Communications of the ACM
All your contacts are belong to us: automated identity theft attacks on social networks
Proceedings of the 18th international conference on World wide web
| Hi-index | 0.00 |
Buzz, the new online social networking (OSN) service from Google has been introduced a few weeks ago. Even though it raised big concerns (and even complaints) about several privacy issues, Buzz has been already launched inside millions of Gmail accounts. In this paper, we show that one of the major concerns Buzz might have to deal with is that it is integrated into the Google email service. In fact, to use Buzz one has to sign up for a Google profile that will primarily be seen by other Google users. However this profile, as shown in this paper reveals for the vast majority of Buzz users their Gmail usernames, and so their Google email addresses. We exploit the notion of Followers/Follwing in Buzz to crawl Google for Gmail accounts, demonstrating how it is easy and practical to collect millions of valid Gmail accounts from a single machine, in a very short period of time and without being noticed. The collected email addresses have many desirable properties from a spammer's perspective. They are valid email addresses, that refer to active and individual Buzz users that participate in online social activities, increasing then the efficiency of spam campaigns targeting these users. We then show how spammers can even use the Google infrastructure to categorize the email accounts they collected based on specific area of interest of users. As a conclusion, this paper demonstrate that integrating Buzz to email accounts, and hence to Google profiles offers spammers with a valuable, yet not risky, way to build a giant Google emails-made spammers database.