Your Gullible Friend Has Sent You a Photo!

The dangers of social spam.

Until last weekend, I had never heard of WeGame.com, the go-to source for videos of video games. Then, on Sunday, I got an e-mail from a casual acquaintance with the subject line “[casual acquaintance] has sent you a photo!” Naturally, I clicked the link, which took me to WeGame. The site invited me to see this photo—just as soon as I entered my e-mail password, which it promised not to remember.

The site’s tactic is dirty and obvious: When you give it your login info, it mines all the contacts from your account and fires off an identical e-mail to all of them with your name in the subject line. I got several more WeGame messages on both my Gmail and work accounts from infrequent contacts, like the friend of an ex-girlfriend’s current boyfriend. There’s nothing truly evil going on here—it appears to just be an overzealous publicity campaign on WeGame’s part. This episode of “social spamming,” however, does reveal a ripe opportunity for more pernicious spammers to get access to your accounts and cause all sorts of trouble.

There are times when it’s useful to allow a Web site to peek at your contacts list. Both Facebook and Twitter offer to search your e-mail to find friends’ profiles or user names. WeGame, which is a serious project that raised $3 million when it launched, has as much right as anyone to market itself to users’ friends via e-mail. The difference is that WeGame encourages you actually to send mail to all your contacts, firing out misleading messages if you click “yes” too many times without reading carefully. Every time I logged in, the photo my friend allegedly wanted to share was the same: a picture of two people dressed as the Mario Bros.

I signed up on WeGame with a dummy account on Monday morning to see exactly how easy it is to spam all your friends accidentally. Once I went through the sign-up process, I got to a pop-up that asked me to “confirm [my] e-mail invites.” All of the contacts in my dummy account’s address book were selected. In order to avoid spamming everyone, I had to hit cancel and start unchecking names. This actually represents progress for the site. Armin Rosen, a Columbia University senior who fell for the WeGame scheme, tells me that he “didn’t even see the list of e-mails” he was about to send when he signed up. (In response to my questions about his site’s publicity strategies, WeGame founder Jared Kim pleaded ignorance, telling me only that his “team makes pretty rapid changes” to WeGame’s functionality.)

I can’t remember the last time I saw any piece of old-school spam that looked believable. The spelling and grammar are often hopelessly mangled, and we’ve all learned not to open weird attachments or send strangers our bank account information. But notes like the one from WeGame are a new breed. Because we are so accustomed to interacting with friends over social networking sites, getting an e-mail about a photo link doesn’t seem strange. Sites that pose as social networks are the new spammers, and they’re a lot harder to sniff out than the traditional penis enlargement and fake Rolex watch crowd.

Consider the case of ViddyHo.com. The site, which launched in February, promised you a video if you logged in through MSN Messenger, AIM, or Gmail, among other sites. This isn’t such a strange request. Facebook Connect allows other Web purveyors to use Facebook profiles as a form of identification, and your Gmail password is your ticket to all of Google’s tools and gadgets. ViddyHo wasn’t on the level, though, and people who fell for the trick paid the price. If you handed over your Gmail username and password, the site proceeded to GChat all of your friends to spread the good news about ViddyHo. Not only were victims hacked; all of their friends knew they were gullible.

The damage caused by ViddyHo, as with WeGame, appears limited to embarrassment. Hoan Ton-That, the site’s San Francisco-based creator, told me in April that he didn’t mean to auto-invite people’s entire address books, though the fact that he has a new site with similar ambitions is not heartening. But there’s nothing preventing the next ViddyHo from doing more damage, logging passwords and contacts for more sinister purposes.

Like any good scam, social spam exploits our trust—the belief that our friends wouldn’t invite us to join a site with bad intentions. Versions of this trick have been around since the height of AOL Instant Messenger’s dominance, when I would occasionally get IMs from friends with purported links to articles about Osama Bin Laden’s capture. (I clicked on that one.) But the rise of social networking has made these scams even more convincing. I have a feeling most of the victims of the WeGame e-mails were more absent-minded than gullible. We decide we’re going to register for some new site and then go into autopilot, typing in whatever we’re asked for in the fields. After all, we’ve done it a thousand times before without incident. (One victim at Wesleyan claims to have been on the phone while absently clicking through the motions and ended up infecting her best friend’s mother.)

It’s easy to imagine how social spam could wreak real havoc. Imagine a site—vouched for in a friend’s e-mail message, naturally—that asks users to provide their e-mail address as a login, then prompts them to set up a password. It would then be elementary for the wicked Web site to check whether this e-mail/password combo opens the user’s Webmail account. Considering how often people use the same password for all of their Web transactions, I bet that simple scheme would work a lot of the time. Once the Webmail has been cracked, the wicked Web site could send invitations to everyone in the contact list—and plunder the inbox for valuable goodies like bank account information or Social Security numbers.

If WeGame and its ilk continue to proliferate, it may fall to the Webmail clients to place extra protections on how outside sites can mine contacts. “We don’t approve of third-party sites handling their users’ information in this way,” a Google spokesperson told me, adding that “in some cases we may take more proactive measures to identify and block the spam.”

WeGame doesn’t actually send mail from users’ Gmail accounts—it just sends all your contacts e-mail with your name in the subject line. On account of that, the best Google could have done immediately would have been to block e-mail that came from WeGame. In the meantime, a quick, finger-wagging PSA: The rise of social spam is yet another reason to practice safe surfing. Think twice whenever a site asks for your Webmail password. And for the millionth time, don’t use the same password for everything.