Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Welcome to our world, Adobe

One of the problems that plague free sites that permit user content uploading – Windows Live Spaces, Google Blogspot, Yahoo Groups, Geocities (back in the day), etc. – is that they are prone to being abused by spammers.  The idea behind these services is to give users a way to share their creativity and ideas with the world, or get their businesses up and running, at a very low cost to the end user (which is free).  Since consumers gravitate towards the lowest price point, these services compete with each other to give their targeted user base a rich experience while making management of the site as simple as possible.  The goal behind these services is either to sell advertising to generate revenue, or to build a user base large enough that enough users will want to pay for products that integrate well with the free services.

Adobe has free software – Acrobat Reader – but you have to pay for Adobe Acrobat.  Similarly, Photoshop is a powerful image-editing tool that you have to pay for.  Adobe now permits users to create and share their own photo albums, similar to Flickr, Picasa, SkyDrive, and so forth.  But with free storage space comes the invitation to abuse.

It is not only the legitimate end user that takes advantage of these sites.  Spammers are always looking for ways to lower their costs, and these free services give them a couple of benefits:

  1. It lowers their cost of ownership.  These free services foot the bill for hosting and management, thus offloading some of the users’ spamming costs.

  2. It avoids reputation filtering.  Many spam filters today will filter on URLs, and simply filtering photoshop.com or flickr.com will invariably result in an unacceptably high level of false positives.  Using a free service with a good reputation (known as brandjacking or reputation hijacking) allows spammers to hide within the reputation of others.
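To make the false-positive trade-off in point 2 concrete, here is an added example (not code from the original post) that scores a URL blocklist keyed on the whole domain against one keyed on the uploading account. The host `photos.example`, the "first path segment identifies the account" layout, and all sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical free-hosting domain; assumed layout: first path segment = account.
SHARED_HOSTS = {"photos.example"}

# Constructed sample data: URLs already reported as spam ...
REPORTED = ["http://photos.example/acct-8841/album/1",
            "http://cheap-pills.example/buy"]
# ... and URLs seen in later mail, with ground-truth labels (True = spam).
STREAM = [
    ("http://photos.example/acct-8841/album/7", True),
    ("http://cheap-pills.example/order?id=3", True),
    ("http://photos.example/alice/holiday", False),
    ("http://photos.example/bob/wedding/2", False),
    ("https://PHOTOS.example/carol/", False),
]

def reputation_key(url, per_account):
    """Return the string the blocklist is keyed on for this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if per_account and host in SHARED_HOSTS:
        # On a shared host, key on host + account instead of the bare domain.
        segments = [s for s in parts.path.split("/") if s]
        if segments:
            return host + "/" + segments[0].lower()
    return host

def evaluate(per_account):
    """Build a blocklist from REPORTED, return (spam caught, false positives)."""
    blocklist = {reputation_key(u, per_account) for u in REPORTED}
    caught = sum(1 for u, spam in STREAM
                 if spam and reputation_key(u, per_account) in blocklist)
    false_pos = sum(1 for u, spam in STREAM
                    if not spam and reputation_key(u, per_account) in blocklist)
    return caught, false_pos

if __name__ == "__main__":
    print("domain-level :", evaluate(per_account=False))
    print("per-account  :", evaluate(per_account=True))
```

Both keyings catch the same spam in this sample, but only the domain-level list also blocks every legitimate album on the shared host.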

Spammers will upload a payload, either an image containing products or text, and send out spam directing recipients to the spammy page hosted by the free service.  It turns out that photoshop.com is now a target for spam operations.  Observe below:

image

There are a couple of free services being abused here: in addition to photoshop.com, we also see MSN being abused as well as Gmail.  My guess is that services like Adobe, that don’t have a lot of experience in anti-abuse, are going to have a hard time dealing with this problem.  When most companies go into this free-content creation business, the first thought is how to drive traffic to the site and get uptake from the general population.  They don’t really think about how to prevent people from signing up for it maliciously.  That’s why I think Amazon has such a difficult time with maintaining the reputation of their IP space in their cloud services.  They are used to combating fraudulent transactions but have less experience dealing with fraudulent users of their services.  We’ll see how Adobe deals with this problem; it’s not a simple one to solve for anyone, let alone those in the software business (where software = software products, not software services).

  • Interesting! There is a big hole at captcha walls!

    palmamail01+msdn@gmail.com

  • captcha? That is trivial to break. Simply hire a room full of low-paid workers in the third world to break a few hundred thousand of them.
