Evolution of the Password Exploring Emerging Authentication and Verification Techniques TELESIGN WHITE PAPER

Prevent Social Spam and FraudFrom Sabotaging Your BrandSpecial ReportDECEMBER 2012

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 2

...........................................................................................................................................Introduction 3

........................................................................Different Types and Sources of Social Spam 4

..................................................................................................................................What’s at Stake? 7

...............................................Existing Approaches to Defending Against Social Spam 8

...........................................................................................................................Summary of Tactics 11

.................................................................Shut the Front & Back Doors and Clean House 13

............................................................................................................ Shut the Front Door 14

............................................................................................................................ Clean House 15

........................................................................................................... Close the Back Door 16

.............................................................................................................................................Conclusion 18

......................................................................................................About TeleSign & Impermium 19

...........................................................................................................................................References 20

Table of Contents

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 3

Introduction

The rise of social media hasIled

to the proliferation ofIsocial

spam. Cybercriminals are

scamming users of social

networks, online directories, and

online dating sites, which

devalues the reputation of these

sites and exposes them to new

risks in the process. Social spam

has become so pervasive that, to

combat the issue, social

network administrators are

increasing security staff to

protect their users and preserve

their brand identification.

The rise of social media has led

to the proliferation of social

spam.QCybercriminals are

attackingQsocial networks, web

applications, and media sites,

causing untold harm to the sites and

users in the form of lost revenue,

maintenance costs, user attrition, and

brand reputation damage. In

response, network administrators

have devoted considerable resources

—with decidedly mixed results—to

regain control of their sites from

these attackers.

The number of cyber attacks on

social networks, online directories

and Web 2.0 sites has risen

dramatically in the last few years.

As users have flocked to social

networks, spammers have turned it

into the next battleground, enjoying

success because of lower security

hurdles and the relative ease of

impersonating friends. People trust

spam more when it comes from a

"friend," and thus end up following

links and being victimized more often

compared to email spam.

Many sites are often poorly equipped

to deal with the influx of social spam,

and without clear best practices,

may experience difficulty choosing

between mitigation options. This

special report explores the different

types of social spam, reviews the

current methods used to identify and

stop social spam, and proposes a

new paradigm for social networks to

predict and block malicious behavior.

Sites need to adopt a new, two-fold

approach to combatting social spam.

First, they need to ensure that only

legitimate users gain access to a

social network. Second, social

networks need to use automated

tools to flag and remove malicious

and offensive content in real time.

In sites across the web, this dual-

pronged approach has proven

effective at preventing criminals and

hackers from crippling brands and

damaging their relationship with

customers, advertisers, and partners.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 4

Understanding the types of social

spam is essential to designing

effective countermeasures. Let’s start

with a quick primer of the different

types of social spam being promoted

within the leading social network

sites today:

Account hijacking: Spammers often

disguise themselves by hijacking

normal users’ accounts for their

personal gain. Cyber miscreants steal

login information from existing social

media users via fraudulent phishing

websites or by installing keystroke-

logging malware. This is why social

media users need to be on the

lookout for suspicious messages from

friends that include dangerous links

or promote dubious offers. Different

from the spammers in traditional

systems, such as SMS

and email, social media spammers

behave like normal social network

users and continuously evolve their

spamming strategies to fool anti-

spam detection systems.

Registration fraud: Bots and

“mechanical turks” are registering

fake accounts by the millions.

Attackers can distribute malicious

content to all of the friends or

followers associated with an account.

Facebook, for example, recently

acknowledged [A] that a total of 8.7

percent (or 83 million) accounts on

the network are bogus.

Moreover, there are many sites that

openly promote their social media

attack services to spammers, from

selling fraudulent accounts in bulk

to delivering the software and

services to perpetrate these

attacks directly, including:

‣ TweetBuddy.com created software

to automate the creation of fake

accounts, mass distribution

of tweets, and sell Twitter

accounts to spammers,

according to court filings’ [B]

Sites like www.jetbots.com offer a variety of bots that social spam scammers can purchase in order to automatically create accounts, add friends, initiate spam chats, and much more.

‣ Automatic/manual CAPTCHA

recognition tools or use of

CAPTCHA farms, which employ

people to crack CAPTCHAs for just

pennies a piece (see section below

to learn more about the pitfalls of

CAPTCHA).

‣ Tools to automate the account

creation and verification process by

creating unlimited numbers of

Google Gmail or Microsoft Hotmail

accounts (such email accounts are

usually required in order to create

new social media accounts).

Services like CLAD Genius

automate processes such as ad

scheduling (auto-posting scam ads

within pre-defined time intervals).

Different Types and Sources of Social Spam

DEFINITION: Socialbot

A “socialbot” is a computer software

program that creates bogus accounts on a

particular social network and has the ability

to perform basic activities such as posting a

message and sending a friend request. If a

user accepts a socialbot’s friend request, the

bot gains access to the individual’s

information and contacts, which it will also

try to befriend, and so on.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 5

Not surprisingly, the rate for

purchasing a fraudulent social media

account has dropped significantly

over the last year. Sites like

BulkAccounts.com allow customers

to buy Twitter and Facebook

accounts in bulk. For example,

customers can purchase 1,000

Facebook accounts with complete

profiles and email logins (including

date of birth) for just $250.

Malware Spam: Social spam often

lurks in embedded links attached to

photos, making it less obvious for

users to spot. The problematic issue

with social spam is that the message

is personalized to appear as if it

comes from a user’s actual friend’s

account. QFacebook stated [C] that less

than 4 percent of all posts were spam

while Twitter reported that 1.5

percent of all Tweets were spam.

Comment spam: Spammers use the

sharing features on social sites to

spread their messages. Click on a

spammer’s link and it may ask you

to like or share a page or allow an

app to gain access to your profile.

Using bots, fraudsters flood social

media news sites with tens of

thousands of comments that, in

many cases, are posted by the same

spam networks that are paid to

promote online pharmacies and

knockoff designer handbags.

Like-jacking: There are two goals in

most social media scams: spread

content quickly and make money.

Like buttons help achieve prompt

and widespread propagation,

particularly as social media users get

wise to traditional scams. Like-

jacking is a common social-spam

tactic that involves duping users into

clicking on images that appear as if

those users’ friends clicked the like

buttons associated with the images

thereby recommending them.

In another ploy, users are offered an

enticing video. Hidden behind the

play button could be an invisible like

button. If clicked, the user might now

be taken to a page that requires

some level of personal information

before the video will play. Once

provided the user is redirected to

other pages to complete online

surveys or get pitched dubious

products.

A count of “Likes” is displayed on

profiles and pages, so that friends

think a video has been watched by

one of their friends and assume it is

interesting or safe for them to watch.

When they click play, the same

sequence of events happens to

them. The scammer, meanwhile, is

collecting a handsome commission

from its shady merchants for each

like referral generated.

Malware placement: Hackers

commonly sow social spam by

creating false profiles and then

friending people they don't know.

Once a hacker’s new friend clicks

on a questionable link, the spam

propagates as other friends in that

user’s network do the same. Some

social malware impersonates users

initiating chat sessions with friends.

Security experts warn that a growing

volume of sophisticated hacker

attacks take information gleaned

from social-networking profiles to

trick people with convincing targeted

messages.

Source: BulkAccounts.com (November 2012)

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 6

Third-party apps: Malware can also

be embedded in third-party apps

that when installed give hackers

control of users’ computers. There

are tens of thousands of applications

available to Facebook users and

while Facebook may make every

reasonable effort to provide

protection against malware,

some third-party applications

may not be safe.

Some have the potential to infect

computers with malicious code,

which is used to collect data from the

users’ sites. For example, there are

stalker-like offers, promising to let

users “see who viewed your profile”

or “view my top profile stalker.”

Unfortunately, sometimes installing a

bad app can also give it access to

your personal information, which

could be stored by the app creator

and possibly sold. Most of these

malware apps get shut down

eventually by Facebook, which tracks

apps that are flagged by users and

also monitors apps for patterns that

look like spam and malware.

Personal information theft: Social

media sites generate revenue with

targeted advertising based on

personal information. As such, they

encourage registered users to

provide as much information as

possible. While everyone knows

they should never share their

social security and driver’s license

numbers, many social networking

sites ask for, if not require, similar

sensitive information that if exploited

can and will be used in a variety of

malicious ways.

Due to limited government oversight

and lack of industry standards or

incentives to educate regarding

security, privacy, and identity

protection, users are left exposed to

identity theft and fraud. Additionally,

social media websites and platforms

store confidential user information,

which, if not properly secured and

encrypted, could be vulnerable to

any number of exploits.

With the increased global use of

social media, there are more

opportunities than ever before for

criminals to steal identities or

perpetrate fraud online. For example,

status updates posted on Twitter,

Facebook and many other social

media and online dating sites can be

used maliciously. If you post that

you’re out of town on vacation or

away on business, you could be

exposing yourself or your family to

burglary, assault, or robbery. When it

comes to stalking or stealing an

identity, use of photo- and video-

sharing sites like Flickr and YouTube

provide deeper insights into you,

your family and friends, your house,

favorite hobbies, and interests. Often

this information can be used to

answer common security questions

for password recovery.Source: The Wall Street Journal Online (Spam Finds New Target, January 4, 2012) [E]

Social spam can appear in many forms of user-generated content:Social spam can appear in many forms of user-generated content:

Fraudulent user signups

Blog posts

Chat messages

Reviews & listings

Discussion forum threads

Message board posts

Direct messages

Comments

URL & link submissions

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 7

Impermium estimates suggest that

spammers account for up to

40Qpercent of all social media

accounts and up to 8Qpercent of

social media messages sent;

approximately twice the volume

of six months ago. Spam affects

over 4 million users every day on

Facebook alone. [B] It’s not stopping

either; the volume of spam on

Facebook is growing faster than

their user base.

The volume of social spam and

resulting online fraud can completely

alter the perception of a brand or

individual, making a product or

person appear far more popular or

relevant than it/he/she actually is.

Fake accounts and artificial levels

of engagement are problematic

for all social networks with

consequences including:

Lost UsersLow-quality content and security

threats cause legitimate customers to

lose confidence and interest in a

social networks and related services.

It is thought that pervasive spam was

a major contributor to the mass user

exodus from MySpace.

Damaged ReputationIt is difficult to quantify the impact

that social spam exacts on social

networking sites and online

directories, but it is a definite

concern. A host site’s PageRank

and spam filtration can suffer

significantly by questionably

genuine social content.

Untrustworthy AnalyticsFraudulent activity makes it hard to

know how many users of a social site

are real. If the numbers can’t be

trusted, then the information is

worthless and social media sites

and online directories lose their

relevancy. By reducing the number of

fake accounts, a social website can

give the public both a more realistic

indication of the genuine number of

users as well as offer accurate

assessments of brand popularity for

individuals on the network.

Lost Ad RevenueEstimates suggest that customer

attrition costs social networking sites

$9.50 per lost-user in annual

advertising revenue. This has a

knock-on effect for potential

advertisers on the platform too. If a

significant number of the website’s

user base is made of fake accounts,

then the potential audience for an

advertising campaign would be far

smaller than it initially appears.

A corollary to lost advertising

revenues is loss of advertisers. In a

recent TechCrunch article[D] Limited

Run, a startup that offers a software

platform through which musicians

and labels can sell physical products

such as vinyl records, claimed that 80

percent of its Facebook ad clicks

came from bots, as opposed to real

people. Bots were loading pages and

driving up the advertising costs of

Limited Run. This type of negative

press can be disastrous for social

sites that rely on advertising revenue

streams, as it can create a butterfly

effect on other potential advertisers.

Call Center CostsAccount-users suspected of fraud

may spend an average of 15 minutes

on the phone with call center

representatives for identity

verification. The fully loaded cost of a

call center employee is estimated to

be at $30 per hour, meaning each call

would cost the social media website

$7.50. For a social network of 20

million users, the total fraud cost

related to call centers alone could go

up to $9 million a year.

Manual Review CostsSurprisingly, almost one-third of all

Facebook employees fight spam in

some fashion or another. That means

there are hard costs associated with

social spam as well. The larger social

sites are using more automated

algorithms and smaller sites are often

relying on manual processes, but

either way there’s a price tag

associated with addressing this

problem.

Polluted Search ResultsSocial spam pollutes the Internet

by adding noise. Everyone, save

the polluters, pays a price: Search

engines are less effective; users

waste time and attention on junk

sites; and honest publishers lose

income. As a result, social spam

spoils the rich spirit of sharing

that is a hallmark of social

media websites.

What’s at Stake?

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 8

Without tight, seamless controls, fake

accounts become prevalent. Social

media sites, dating sites, and online

directories need to practice and

evolve their spam-handling

approaches in order to reduce fraud,

preserve brand awareness, and keep

consumers safe. This means battling

cyber criminals and security threats

by investing in the necessary tools

that ensure that the benefits of the

time and cost commitment of their

efforts far exceed the revenues

criminals might otherwise generate.

Here are a few ways social media

sites and online directories are

combatting social spam and

preventing registration and creation

of fake accounts:

CAPTCHAMany social media sites and online

directories rely on Completely

Automated Public Turing Test To

Tell Computers and Humans Apart

(CAPTCHA) implementation for

preventing bogus accounts from

being created. CAPTCHA is a

program that can generate and grade

tests that humans can pass, but

many current computer programs

(i.e., bots) cannot.

CAPTCHAs can provide a simple

defense against most bots, but they

can still be cracked. Social spammers

can leverage OCR (optical character

recognition) technology to decipher

CAPTCHAs, even when they are

distorted. Some sites have fought

back by incorporating images into

CAPTCHAs, but this is only effective

against bot-driven CAPTCHA

crackers. While automated attackers

may be responsible for a majority of

the CAPTCHA-breaking attempts

that occur every day, they no longer

account for it in entirety.

In India and other countries across

the world, CAPTCHA-breaking

companies employ people whose

sole job is to crack CAPTCHA codes.

These CAPTCHA-crackers can earn

more per day than they can as

legitimate data-processing centers;

most earn between 1/10 and 1/8 of a

cent per CAPTCHA solved and, in

turn, charge spammers between

$1.30 and $2.00 for every 1,000

solved CAPTCHAs.

In order to stay ahead of the bots,

sites have made CAPTCHAs even

more distorted and difficult. This has

led to increased end-user frustration

as legitimate users—including but not

limited to the elderly, non-English-

speaking users, and those with visual

disabilities—often fail to decipher the

letters several times before properly

translating the CAPTCHA.

Ban the SpammersBanning members from the network

is another way to get rid of spam, but

there’s no easy answer as to

how it should be executed. Creating a

functional, fully automated algorithm

to catch and filter spammers is

difficult at best. Moreover,

experienced spammers will continue

to create new accounts using fresh IP

addresses and registration info.

Existing Approaches to Defend Against Social Spam

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 9

GhostingGhosting is something that several

social media sites do to reduce

spamming. Once a social network or

online directory decides a user is

spamming, it will allow that user to

keep up his/her spamming activities,

but will “ghost” all activities, making

them invisible to all other users on

the site.

With ghosting, a spammer may be

absolutely unaware of the fact that

he/she has been banned. He/she may

go around submitting and voting on

stuff, but what he/she doesn’t know

is that his votes and submissions are

invisible to everyone except himself/

herself. The intent of ghosting was

good: To crack down on flagrant

spammers. However, because it

employs deception, any mistakes or

bugs in the system can be extremely

difficult to diagnose and infuriating

for legitimate users.

Closed CommunityIn an effort to avoid spam some

emerging communities prefer to stick

to an application-based registration

process. It works like this: The user

submits an application to join, the

editor reviews the application and

decides whether to approve the user

or not. Manual review is surely one

way to guarantee genuine

membership. However, this inherently

anti-social approach is costly, and

may scare away many people from

even

trying to join.

Human ModerationMany companies begin with manual

processes for moderation that are

either performed by employees or by

outside firms. While people-based

approaches do have low start-up

costs and may initially present

greater flexibility for defining policies,

the slow pace, high cost, and

inconsistent quality limit the value of

such solutions.

Neighborhood Policing

Some social media sites rely on their

users to identify and report spam.

Many sites have a “report spam/

abuse” email address link. Pinterest,

for example, encourages users to

form a virtual neighborhood watch

and report spam using its "Report

Pin" button to tag spam. Spammers,

however, frequently change their

address from one disposable account

to another, rendering this tactic

impotent and ineffectual. And forcing

this burden on your most trusted

users can erode the long-term

engagement with your site.

Site Integrity SystemsDue to spammers’ negative effects

on users and brands, beyond

prosecuting them, social websites are

staffing up to address the issue.

Facebook claims it has 300

dedicated employees to oversee

security. Facebook and Twitter have

hired programmers and security

specialists to deflect the flotsam.

“Tens of millions of dollars are spent

on our site-integrity systems,

including hundreds of full-time

employees,” says Facebook

spokesman Frederic Wolens.[F]

BlacklistingFacebook has been expanding its

URL blacklist system, which uses

data from partners including Intel’s

McAfee, Google, and Websense to

detect and block known threats.

Facebook Immune System inspects

every action on the site, using the

reputation of the cookie or IP address

involved to halt any suspicious

action.

Facebook also employs a tool called

“link shim” to flag blacklisted URLs:

Every time a link on the site is

clicked, the link shim will check that

URL against its own internal list of

malicious links. If Facebook detects

that a URL is malicious, it will display

an interstitial page before the

browser actually requests the

suspicious page. Unfortunately, the

“link shim” solution and the

comprehensive blacklisting service

are proprietary to Facebook and not

available to other social media sites

and online directories. Another

weakness of the blacklist approach

is that it is reactive and only locks

known URLs. But, when spammers

regularly register hundreds of

different URLs for a single

campaign, existing blacklists

provide little defense.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 10

Automated ToolsSocial networks are also employing

automated services to crack down on

the problem. There are now tools that

search user/subscriber news feeds

for suspected social malware and

scams. When such a tool finds a

suspect post, it leaves a comment

indicating that the item is likely a

scam or malware.

Other solutions, like Impermium’s

Intelligent Content Protection (ICP),

remove offensive and unsolicited

content in real time. This allows an

organization to flag comments and

posts as soon as they are submitted

on their website. Content is analyzed

across hundreds of dimensions to

identify violence, racism, hate speech,

profanity, and other

forms of offensive content and

communication. From there, entries

can be blocked, allowed, or handled

in a custom workflow based on the

company’s site policy.

Impermium’s ICP provides protection

for many diverse types of user-

generated content, including

comments, reviews, captions, chat

messages, and message board posts.

The Impermium ICP system relies on

an artificial intelligence-based

language and content analysis

engine, its “user reputation” database

for detecting repeat offenders, and

its global threat network of more

than 300,000

web sites, portals, social networks,

and related properties around

the Internet.

Community Rating ServicesSocial media sites can also partner

with crowd-sourced rating

community websites like Web of

Trust (WOT) to help educate their

users. WOT widens the scope of Web

safety from purely technical security

to helping people find sites that they

can trust. Based on ratings from

millions of web users and trusted

technical sources, WOT calculates

the reputation for websites, using

traffic light-style icons displayed via

search results, social media

platforms, webmail, and many

popular sites. Green indicates a

trustworthy site; yellow tells users

that they should be cautious,

while red indicates a potentially

dangerous site.

Despite the rapidly growing problem

of social spam, there remain few

commercial products that provide

adequate protection. Left with few

alternatives, many sites try to

develop their own, only to find that

the cost of monitoring and clean up

quickly becomes a major expense.

Ignore this warning Return to previous page

The link you are trying to visit has been classified as potentially abusive by Facebook partners.To learn more about staying safe on the internet, visit our Facebookʼs Security Page. Please also read the Wikipedia articles on malware and phishing.

Website reported for spam, malware, phishing or other abuseThis warning is provided in collaboration with Web of Trust. Learn More

Sorry

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 11

Methodology Description Phase LIkes Dislikes

CAPTCHA A CAPTCHA is a program used to verify that a human, rather than a computer, is entering data. CAPTCHAs ask users to enter text from distorted images.

Account registration, posting comments

Provides basic layer to prevent basic bot attacks

Users’ struggle tointerpret characters

Easily cracked byCAPTCHA (human-based) farms, bots and auto-solving programs

Close the Community

The site limits users by having them complete an online application and the site approves or rejects membership based on a strict set of criteria.

Account registration

May work for small, more niche-oriented social media sites and online directories

Strict control over site membership

Requires manual review

May turn off legitimate users

High cost

Runs counter to the spirit of openness cultivated by most social media sites

Phone Verification Phone verification sends a one-time verification code to a user via an automated voice call or SMS (text) message. The user then enters this one-time verification code onto the website to verify that the number provided is valid and belongs to that user.

Risky account registrations and account changes

Leverages the phone as second factor for authentication

SMS or voice messages to verify account changes

Global coverage

No start-up costs

Ability to determine high-risk phone types (pre-disposed to fraud)

Inability to flag spam or fraudulent posts/comments

Doesn’t prevent access for real but possibly harmful users.

Ghosting If a user is identified as a spammer, sites will allow the user to keep up his/her spamming activities, but will “ghost” all of his/her activities such that they are invisible to everyone in the community except him/her.

Posting and commenting

Silent banning can make the posts of known spammers invisible

Challenge in determining what constitutes spam

Inadvertent banning of legitimate users (false positives)

Complicated business rules are difficult to troubleshoot

Human Moderation

Social sites hire moderators who manually review posts and comments. The moderation is either performed by employees or by outside firms.

Posting and commenting

Low startup costs

Flexibility in establishing policies

High number of false positives

Difficult to manage with higher volumes of traffic

Inconsistent quality across moderators and geographies

Summary of Tactics

continued on next page >>

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 12

Methodology Description Phase LIkes Dislikes

Neighborhood Policing

Sites rely on their users to identify and report spam by encouraging users to form a virtual neighborhood.

Posting and commenting

Keeps with the spirit of a social network being an online community

Ineffectual when fraudster can create new accounts with ease

Potential for false positives

Difficult to capture malware attacks (?)

Site Integrity Systems

These are homegrown systems developed by larger social media sites to identify and report spam. Facebook’s automated system, for example, removes Likes gained by malware, compromised accounts, deceived users, or purchased bulk Likes.

Posting and commenting

More comprehensive solution

Often proprietary solutions developed by the major players

Expensive

Labor-intensive

Blacklisting Blacklisting attempts to detect and block known threats using an aggregate list of known URLs involved in previous spam or malicious attack. A site inspects every action on the site, using the reputation of the cookie or IP address involved to halt any suspicious action.

Posting and commenting

Leverages multiple blacklists across industry leaders

Detects malicious links

Reputation-based approach

Proprietary black lists

High costs to create from scratch

Requires partnering with leading industry providers in order to develop a comprehensive and usable blacklist.

Reactive measure because blacklists only include existing and known URLS that are malicious (i.e. they don’t include new URLs created by fraudsters and spammers)

Automated Tools Automated tools remove offensive and unsolicited content in real-time. Content is analyzed and categorized and either blocked, allowed, or handled in a custom workflow based on the company’s custom site policy.

Posting and commenting

Higher accuracy

Comprehensive categorization algorithm

Fewer false positives

Rapid time-to-value

Non-proprietary

Minimal start-up costs

Costly to develop and maintain in-house.

Require sophisticated analysis of attacks in real-time.

May require calibration to site specifics.

Community Rating Service

Community rating services leverage crowd-sourced ratings from millions of web users and trusted technical sources, in order to calculate website reputation

Posting and commenting

Verifies reputation of embedded links in posts

Relies on worldwide community to rate websites

No ability to prevent fraudulent accounts from being created

No ability to prevent account compromise and hijacking

Inability to accurately capture and score fresh websites/URLs given the speed in which new sites are created by spammers and fraudsters

<< continued from previous page

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 13

Shut the Front & Back Doors and Clean House

Social networks, online directories, and online

dating sites need to adopt a layered approach

to spam prevention using multiple tools to ensure

that they and their legitimate users are protected.

TeleSign’s recommendation is to take a

holistic, three-prong approach:

1Shut the front doorShut the front door by phone-verifying risky new accounts.

2Clean houseClean house with automated spam cleansing.

3Close the back doorClose the back door by validating key account changes. (e.g., password resets)

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 14

A key ingredient of this plan is

validating your user base; something

TeleSign calls “shutting the front

door.” Shutting the front door

means preventing spammers and

fraudsters from getting into the

network by flagging them during

the registration process.

Social media sites often employ user-

unfriendly solutions like CAPTCHA or

rely on email verification in isolation,

which can easily be sidestepped by

bots and other technologies or

techniques that create bogus

accounts.

Instead, online sites can now take

advantage of new automated

solutions that make real-time risk

assessments about whether to

accept, flag, or reject an online

registration. Solutions like

Impermium’s Intelligent Content

Protection are particularly well suited

for account validation since they

analyze a number of data points to

determine the likeliness that a given

registration is fraudulent.

These data points can be aggregated

into a spam likeliness score that

recommends a specific action

including allowing, blocking, or

flagging an online registration. Most

registrations are allowed, but any

suspicious signups can be challenged

with phone verification. This helps

ensure that the site strikes the right

balance between security and user

experience. Many social media sites

and online directories do not want to

introduce unnecessary friction to the

signup process (i.e., add extra hurdles

that legitimate customers have to

jump through in order to complete

their online registrations).

For example, a social network or

online directory can create certain

velocity triggers on accounts

created such as:

‣ Number of accounts created by the

same IP address during a certain

period of time.

‣ Low-volume passwords that have

been used five+ times over the past

48 hours for account registration.

‣ Location of IP address on any login

(especially first three logins) is

more than 150 miles away from the

location of the IP address used to

create the account.

‣ Irregular activity such as a flurry of

friend requests/comments shortly

after account creation (i.e., track

the deviation of the network’s

average behavior versus outlier

behavior that is out of the norm).

Phone VerificationIf a specific registration is deemed to

be risky, social media sites and online

directories can utilize phone-based

verification to authenticate legitimate

users and repel fraudulent ones.

Here’s how it works:

1. User is prompted to provide

a phone number at account

registration

2. Site sends a one-time verification

code to that phone

3. User enters that verification

code onto the website to

activate the account

So what does phone

verification accomplish? Phone verification accomplishes two

things: 1) it verifies that the phone

number provided is valid, and 2) it

verifies that the user is in possession

of that phone. This adds friction to

the registration process, but given

the ubiquity of phones they’ve

become an extension of our own

identities. Phone verification is a

practical and simple way to verify

your user’s online identity.

1Shut the front doorShut the front door by phone-verifying risky new accounts.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 15

Phone verification can also be used in

the future when a user logs in from a

different IP address or a different

device. This can trigger an

authentication event to the verified

phone number on record and

prevents fraudsters that successfully

have phished credentials from taking

over a user’s account.

Companies like Google have

employed phone-based verification

to add an extra layer of security. In

addition to username and password,

users with two-step verification get

prompted to enter a code that

Google sends via text or voice

message when they attempt to

negotiate a login from a different IP

address from that on record.

This two-step verification drastically

reduces the chances of having the

personal information in a user’s

online account stolen by someone

else. Why? Because hackers would

have to execute on two fronts: 1) they

would have to steal a user’s

username/password and 2) they

would have to steal the user’s phone.

Importance of Phone TypeAdding phone verification to the

process is a crucial first step, but

some sites are going further still.

An increasing number of social media

sites and directories now require new

registrants to use low-risk phone

types such as mobile or landlines for

phone verification. Many social sites

also block higher-risk phone types

such as prepaid mobile phones and

VoIP phones which are correlated to

higher levels of fraud and spam.

Companies like TeleSign can

determine the phone type and

other important phone

characteristics such as whether

the phone is active, roaming status,

and the name registered to the

phone. These details provide

additional business intelligence

and powerful fraud signals.

Phones that can be purchased

anonymously or that do not require

the end user to be contracted with a

mobile phone company are often a

higher risk for fraud and spam. VoIP

phone numbers are Internet-based

telephone numbers that can

easily be obtained by users in other

countries. They are untraceable

and disposable; some can even

be obtained for free. This means

that a fraudster in a foreign country

could easily obtain a U.S.-based

telephone number (using a

non-fixed VoIP service) to receive the

verification call.

TeleSign’s PhoneID solutions provide

merchants access to real-time

business intelligence to predict and

prevent online fraud. PhoneID

identifies user phone type, provides

merchants with accurate data to

assess high-risk transactions, and can

simply determine if a phone can

receive an SMS. PhoneID enables

social media sites and online

directories to quickly identify high-

risk registrations and at the same

time, reduces undeliverable messages

through identification of

SMS-enabled devices before

sending verification SMS messages.

Phone Type Risk LevelRisk Level Rationale

Fixed Line (landline)

Low Risk Traced back to specific address.

Cannot be obtained by a user in another country.

Mobile Low Risk Users must sign contracts with carriers.

Numbers are traceable.

Prepaid Mobile

Medium Risk

Users are not contracted.

Low cost phones.

Non-Fixed VoIP

High Risk Easily obtained in other countries.

Untraceable.

Disposable.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 16

While many believe human

moderation to be the gold standard

of social spam defense, the combined

pressures of speed, monotony, and

cost controls often lead to significant

drops in performance.

New online cleansing tools actively

monitor all user-generated content

from blog posts, comments, message

board posts, chat messages, reviews

and listings. Unlike human

moderation teams, automated tools

work proactively and in real time,

removing offensive content before

users even see it.

A recent performance test compared

Impermium’s automated solution

against a top human moderation

service firm that specializes in

removing bad social content for

websites of major consumer brands.

Both services were given 10,000

social comments and tasked with

identifying social spam. Here are

the results:

Impermium can also flag potential

spammers and work with two-factor

authentication providers, like

TeleSign, to enforce phone-based

verification before posts are

validated. Another benefit of using a

leading automated spam cleansing

solution is that these vendors can

spot spam trends across different

social networks and incorporate that

intelligence into their scoring

algorithms. Collectively, these

tools and intelligent scoring can

dramatically reduce the amount

of social spam and improve the

user experience.

2Clean houseClean house with automated spam cleansing.

Metric Imperium Human Moderation

Time to Process 19 seconds 2-3 days

Accuracy 99.5% 95%

False Positives 4 79

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 17

Once a user’s phone number is on

record, a social media site or online

directory can use that same number

to verify any key account changes or

reset the user’s password. These are

often backdoors that fraudsters can

crack open to hijack an account.

Verifying users for these high-risk

changes makes it much more difficult

for a hacker to break into someone’s

account. In fact, some websites

regularly verify their end users (e.g.

after every 30 days).

With valid user phone numbers on

record, social media sites and online

directories can take a more

frictionless approach to verifying

users by conducting a series of

analytics in the background based on

their online activities. A user’s phone

number and the activities associated

with that phone number provide

important insights. Phone numbers

tied to fraudulent activity can be

blocked early on instead of letting

the fraudster stay on the website. By

analyzing user data more closely,

online properties have the

opportunity to stop and block fraud

faster and more efficiently.

Social media sites and online

directories no longer have to

maintain their own dedicated

engineering teams to keep their sites

safe from spam and abuse.

Combining phone-based verification

with automated spam cleansing frees

webmasters to focus on the things

that matter most to their users and

customers.

3Close the back door.Close the back door by validating key account changes. (e.g., password resets)

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 18

It’s clear that yesterday’s email

spammers are today’s social

spammers. Social media exploitation

techniques are evolving fast.

Spammers on the social web exploit

nearly every large consumer brand or

significant news event. This should

come as no surprise. The payoffs are

better, detection is more difficult, and

the social networks are only just

starting to develop strategies to

tackle the issue.

Social networks, online directories,

and online dating sites have

struggled to keep up with spammers

who have adapted defensive

techniques to avoid detection and at

the same time have created new

vectors to exploit. Bulk accounts for

popular social networks can now be

purchased on the black market for

pennies. Automated tools are freely

available to create posts, add bogus

comments, inject malware within

links, and generate friend requests.

Social spam is starting to take a

significant toll. Sites that fail to

address social spam face business

risks that include lost customers,

reduced advertising revenues,

increased customer support costs,

distorted analytics, and the inability

to accurately evaluate their user

bases and determine the real costs of

new customer acquisition. However,

most importantly, social spam can

eviscerate the brand

and reputation of the site for

which the host site is trying to

build an audience.

In response, these sites have resorted

to a variety of measures including

human moderation, ghosting,

neighborhood policing, and

blacklisting to thwart fraud. But these

methods have inherent shortcomings

that neither adequately prevent

bogus account creation nor

accurately flag potential fraudulent

posts and comments.

It’s time to take a more holistic

approach with new tools that are

now available to give these social

networks and online directories an

upper hand in combatting fraud. It

starts with shutting the front door

and preventing bogus accounts from

being created. This means adding

some friction to the registration

process by asking the right

questions, leveraging data, and

phone-verifying high-risk registrants.

This is a delicate balance between

maintaining privacy without exposing

these sites to the rampant

proliferation of fake, bulk accounts.

It also means going beyond human

moderation to a more automated

approach that scans all posts and

comments in real time minimizing

the number of false positives while

preserving a sense of openness

within the community and ease of

use.

It’s inevitable that spammers will

continue to evolve their tactics to

circumvent new approaches and

technologies, so too must the social

networks. Remember, it was only

after the advent of antivirus and anti-

spam software, in conjunction with

widespread user education, that

email spam started its decline.

To reverse the trend of social spam,

social networks, online directories,

and online dating sites (and their

users) need to raise their collective

games by adopting the right

technologies, injecting the right

processes, and raising the awareness

levels of consumers to a healthy dose

of skepticism before they

click on any links – even those that

appear to come from your user’s best

friends.

Conclusion

It’s time to take a more holistic approach with new tools.

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 19

Every second of every day, TeleSign protects

the world's largest Internet and cloud properties

against fraud.

TeleSign Intelligent Authentication provides an

easy-to-implement and powerful method for

identifying and substantially reducing online

fraud and spam using the most widely deployed

technology — a user's phone.

The company protects 2.5 billion downstream

accounts in more than 200 countries and

territories, offering localization services in

87 languages.

In 2012, TeleSign ranked #23 on the Deloitte

Technology Fast 500™ and was named Visionary

in Gartner’s User Authentication Magic Quadrant.

TeleSign Corporation4136 Del Rey AveMarina del Rey, CA 90292US +1 310 740 9700UK +44 (0) 330 808 0081

telesign.com@telesign

GetStarted@TeleSign.com

Impermium provides user-generated content

management for websites and social networks,

defending them against social spam, fake

registrations, racist and inappropriate language,

and other forms of abuse.

Our system combines advanced technology

and broad, Internet-scale threat information

to provide cost-effective, real-time protection

for more than 300,000 sites across the globe.

Founded in 2010, Impermium is backed by

Accel Partners, Charles River Ventures, Greylock

Partners, Highland Capital Partners, and the

Social+Capital Partnership.

Impermium Corporation900 Veterans BoulevardRedwood City, CA 94063888-496-8008

impermium.com@impermium

info@impermium.com

SPECIAL REPORT: PREVENT SOCIAL SPAM AND FRAUD FROM SABOTAGING YOUR BRAND IMPERMIUM.COM TELESIGN.COM 20

A. Protalinski , E. CNET. Facebook: 8.7 percent are fake users. Retrieved August 1, 2012, from

http://news.cnet.com/8301-1023_3-57484991-93/facebook-8.7-percent-are-fake-users/.

B. Tarantola, A. GizModo. Twitter Declares War on Spambots, Takes Tool Developers to Court. Retrieved April 6, 2012, from http://gizmodo.com/tweetbuddy/.

C. Finn, G. MarketingLand. The Rise Of Social Spam: 1.5% Of Tweets & < 4% Of Facebook Posts Are Spam.

Retrieved January 4, 2012, from http://marketingland.com/the-rise-of-social-spam-1-5-of-tweets-4-of-

facebook-posts-are-spam-2571.

D. Taylor, C. TechCrunch. Startup Claims 80% Of Its Facebook Ad Clicks Are Coming From5Bots. Retrieved July 30, 2012, from http://techcrunch.com/2012/07/30/startup-claims-80-of-its-facebook-ad-

clicks-are-coming-from-bots/.

E. Fowler, G., Raice, S., and Efrati, A. Wall Street Journal Online. Spam Finds New Target. Retrieved January 4, 2012, from http://online.wsj.com/article/

SB10001424052970203686204577112942734977800.html.

F. Kharif, O. Bloomberg BusinessWeek. ‘Likejacking': Spammers Hit Social Media. Retrieved May 24, 2012

from http://www.businessweek.com/articles/2012-05-24/likejacking-spammers-hit-social-media.

References