Instagram is the Spammers' Latest Target

Facebook's billion dollar acquisition of Instagram attracted a lot of attention, and a few raised eyebrows, but it seems to be paying off. A recent study shows that mobile users spend more time with Instagram than they do with Twitter. Of course, as soon as a social network becomes popular, the spammers move in, so it is no surprise to see a set of tools for spamming Instagram turn up for sale in the digital underworld.

The tool spoofs being a genuine mobile user, so that it is not throttled by the limits in the Instagram API. It allows a spammer to manage thousands of dummy accounts, friending and following genuine users in the hope they will reciprocate. The spammer then looks for popular images, and uses the took kit to watermark them with the URL of the web site they are trying to drive traffic to, and post them to the dummy accounts.

A call to action URL which only appears in an image will get less response from the victims than one that is clickable, but on the other hand it is impossible to detect using text based filters. It's been part of the email spammers arsenal for a long time. Of course, Cloudmark uses a wide range of spam filtering techniques, and image spam does not present any particular difficulties for us.

Chatter on hacker forums suggests that Instagram users are not yet used to seeing spam: "Great Traffic Source. The audience is completely naive to marketing efforts." "And mostly love instagram people cause they fall for everything you say on your pics!!" Though one spammer complains, "Sent 873 visitors to my iPhone 5 for free landing page yesterday and only 11 submitted." Is the public finally getting wise to the free iPad/iPhone scam?

Another spammer is starting to worry about the legality of spamming social networks: "Btw is this stuff illegal, and could I get in trouble by doing this? Even though I'm using keywords like ;could' win an iphone 5. You have a 'chance', and stuff like that?"

While I'm not a lawyer, here's a brief guide to the legality of spam in the USA for the script kiddies and others who may be interested. Email spam is a criminal offense under the CAN-SPAM Act of 2003, and can result in fines and imprisonment, as well as the possibility of civil actions from ISPs. Individual spam victims, however, are prohibited from class action law suits against spammers. Text message spam is governed by the Telephone Consumer Protection Act of 1991. This does allow individual recipients of spam text messages to bring a class action law suit against the spammer, and courts have awarded $100 to $200 to each recipient.

Social network spam is a newer phenomenon, and does not yet have any specific legislation governing it, but it is a violation of the End User License Agreement of the social network, which can result in a civil law suit. Depending on the circumstances and techniques used, it may also be a violation of CAN-SPAM and/or the Computer Fraud and Abuse Act of 1986 which carry criminal as well as civil penalties. Of course, any false claim made over a computer network in order to obtain money, goods or services from someone is wire fraud, which has been a federal crime since 1872.

Facebook has a legal department which has been both aggressive and successful in bringing actions against spammers. They obtained the largest judgement ever under the CAN-SPAM act - $873 million dollars.

So, the simple answer to the script kiddie quoted above is: yes, you can get in trouble for doing this.