Tumblr is becoming Spamblr.
Spammers are using the "Ask me anything" messaging feature on the popular social-blogging site to promote their bogus products, similar to the way in which spammers and hackers leverage messaging features on other social-media services.
"WOW, I just lost a bunch of weight using the OFFICIAL TUMBLR DIET!! Are u using it as well? Check it out at [obscured shortlink]," one spam message reads.
The shortened link takes victims to a malicious page, dummied up to look like a leading health publication, chock-full of information and endorsements for the "miracle pill" Garcinia Cambogia Extract.
Once on the page, users are asked to provide their names, telephone numbers and email addresses to lock in their orders before supplies run out. Users are then taken to another page where they enter their financial details.
Unlike a traditional social-networking message, Tumblr's Ask feature gives the recipient the option of responding to the question, then posting the interaction to his or her blog. That's probably the best-case scenario for the spammers, because it turns a single message into a blog posting that can be viewed by all of that blog's followers.
(The Ask feature is turned off by default in Tumblr, but can easily be switched on via the Settings menu.)
The image-based Tumblr network, popular among the Internet's high-school and college population and home to more than 50 million blogs, has spent most of its six-year existence free of the scammers who plague platforms like Facebook and Twitter — but that appears to be changing.
In fact, another scam, this one of the get-rich-quick variety, has also been popping up in Tumblr users' Ask boxes.
"I made $300 yesterday by Internet marketing and I'm looking at at least $450 today," goes the text of one message. "So yeah. You need to do this. I found out about it from this news article on CBS. I'm just excited to share this with you because it actually freakin works! Tumblr won't let me post a link but if you want to read up and start making some money then head over to [obscured link] — Spread this to fellow tumblree's and tumblrette's and lets get out of this recession together!"
This link takes victims to a page meant to look like a news site, featuring a story about how to make lots of cash working from home. Like the "miracle pill" campaign, it also asks for users' personal information.
To curb spam, Tumblr has created an Ignore feature that allows users to block the account, IP address and computer of the person sending unwanted messages.
If a Tumblr user does publish the spam to his or her blog, anyone who reads that blog is put at risk, whether or not the reader is a member of Tumblr.
Symantec said it's seen some users replying and posting the spam "sarcastically," but TechNewsDaily advises all Tumblr bloggers not to do so, as that only propagates the scam.