Not us. (Photo: Naked Security)

Welcome to the big leagues, Snapchat! This week the photo-sharing app experienced a startup Bar Mitzvah, of sorts, when it was inundated with its first major spam attack.

Unsuspecting users received an explicit snap from someone calling herself named “Honey.Crush9,” inviting them to a sexy Skype conversation. Anyone foolish enough to take the bait ended up with—surprise, surprise!—malware. 

Naked Security reports that the spammers exploited a little-known loophole on Snapchat’s app that allows anyone to send you pictures—even if you haven’t added them to your authorized friends list. Here's how you fix it:

According to Snapchat's FAQ, you can change this setting. It tells users to tap the camera icon as if you are going to take a picture, then, tap the square button on the bottom right corner of the screen. Select "Settings", go to "Who can send me snaps...", and select "My Friends" instead of "Everyone."

Snapchat CEO Evan Spiegel, fresh off bragging about the app’s explosive growth, apologized for the debacle on the company's blog. Acknowledging that spammers "totally suck," Mr. Spiegel wrote that the engineering team quickly halted the problem from spreading further by stopping new accounts from being created.

Poor Mr. Spiegel—guess a few nudes sneak onto his app, after all.

(Photo: Metanoodle)

Notice that your Internet's been a little slow lately? A cyber fight between an anti-spam group and a Dutch Internet company has spiraled so far out of control that it's threatening the infrastructure of the Internet and clogging connectivity for everyday web users, including those--gasp--trying to access Netflix.

The New York Times reports that when the international spam tracking group Spamhaus added hosting company CyberBunker to its blacklist for allegedly disseminating tons of spam, CyberBunker retaliated by launching the largest DDoS attack in the history of the web (that the public knows about, that is). The scale of the attack is so massive that it's "causing widespread congestion and jamming crucial infrastructure around the world." So that's why that episode of Arrested Development wouldn't load.

CyberBunker is a Dutch hosting company that operates out of a former NATO bunker, and hosts any website "except child porn and anything related to terrorism," including BitTorrent site The Pirate Bay. Spamhaus claims that CyberBunker also allows massive spam networks to operate; this accusation set off the cyberattacks, which the Times warns could escalate to the point where people are unable to use normal web services like email and online banking.

When Spamhaus contacted security firm Cloudflare for help, they too became the target of attacks by the massive botnets reportedly controlled by CyberBunker. Writes The Times:

“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.”

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

An Internet activist speaking on behalf of CyberBunker said the attacks are due to Spamhaus abusing their power, using spam as a cover to take down websites they simply don't agree with. "Nobody ever deputized Spamhaus to determine what goes and does not go on the Internet," he told The Times. "They worked themselves into that position by pretending to fight spam."

To be fair, if you're trying to prove you don't support big spam operations, it's probably not the best idea to spam the entire Internet using your powerful botnet army.

(Photo: Blogspot)

Looks like hardware may finally be getting its chance in the sun at SXSW. [New York Times]

TechCrunch spoke to sources who were in the same fraternity with Reggie Brown and Evan Spiegel at Stanford and they corroborated the notion that Mr. Brown came up with the original idea for Snapchat. Winklevii'd. [TechCrunch]

Hey FYI, all those "free gift cards!" texts you were getting were actually spam (just in case you've never used a cell phone before). Luckily, the FTC is cracking down on 29 scam artists sending them out. [The Next Web]

Anita Sarkeesian, who became the target of trolls after daring to speak about women in video games, debuted her first episode of "Tropes vs. Women." [The Daily Dot]

Pandora's fourth quarter results were better than expected, but its CEO is still stepping down. [AllThingsD]

Fake Cord Jefferson (Screencap: Twitter)

Spam accounts are nothing new on Twitter, as anyone who has ever tweeted the words "iPad" or "sex" can attest. But another spam ring has recently cropped up on the platform, and it uses the name cache of prominent journalists, techies and celebrities in an attempt to attract followers.

On Friday, Gawker writer Cord Jefferson discovered a copycat account that lifted his name, photo and bio in order to appear as if the account was that of the real Cord Jefferson. "Ha ha. What is this? Why is this? How do I kill this thing?" he tweeted. Twenty minutes later, BuzzFeed's Andrew Kaczynski noticed the same thing. "Fuck is this account?" he tweeted.

As it turns out, Misters Jefferson and Kaczynski aren't the only media people affected by this trend. It appears that these spam accounts are also following hundreds of other spam accounts that pull the same trick, taking a real user's avatar, background photo and bio in order to make the fake profile appear legitimate.

There's one for actress Chloe Sevigny, Politico tech reporter Eliza Krigman, Harvard Business School professor Clayton Christensen and Dropbox product manager Matt Holden.

Celebrity impostors have always been an issue for social networks, which is why verified accounts exist. But the phenomenon doesn't seem to be related to a user's number of followers. Mr. Kaczynski has over 70,000, Mr. Jefferson over 8,000, and Learnvest's Allison Kade, who also has a copycat account, just over 500. The accounts all appear to be part of the same spam enterprise, since they all follow each other.

Weirder still is the fact that none of the accounts have tweeted anything yet. If the point of creating a ring of fake accounts that appear legitimate is to disseminate your spammy message, the spammers are either still building their core base of users or they haven't decided just what exactly their message is.

Users can report the accounts for spam, but that doesn't get them removed automatically. We've reached out to Twitter for comment and will update when we hear back.

(h/t Peter Sterne)

Not government sanctioned.

Many Americans may instinctively believe there's little risk in visiting any site that ends with .gov. It's the government--their sites are secure, right? Apparently not.

Sophos's NakedSecurity blog reports that spammers have discovered many U.S. sites are vulnerable to a simple exploit that sends the unwary to fake "work-at-home" websites.

The culprit is sloppy coding, which permits something called an open redirect. NakedSecurity demonstrated the ease with which a spammer can construct an open redirect:

In the following example, the link ends up at Naked Security:

http://labor.vermont.gov/LinkClick.aspx?link=http://nakedsecurity.sophos.com

In that example, just looking at the link means it's easy to tell that you are going to end up at Naked Security. But what if you shortened the link with a URL-shortener such as bit.ly?

Then you can provide a link which looks like

http://1.usa.gov/OYCBM7

It's not so easy to tell that it's going to end up at Naked Security now, is it?

No, it is not.

Spammers use this exploit to send the unwitting to ludicrous sites claiming to offer opportunities to work from home and earn as much as "$7,000 a month, part-time!"

NakedSecurity reports that the Americans targeted in this con are "the most likely" to fall for it.

Though this spam attack is relatively new, some URL shrinking services like bit.ly are already warning users away from the spam sites.

Researchers haven't detected malware associated with the fake work-at-home con yet, but as it continues to draw people who are desperate to believe such an opportunity is real, it's only a matter of time before the exploit doubles down and starts conscripting computers into some zombie horde of botnets or begins stealing vital personal and financial information.

The usual advice about remaining skeptical of unsolicited emails applies here as well, especially if they have attachments. Also, don't trust anything just because the government appears to be involved.

This guy.

In a new SecureList blog post, Kaspersky Lab researcher Vicente Diaz has described a new frontier in a relatively old online scam. Phishers, tired of building fake websites to lure victims into unintentionally giving away email addresses, passwords or even financial information are beginning to use Google Docs to siphon data from the unwary.

This approach makes it easy for spammers to bypass filters, as emails with links to a shared Google document don't get flagged, giving the recipient the illusion that the message is legit.

Mr. Diaz writes that tricking someone into entering personal data into a sketchy Google Doc is only "the tip of the iceberg":

Google Docs allows hosting other contents such as executable files in different formats, resulting in a very convenient and free hosting service for malicious content. As a bonus the connection is HTTPS by default, making it even more convenient for cybercriminals the use of this service.

HTTPS is the communications protocol that supposedly means a web page is secure and any data entered in a form on that page won't be intercepted by a cyber-thief.

The Google Docs dodge is fairly new but may not be all that rare, as spammers are catching on to the fact that it's so easy to make a target believe they're looking at a legitimate document.

Until anti-spam programs begin to learn and account for this ploy the best defense is skepticism. If you have no idea why anyone would share a Google document with you, don't even click the link.

Mr. Pike, Mark V Shaney's designer. (Photo: Flickr)

If you've spent a significant amount of time on the Internet, you've undoubtedly encountered the phenomenon of @Horse_ebooks, a Twitter spam bot that has managed to escape being shuttered by the microblogging service due in part to its weird and wildly popular form of poetry. The bot mines websites for snippets of text and tweets them a few times a day. As Gawker wrote in their oddly compelling investigation of the Russian programmer behind @Horse_ebooks, "The feed's strangely poetic stream has been embraced like a life-preserver by internet users drowning in a sea of painfully literal SEO headlines and hack Twitter comedians."

Of course, @Horse_ebooks is not the first bot to scrape texts and present its findings packaged in an entertaining and eerily human way. Before Twitter and before @Horse_ebooks there was Mark V. Shaney, a program that was so good at feigning humanity that it managed to confuse and rile Usenet group users for years.

In the fall of 1984, a pair of programmers named Bruce Ellis and Rob Pike decided to harness the basic components of a Markov chain and channel them into a fake Usenet account that could synthesize and regurgitate text. Using code written by Don P. Mitchell, the duo created Mark V. Shaney and unleashed "him" on the unsuspecting masses of the net.singles board, a place where scientifically-minded lonely hearts congregated.

According to a 1989 issue of Scientific American:

The program must first read and reflect on someone else's work. It then produces a rambling and somewhat confused commentary on the work....Although sense is conspicuously absent from MARK V. SHANEY's writings, the sounds are certainly there. The overall impression is not unlike what remains in the brain of an inattentive student after a late-night study session.

Because the program could read and comprehend punctuation, Mark V. Shaney easily composed full, grammatically-correct sentences. This further confused the lonely lovers on net.singles, who saw postings like the one below that boasted proper grammatical structure but made little actual sense:

It really galls me!  I got a BA in computer science instead of a _Finnegan's Wake_!  Did you really intend your posting to be able to improve one's life, and to win admiration -- only the second seems to matter in schools?  Granted, this clown may be the exception rather than the rule.  It seemed that the intellectuals are usually the first to be so totally off the wall?

"The human net.singles didn't catch the pesky little binary corespondent because of all the real nuts in this users group who were misdirecting -real honest to goodness damaged flesh and blood neural-nets spewing crazy flames all the time," wrote Penn Jillette in a 1991 column for PC-Computing. (Indeed, a post by Mark V. Shaney in net.med about using raw honey to treat allergies elicited an outraged response from a user named Daniel R. Levy: "This reply is inscrutable!")

Due to the nature of the program, the prosaic ramblings of Mark V. Shaney spanned some fascinating topics but always hinged on another user’s posting. But like @Horse_ebooks, the text from which it was scraped was almost secondary, and the way in which the words were jumbled and reassembled produced something strangely beautiful. Take, for example, a Mark V. Shaney review of the singer Kate Bush, which actually kind of sounds like something you would read at Pitchfork.

I consider this conversation about Kate Bush albums, fanzines, photographs, videotapes, blow-up loves dolls, and used panties (to put with the Swami), the other hand, the silly Yuppie preciousness of her hair, and the counter-question/action "what would it mean if you sat on my dorm floor as a freshman", but let's face it -- most of our incomes are much closer to that of a plumber or crane operator than that of a woman who lived on my lap.

We can't help but feel like "the silly Yuppie preciousness of her hair" could also be found in a Brautigan poem. It's this mash-up of gibberish and human sentiment that made Mark V. Shaney so endlessly fascinating.

According to Google Groups' Usenet archives, Mark V. Shaney's last post was on August 31, 1987. Called "Symbolic Links" and posted in the comp.unix.wizards group, not a single user responded to the musing. Perhaps the "computer wizards" had caught on to his antics by then.

Spam. (Photo: flickr.com/arndog)

You'd think once you cleared the political hurdles, open government would be pretty simple: Create a nice portal and upload the stats. Done and done. Well, in the interest of keeping the lines of communication with constituents open, the U.K.'s data.gov included a series of forums where anyone could submit suggestions or comments. And of course, those good efforts were rewarded with, as the BBC reports, a flood of spam advertising faux luxury goods.

A quick perusal of the forums reveals subject lines like "If this were a fairy cheap nfl jerseys" and "The cabin offers ergo baby," and the body of each post is randomly sprinkled with links to the spammers' offerings. Project head Antonio Acuña took to the site's blog to explain that while they do use reCAPTCHA, the program only stops spam generated by software and, somewhat ominously, they suspect that "human intervention is also at play."

Administrators have closed the comments while they figure out what do to. They'd probably rather be dealing with spammers than Debbie Downer comments like this, though: "I can only describe it as 'Yes Minister.' data. Harmless. Unlikely to generate controversy. Unless access is given to the raw data, this quest for knowledge is doomed." Ouch, Peter.

(Source: Flickr.com/kinopix)

Seems like the folks over at Reddit don't take too kindly to spammers. The Daily Dot reports that at least five news source domains, including some media heavyweights like The Atlantic and Businessweek, have been banned from Reddit. That doesn't just mean employees at those companies can't post links--it means that users can't post links that include atlantic.com or businessweek.com domains.

The Daily Dot writes that upon attempting to post a link from one of these domains, Redditors are "greeted with the following message: 'this domain has been banned for spamming and/or cheating.'"

Reddit admins are on the defensive: "This type of action is a last resort," wrote alienth. "Before taking such a severe action we make absolutely certain that the domains that would be affected are truly at fault."

Erik Martin, Reddit's general manager, also chimed in, writing, "These bans are temporary."

Redditors in r/BannedDomains are tossing around some interesting conspiracy theories about conflict of interest: "I wonder if we would ever see reddit ban The New Yorker (owned by Condé Naste/Advance Publications) based on the actions of one low-level editor working within extremely vague guidelines," wrote one commenter named cityroasted. "Seems like a conflict of interest for reddit to be owned by publisher and then banning their competitors."

As we wrote in today's profile of Reddit's general manager Erik Martin, Conde Nast has little control over Reddit, which was recently spun out as an independent subsidiary--but clearly the two are still experiencing some growing pains. Given the fact that the social news site nets 2.5 billion page views a month, and is a major traffic-driver, would Conde Nast really stand by if Reddit decided to again buck the wishes of its parent company and ban Wired?

As AllThingsD reports, Amazon had to issue an apology last night to Kindle owners who received a notice about automatic enrollment for a subscription to something called the Kindle Compass that: 1. they didn't sign up for and 2. "would automatically continue at the monthly subscription rate” if they did nothing. Nothing like hearing that the mere act of going about your day as usual now comes with a mysterious additional fee.

Not all Kindle owners received the email. But the ones who did were, naturally, confused. No monthly rate was mentioned and customers jumped on Kindle forums to post complaints like under rubrics like “Where is Kindle Compass Magazine?” and “Auto-Subscription to the Kindle Compass??”

Just as the Times' customer phone lines were too tied up to explain, Amazon customer service likewise couldn't help. "Even worse, those who contacted customers service said the reps weren’t familiar with the service, so the best they could do was help them to unsubscribe to ensure they would not be charged," says AllThingsD.

In the email apology that went out to customers hours later, Amazon explained that the Kindle Compass was a pilot project and apologized for confusion about subscription prices:

This morning we sent you an email regarding The Kindle Compass, a new free publication built by the Kindle editorial team that we’re piloting to a small number of Kindle customers.

This email incorrectly referred to The Kindle Compass as a subscription with a free trial. We built it to always be free for customers, and you will never be charged for it. We apologize for any confusion.

If you wish to unsubscribe from the pilot for The Kindle Compass you can do so from a link in the last section of the magazine, or from the Manage Your Kindle Subscriptions page at www.amazon.com/manageyourkindlesubscriptions.

What, no apology for the automatic, opt-out subscription part?