Facebook shut down as many as 30,000 fake accounts in the past week — but that's unlikely to hurt the multi-million-dollar spam industry.
In fact, since Facebook's post-election housecleaning, it's become even more lucrative for spammers to pump out "inauthentic accounts." The asking price on the black market for 1,000 fake accounts used to be $20, but security changes by the social network giant only succeeded in driving up prices.
“If you go to the underground markets where they sell fake Facebook accounts, you can buy 1,000 of these for $300 to $400,” Damon McCoy, a New York University computer science professor specializing in cybercrime, told NBC News. “In terms of economics of replacing these 30,000 accounts, they took down something, but perhaps not as much as you might think.”
The flurry of account closures — all "users" were based in France — was an attempt by Facebook to head off interference in the French presidential election, following fierce criticism for the network's role in the proliferation of "fake news" during the 2016 U.S. presidential election.
"We’ve made improvements to recognize these inauthentic accounts more easily, by identifying patterns of activity — without assessing the content itself," said Facebook in a statement. "For example, our systems may detect repeated posting of the same content, or an increase in messages sent."
"Going forward, the advances we have made to our detection systems will help us ... keep our platform safe," the statement continued.
Prices for other fake social media accounts — which, like fake Facebook accounts, are created either automatically by programmers in places like Russia, or are registered manually by humans in “farms” in countries like India, where labor is cheap — remain low. At time of writing, one Russian account-selling site asked only $900 for 20,000 Twitter accounts with confirmed email addresses.
Spammers are getting smarter as well, squeezing more money out of each individual account by moving to harder-to-detect money-making methods, like advertising revenue from the spread of false news stories.
But perhaps of greater concern are the geopolitical effects spam can now cause, said Marcus Rogers, director of Purdue University’s Cyber Forensics Lab.
“For pretty much any election right now, there's this big concern there's going to be manipulation by what we would consider to be spammers and the fake news folks,” Rogers said, citing allegations of cyber interference in the 2016 election and concerns over similar interference in the upcoming French presidential elections.
Traditional email spamming, which focused on selling counterfeit pharmaceuticals and scams targeted at individuals, never had that sort of impact, Rogers noted.
The Return of Email Spam
New avenues like social media had, for years, reduced the amount of spam over classic “attack vectors” like email, Rogers said. But research shows email spam is reemerging and refocusing.
In technology conglomerate Cisco’s 2017 Cybersecurity Report, researchers found a resurgence of email spam, which had risen to levels not seen since 2010. The spam — much of it pushed by botnets, networks of computers controlled by malicious software, usually without the owners’ knowledge — accounted for 65 percent of email.
Still, global email spam volume falls short of its 2010 highs, said Jaeson Schultz, a threat researcher with Talos, Cisco’s security research arm. But even at the lower volume, Talos blocks roughly 500 billion email threats each day, in addition to 20 billion threats on other platforms.
“Spam, I think, is going to exist in all of these platforms,” Schultz said.
But email spam has reemerged with a new focus. Now, spammers are frequently targeting businesses instead of individuals, according to the Cisco report.
These attacks often mirror classic phishing scams, where a spammer will send an email, posing as someone else, and ask a corporate executive to initiate a wire transfer, often to an international bank from which the funds are unrecoverable, McCoy said.
Other spammers are moving away from illegal activity, into gray markets, McCoy said. Instead of attempting to sell counterfeit drugs, spammers will push unproven herbal remedies, which are most often legal, or at least unregulated. They’ve also taken to hiring attorneys to draw up user agreements for their would-be victims.
It’s not likely spam will go away anytime soon, Rogers said. As with viruses, which have afflicted consumers and the tech industry for the last 30 years, there may not be a permanent solution to spam, and the industry might have some catching up to do.
“I would say we're about a year, year and a half behind,” Rogers said. “And that's being optimistic.”
While Rogers, McCoy, and Schultz all agreed that some advances against spam had been made, cooperation within the tech industry is still the key to long-term success.
“We all need to get together to be able to share information and try to combat these attacks with the idea that these folks that are trying to come in one door might try another door,” Schultz said. “When you combine your resources, you really can make a difference in the security of the internet for everyone.”