Compsec maven Brian Krebs rakes over the findings of a University of California, San Diego research report into the online market for what I like to call meatpuppets: cheap human labour-on-the-web that gets leveraged for bypassing the security systems that are supposed to stop automated spammers.
“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.
The UCSD team examined almost seven years' worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such as online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs: account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.
“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”
The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs — those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are plenty of commercial services that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.
It’s interesting to see massive crowds of human labour getting rolled quite effectively into these vast and largely automated systems: the dark-side equivalent of Amazon’s Mechanical Turk, with a smattering of Matrix metaphors on the side. But those digital peons are just trying to make a living, and when you look at the prices being charged for Twitter followers by the thousand and factor in the significant cut being taken by the service aggregators, you realise that they’re probably not making much more than sweatshop wages. Which means that until the massive differential in income between developed and developing nations narrows, web security procedures will always be subject to this sort of outsourced brute-forcing. Shorter version: spam ain’t going anywhere anytime soon.
The irony of having blocked five fake Twitter accounts in the time it took me to write this post is palpable. Death, taxes, noise*, spam.
[ * Anyone who’s worked in the recording or music industries will tell you that noise is the third certainty of life. As, I suspect, will anyone who has lived in a block of flats. ]