when you visit them are annoying. Either you’re at work and it’s inappropriate, or you’re listening to music and don’t need a sound war to break out. Since I like to work in complete silence, I find these loud interruptions especially jarring.
Advice: To get around noise pollution while browsing, keep your volume muted. And while you’re at it, why not leave feedback at the site indicating how much its audible spam bothers you?
Not Going Away Anytime Soon
The problem of spam is not likely to disappear. But by being vigilant about where you stray online and about what information you give to others, you can at least avoid inadvertantly contributing to the ugliness yourself.
What spam bugs you the most? Let us know in the comments below.