Spam can be defined as irrelevant or unsolicited messages sent over the Internet. These are usually sent to a large number of users for a variety of use cases such as advertising, phishing, spreading malware, etc.
In the past, spam used to favor email as it was the primary communication tool. Email addresses were relatively easy to harvest via chat rooms, websites, customer lists and that impact a user’s address book. Eventually, email filters became more sophisticated, and more effectively decreased spam from clogging the inbox.
Since then, spammers have moved onto a new target: social applications.
Fake accounts are key to social spamming: To gain credibility, these fake accounts will try to become ‘friends’ or follow verified accounts, e.g., celebrities and public figures with the hope that these accounts befriend or follow them back. When genuine accounts befriend or follow back fake accounts, it legitimizes the account and enables it to carry out spam activities.
Another way for spammers to attack is to hack into and take over a user’s account, spreading fake messages to the user’s authentic followers.
Armed with fake accounts on social networks or applications, spammers can then carry out the following activities:
Messages with the same or similar text can be sent out to a group of people in a short period of time. Several spam accounts can also simultaneously post duplicate messages.
Use of bulk messaging can artificially cause a certain topic to trend if enough people visit them. In 2009, a spam website offering a job with Google tricked users to believe the site was genuine.
Similarly, bulk messaging can be used for spreading malware or advertising to direct users to a site.
Spreading malicious links
Malicious links are links created with the intent to harm, mislead or damage a user or their device. When the link is clicked, activities triggered can range from downloading malware to stealing personal information.
These links can easily be spread through user-submitted comments and posts, e.g., YouTube videos. With a fake account on social media, links can also be spread via posts or messages from the account.
Fake reviews are reviews from users that never actually used the product. Various products or services usually pay several users for positive reviews to boost their product or service offering.
With fake accounts, reviews can easily be posted from a fake persona, and these can be done in bulk.
Sharing undesired or excessive content
Fake accounts can also contact and share unwarranted content such as insults, threats and unwanted advertising to genuine users. Bots can be set up to automatically follow new users or automatically message users who post content.
Clickbaiting and likejacking
Clickbaiting is the act of posting sensationalist headlines to encourage the user to click through to the content with the aim of generating online advertising revenue. When the user clicks through to the page, the content usually doesn’t exist or is radically different from what the headline made it out to be.
Likejacking is the act of tricking users to post a Facebook status update for a certain site without the user’s prior knowledge or intent. The user may be thinking that they are just visiting a page but the click can trigger a script in the background to share the link on Facebook.
This will then create a vicious cycle as other friends of the genuine user will click on the link and share it to more people on their network.
These activities negatively impact the user experience as they can either waste the user’s time and attention as well as potentially compromise the user’s security or steal their data. The presence of fake accounts and spam are therefore a problem for social networks, over-the-top (OTT) messaging and other mobile or gaming applications because a negative user experience can lead to user attrition, impact monetization potential and valuation of the service.
Although social networks are starting to clamp down on fake accounts and spam, spammers can easily create new fake accounts to continue their activities.
Fixing social media’s spam problems
The root of the problem is that creating a fake account in the social application is incredibly easy as the identity verification process is easy to bypass. Common methods of identity verification include using email verification-only, and using password-only.
Email verification-only is problematic because a single user can create many email accounts in a short time, which can then be used to create fake accounts in the social application.
Password-only is also problematic because spammers may use an automated tool called “account checker” to test different username and password combinations on the social application in the hope that a few may work to gain them access to these accounts. Captchas are supposed to deter the automated creation of accounts, but they can be quickly outsourced for people to solve inexpensively.
The use of phone verification upon creation of accounts can prevent spammers from creating fake accounts. This involves sending a one-time password (OTP) to a user over a separate communication channel (SMS or voice) than the IP channel (internet) used by the social application.
If an account can only be created after the user has correctly entered the OTP in the social application, this will make creation of fake accounts a more tedious process.
Furthermore, virtual and ported numbers can be sniffed out using certain APIs like Nexmo’s Number Insight. As a result, this makes it prohibitively expensive for the spammer to create fake accounts to use for spamming purposes as they either have to invest in a highly sophistical solution, or undergo the manual process of obtaining a phone number to bypass phone verification.
Phone verification is ideal to implement because phone numbers are globally available, and the process is inexpensive to implement. There is no additional hardware required since most people have a basic phone and SIM card, and the cost of sending/receiving messages are low.
New users can even be onboarded seamlessly, without the need to enter a code, by checking their phone number type using a service like Nexmo’s Number Insight. This can also enable the discovery of accounts attempting to input virtual numbers, which the social application can opt to block.
Once the user performs an action within the social application, e.g., upgrade service, make first post, etc., the OTP password can then be sent to their mobile, performing a hard verify.
To prevent account takeovers, phone verification can also implemented to authenticate login from a new device, location or IP address.
Spam on social applications can be truly disruptive to the user experience, so implementing phone verification can be an effective way of blocking it.