An email I received this week offering tools for spamming Pinterest.com (yes, I am on those sorts of mailing lists) brought up once again the topic of spam on social networks. As soon as any social networking site starts to become popular, people start wondering how they can monetize that traffic – and some of them do not feel constrained by law or ethics. In order to maintain user confidence a social network must aggressively use both technical and legal methods to suppress spam. If spammers are not controlled, legitimate users are driven off, and the network never recovers.
Usenet News is a good example. With fully distributed storage and management, there was no single point to control spam, and for a while most newsgroups became unusable. Now Usenet content can be accessed spam free through the Google Groups interface, but it is too late, and users have moved to other discussion forums. The eDonkey file sharing network is another example of a distributed network which has been completely taken over by spam files with interesting sounding titles but containing malware or porn. (Of course, the MPAA and RIAA probably consider this no great loss.) It's also pretty much impossible these days to run an unmoderated WordPress blog without being spammed with back links.
Even with a central point of control, it is not enough to rely on the legal department to prevent violations of the terms of service. Any web site that allows users to post content is subject to abuse, and the richer the content that can be posted, the more possibility for abuse there is. Allowing links to be posted encourages back link spam for SEO purposes, as well as links to inappropriate sites. Sites which allow the posting of images hosted elsewhere can be used for click fraud, if the server hosting the image redirects to an affiliate link rather than serving up a JPEG. Allowing the posting of flash animations opens the door to a variety of attacks including click fraud, phishing and malware as well as plain old links or redirects to porn and pharma sites. If you let your users post arbitrary Javascript then pretty much any HTML-based attack is possible. Recently we have seen Javascript on Tumblr pages used to turn them into redirectors to disguise the call-to-action URLs used in email spam.
All of these attacks can be defeated. For example, eBay allows the posting of third party images, HTML, and flash animations in eBay listings, but devotes substantial technical resources to scanning and monitoring all postings, so that click fraud, malware and phishing attacks are not a significant problem for eBay shoppers. Repeated scanning is important, as a flash animation hosted elsewhere can be modified days or weeks after a listing has been posted. However, the listing can still be deleted when that happens. The ability to retrospectively delete earlier posts once they have been identified as an attack is an advantage that social networks have over most messaging spam prevention, where once a message has been delivered it cannot be recalled.
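The repeated re-scan of externally hosted images described above, as an added example that is not the author's or eBay's code: each image URL referenced from a post is fetched again without following redirects, and the result is classified from the bytes served rather than the Content-Type header, so a post whose image has since turned into a redirect (the affiliate click-fraud pattern) can be flagged for removal. The URLs, post ids and responses are constructed for the example; the fetch function is injected so a real HTTP client can replace the stub.

```python
from dataclasses import dataclass

# Magic bytes for the image formats a site would normally accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

@dataclass
class FetchResult:
    status: int
    headers: dict   # lower-cased header names -> values
    body: bytes

def sniff_image_type(body: bytes):
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def classify(result: FetchResult) -> str:
    """Return one of: 'image', 'redirect', 'not-image', 'error'."""
    if 300 <= result.status < 400 and "location" in result.headers:
        return "redirect"          # image URL now bounces somewhere else
    if result.status != 200:
        return "error"
    sniffed = sniff_image_type(result.body)
    declared = result.headers.get("content-type", "").split(";")[0].strip().lower()
    # Trust the bytes, not the header: a redirector can lie in Content-Type.
    if sniffed is None or (declared and declared != sniffed):
        return "not-image"
    return "image"

def rescan(posts, fetch):
    """posts: iterable of (post_id, image_url); fetch: url -> FetchResult.
    Returns the ids of posts whose image no longer resolves to an image."""
    return [pid for pid, url in posts if classify(fetch(url)) != "image"]

# Constructed responses standing in for real fetches (no network needed).
CONSTRUCTED = {
    "https://img.example.test/ok.jpg": FetchResult(200, {"content-type": "image/jpeg"}, b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "https://img.example.test/bait.jpg": FetchResult(302, {"location": "https://affiliate.example.test/?id=1"}, b""),
    "https://img.example.test/fake.png": FetchResult(200, {"content-type": "image/png"}, b"<html>redirect</html>"),
}

def demo():
    posts = [("p1", "https://img.example.test/ok.jpg"),
             ("p2", "https://img.example.test/bait.jpg"),
             ("p3", "https://img.example.test/fake.png")]
    return rescan(posts, lambda u: CONSTRUCTED.get(u, FetchResult(404, {}, b"")))
```

A real fetch function must be configured not to follow redirects, otherwise the 3xx hop is hidden and the bait URL looks like a valid image.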
Tools for spamming Twitter have been around for a while now, and there is also a large and liquid market for fake Twitter followers. Though Twitter has been effective in reducing spam from high levels in mid-2009, they are still vulnerable to mutating attacks. Until they put some throttle in place on account creation this is likely to continue. Of course, it is hard to tell a loss-making pre-IPO company that they need to throttle back on growth, as growth is the most compelling story that they have for their investors.
Pinterest is the newcomer on the social networking scene, but is growing rapidly. They are now one of the top thirty sites in the US, and have a demographic that is very attractive to marketers, including black hat marketers. Hence the email I received, offering a complete suite of tools for setting up a farm of Pinterest accounts, and using them to spam.
The techniques include tracking popular subjects and adding posts on those subjects that carry your links, trapping a user so that they cannot follow your link until they have repinned it, using URL shorteners to hide links, and automatically submitting links from the amazon.com affiliate program. The author claims, “In January I thought to give them a try by making up a couple of bots, after the success rates that I was seeing I decided to create a whole package of bots which I have been using non-stop since the day with just a couple of account bans which were caused by excessive spamming & also they even lasted a few days before being shut down!” It's quite possible that the long term growth and survival of Pinterest will depend on how effectively they can respond to the script kiddies who are currently testing their defenses, and to the tier-one operators who will follow once the profitability of spamming there has been demonstrated. Will they be another Usenet News or the next big thing?