Geo Spam Heads Into Location-Based Territory

Well, it was bound to happen. As popular as location-based services are becoming, it didn't take long for the Spamalot Brigade to step in for a little menace and mayhem. As if privacy wasn't a big enough issue with LBSs, now we have to worry about hackers and the insidious tactics they use to infiltrate geo-tagged apps, ads and profiles on our mobile devices.

Similar to attacks on other platforms such as email and IM, the first phase of attacks on social networking sites used a shotgun approach that hit a huge number of users in hopes that a small percentage of them would fall for the attack. The Koobface worm was one such device. Twitter spam and porn bots all relied on this tactic, and with pretty good results. Koobface's various iterations have infected millions of Facebook users, and there have been a couple of fairly effective phishing campaigns on Twitter.

While Twitter and Facebook have had their share of DDoS (Distributed Denial of Service) attacks, hackers, according to a recent Kaspersky Lab security report, have been shifting their targets to geolocation software and apps. Attackers can sift through users' profiles, looking for specific interests, information on where they live and what they do in their spare time. They can then use that data to aim tailored phishing and drive-by attacks at a small group of users in a specific city.

ChannelNews reported that iPhone attacks will increase with a proportionate escalation in "snowshoe spamming," a technique used by spammers to spread spam output across many geolocation IPs and domains, just as a snowshoe spreads the load of a traveler across a wide area of snow. The report also predicted that South Africa's mobile phone networks will be a hotbed of activity during the 2010 FIFA World Cup games, where a good number of related trojans, fake tickets shows and DDoS attacks will surge.

Apple has put iPhone developers on notice that location-aware ads will no longer be tolerated in apps that are not location-based apps. The notice on Apple's iPhone Development Center read as follows:
  • "If you build your application with features based on a user's location, make sure these features provide beneficial information. If your app uses location-based information primarily to enable mobile advertisers to deliver targeted ads based on a user's location, your app will be returned to you by the App Store Review Team for modification before it can be posted to the App Store."
In other words, if an app does not have a geo-component as one of its core features, it can't include irrelevant geo-targeted ads as one of its features. This appears to be Apple's way of keeping spam, in the form of geo-targeted ads, from popping up on LBS sites like Foursquare.

According to a TechCrunch report, "Geo-based ads are very promising, and could open up local advertising to the Web in an entirely new way. But Apple needs to set the rules of the road early to make sure that consumers are not inundated with ads that are nothing more than spam and out of context to what they are doing."

There will be other tactics used to 'game' the location-based systems online that will mimic what has already been done on Twitter and Facebook, such as impostors (one such case already fingered a Mayor Mike Bloomberg impostor), fake check-ins to build points, malware and porn apps, to name a few.

As the field of location-based social networks widens, you can bet that the Spamalot Brigade will continue to work overtime to make their presence known, whether it be for a profit or just to cause mayhem. The trick is to keep your guard up and, when you start treading geo-tagged waters, to make sure you are in control of your ship and that it is not being steered by outside forces.

Randy Glasbergen Cartoon