Fake Facebook accounts attract more friends than real ones
One of the most common criticisms of social media - among those who don't actually use Facebook or Twitter - is to doubt whether virtual friendships are real. I've been actively involved in online communities for 10 years, as both participant and builder, and I know that online relationships can be just as tangible as those involving physical contact.
But here's where things start to get fuzzy, because Facebook informs me that I have 287 friends, while on Twitter that balloons to 2241, if you count followers as friends. I don't, because people may follow my posts on Twitter without any prompting from me, and without my having to confirm that I know them in any way at all. But what about Facebook? I have confirmed online friendships with almost 300 people, all of whom I've either met in person or else know through online activities of one kind or another.
So why have I bothered to bring this up now? Well, because the bad guys are increasingly exploiting the implied trust that a Facebook friendship confers to perpetrate scams, phishing attempts and social-engineering traps, and to distribute malicious links and software. The importance of Facebook security is increasingly moving beyond the domestic and into the commercial arena, as more and more businesses adopt workplace social media strategies. PeoplePerHour.com's 2012 small-business survey polled 1300 small businesses and found that 91% were using social networks for business, up from only 60% the previous year.
Quite often fake friendship works in exactly the opposite way to what you'd expect. The Facebook account of someone who's already your friend might get compromised, with bad guys using that account to recommend malicious links or worm information out of you, but that isn't how all of them operate. A recent survey conducted by Barracuda Networks uncovered a more insidious way to exploit Facebook: the fake friendship scam. The survey examined 2844 Facebook accounts, and discovered that fake ones, established solely for the purpose of ripping you off, have on average six times as many "friends" connected to them as real accounts do! This random sampling of active accounts provided an insight into the way many people choose their virtual friends, and it's rather alarming.
For example, only 40% of real account profiles identified themselves as being female, but that rises to 97% for fake accounts. To appeal to the widest range of potential victims, 58% of the fake profiles declared their sexual interest to be in both men and women, compared to only 6% of real accounts that declared themselves bisexual. Presenting yourself as more highly educated is another scammer's strategy, with 68% of the fakes claiming to have attended college or university, whereas only 40% of real people did the same.
Certainly they work on the principle that an assumption of mutual friendships will lead to sufficient trust or curiosity to accept friendship requests from a complete stranger. That would explain why the fake account holders are more likely to use photo tags than real people: an average real account uses one such tag for every four photos, whereas fake users will tag 136 times for the same four photos. Just because someone is tagged as "user A" in a group photo featuring a colleague, friend or family member doesn't mean they are who they say they are, nor that they're actually known to your acquaintance. But these tactics work because the numbers can't lie - real profiles had an average of 130 friends per account, while the fake ones averaged 726 each.
But why worry about it? Well, it's that trust thing again. Some of these short-lived fake Facebook accounts will immediately start distributing malicious links to anyone who connects with them, but the really clever money is on a more stealthy and long-term scam that creates "fake friendship syndrome" victims. Although the evidence suggests that 43% of these scammers never update their status, compared to only 6% of real users, that doesn't mean the accounts and their friendships aren't being put to use. Most likely the scammers are quietly collecting valuable personal information divulged by their linked friends, information that could be exploited later on as part of a phishing attempt, ID theft or account hijack. Those Facebook users who are most aware of privacy issues, and who restrict visibility of their postings to friends only, are precisely the users most likely to give away valuable personal information under such circumstances, because they'll wrongly believe their data is only being shared among a limited circle of real friends.
By the very nature of social networks, it's almost impossible to guarantee people won't receive rogue friendship requests that purport to come from friends of friends. However, there are tools that can help you determine whether such requests are genuine - the Barracuda authors offer one such tool that I've recommended before, Profile Protector (http://profileprotector.com), which employs a feature-based heuristic engine to try to distinguish fakes from friends. It applies a bunch of machine-learning techniques to analyze shared URLs and profile contents, as well as connections within social networks, to reveal weak and strong associations between accounts. No such tool could ever be 100% idiot-proof, but it beats leaving things to chance.
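As an added illustration of what a feature-based heuristic looks like (this is not Profile Protector's code, nor the method the Barracuda survey used), the block below turns the four profile rates quoted above into a naive-Bayes score. The survey did not report what share of sampled accounts were fake, so the prior is an assumed value, and the last function shows why such a score can never be idiot-proof: a genuine profile that happens to match every fake-like trait scores as fake.

```python
import math

# Rates quoted in the column: share of fake vs. real accounts showing each trait.
# Friend counts and tag counts are averages, not rates, so they are not used here.
SURVEY = {                    # trait: (P(trait | fake), P(trait | real))
    "female":      (0.97, 0.40),
    "bisexual":    (0.58, 0.06),
    "college":     (0.68, 0.40),
    "never_posts": (0.43, 0.06),
}

def log_likelihood_ratio(profile):
    """Sum of log(P(t|fake)/P(t|real)) over the traits, naive-Bayes style.
    A trait the profile lacks contributes the complementary ratio, so
    'none of the fake-like traits' counts as evidence for a real account."""
    total = 0.0
    for trait, (p_fake, p_real) in SURVEY.items():
        if profile.get(trait, False):
            total += math.log(p_fake / p_real)
        else:
            total += math.log((1 - p_fake) / (1 - p_real))
    return total

def fake_probability(profile, prior_fake=0.10):
    """Posterior P(fake | traits). prior_fake is an ASSUMED base rate: the
    survey does not state how many of its 2844 accounts were fake."""
    prior_odds = prior_fake / (1 - prior_fake)
    post_odds = prior_odds * math.exp(log_likelihood_ratio(profile))
    return post_odds / (1 + post_odds)

def classify(profile, threshold=0.5):
    """Decision rule: flag the account when the posterior passes the threshold."""
    return "suspect" if fake_probability(profile) >= threshold else "looks real"

# Constructed profiles: a scammer-style one and a plain one.
SCAMMER_LIKE = {"female": True, "bisexual": True, "college": True, "never_posts": True}
PLAIN = {"female": False, "bisexual": False, "college": False, "never_posts": False}
```

The same SCAMMER_LIKE profile flags regardless of whether its owner is genuine, which is the false-positive cost every heuristic of this kind carries.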
Dealing With Spam Surrogates
Two readers were in touch recently with the same query about the annoying problem of surrogate spam. George J told me that his email address was being "used by person or persons unknown as the return address for spam", while Mike M asked for advice after he "suddenly started receiving hundreds of failure notices a day from Mailer-Daemon@yahoo.com, which seem to refer to emails with porn or other attachments purportedly sent from one of my email addresses".
That, in a nutshell, is what I mean by surrogate spam - a spammer spoofs your email address by putting a random address into the "From:" field of each email sent. I say random, but your address could just as easily have been lifted from a forum or blog post, generated by automated spamming software, or plucked out of a hat and made up on the spot. However it happens, being on the receiving end is no fun, as I can tell you from personal experience. The end result is always the same, as George and Mike have discovered - hundreds of failure or bounce messages in your inbox every single day, with the odd rant or offensive message too.
Spammers continue either to buy lists of genuine email addresses, or else to employ automated software that creates likely email addresses from core name lists and sends them to popular mail service domains. In either case, a percentage of the addresses being mailed will not exist: spam mail lists get old very quickly, while automatically generated ones are hit and miss as to whether they ever existed. When a message arrives at a mail server addressed to an account that doesn't exist, then depending on how that server is configured, a failure message will be sent back to the spoofed "From:" address, and it's these bounce messages that George and Mike had been experiencing, threatening to flood their inboxes and make their email very difficult to use.
George contacted his ISP, which confirmed that his account hadn't been hacked. The ISP also suggested he scan his system for malware. I'd say that George did the right thing by contacting his ISP, as even if it was unable to stop the flood, it's good to keep the ISP in the loop if you suspect foul play. Once informed, it's aware that the increase in mail traffic isn't your fault and can field any complaints that arrive as a result.
This is an important point, because, although sadly the only practical advice is to wait for the flood to stop, in the meantime you and your business could be suffering time lost dealing with the situation and damage to your reputation. Contacting your ISP will help mitigate the abuse allegations, and setting up filtering to redirect bounce messages away from your inbox should reduce the time penalty, too. Your ISP or mail provider will almost certainly be able to advise you, either by setting up such a filter for you or giving you instructions on how to do it for yourself in whatever mail client you use.
That only leaves reputation to deal with, which can be much harder to repair. For an individual it isn't really a big thing, but for a business it could be very damaging. So how can you reduce the damage? This is a bit of a piece-of-string-length question to which I can't give you a one-size-fits-all answer, but there are several steps you can take.
In fact, you should have already taken one, which is to filter out machine-generated bounce messages. This is important, as the filter thereby exposes the residue of human-generated complaints, and you should reply to these using a templated response. Refer to your mail client or provider on how to set one up. It should apologize for any inconvenience, and explain that you're also a victim and are being inconvenienced by the actions of an unknown third party. This may feel over the top, but if you're a business, think in terms of how you'd respond to a normal customer service complaint and it starts to make more sense (I'm not suggesting that you respond to your customers using an automated template).
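The bounce filter recommended above, as an added example that is not part of the column: it recognises machine-generated bounces by the standard markers such messages carry (a null Return-Path, a delivery-status report, an Auto-Submitted header, or a mailer-daemon/postmaster sender) so they can be routed out of the inbox, while human complaints are left behind for the templated reply. The three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr
# Constructed samples (not from the column): a DSN bounce, a plain bounce, a human complaint.
BOUNCE_DSN = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

nobody@example.com: User unknown
--b1--
"""
BOUNCE_PLAIN = """\
From: postmaster@example.com
Subject: failure notice
Auto-Submitted: auto-replied
"""
COMPLAINT = """\
From: Bob <bob@example.com>
Subject: Stop sending me this rubbish!

Why are you sending me these attachments?
"""

def classify_bounce(raw):
    """Return (is_bounce, reason) using standard bounce markers, checked in order."""
    msg = email.message_from_string(raw)
    if msg.get("Return-Path", "").strip() == "<>":      # RFC 5321: DSNs use the null reverse-path
        return True, "null return-path"
    if (msg.get_content_type() == "multipart/report"     # RFC 3464 delivery-status report
            and msg.get_param("report-type") == "delivery-status"):
        return True, "delivery-status report"
    if msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no":  # RFC 3834
        return True, "auto-submitted"
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local in ("mailer-daemon", "postmaster"):       # sent by a mail daemon, not a person
        return True, "daemon sender"
    return False, ""

def triage(raw_messages):
    """Partition into (bounces, human): bounces leave the inbox, humans get the apology."""
    out = {True: [], False: []}
    for raw in raw_messages:
        hit, reason = classify_bounce(raw)
        out[hit].append((email.message_from_string(raw).get("Subject", ""), reason))
    return out[True], out[False]
```

Wire classify_bounce into whatever hook your mail setup offers (a procmail or Sieve rule, or a script run by your client) and deliver the True results to a separate folder rather than deleting them, so a genuine bounce to something you actually sent is still findable.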
Another option you have as a business owner is, depending upon the importance to your business of the address being spoofed, to change the targeted address for a new one. Over the years, this has never become necessary for any of my clients who have suffered from spam surrogacy, and the combination of bounce filtering and polite apologies has always been enough to stem the tide until the flood turns to a trickle and then dries up completely. George tells me that his problem peaked with 365 bounce messages during one 12-hour period, most likely when the spam list was initially distributed using a botnet-for-rent service. After a week or two it stopped, which is typical for such collateral spam damage.