Instant messaging spam, or spim (Spam over IM), is not something I have a lot of experience with. However, yesterday (Thursday, March 11), Microsoft announced that it reached a settlement with Funmobile, a company it sued last July, accusing it of using its service to spam users. From ZDnet:
Microsoft said on Thursday it has reached a settlement with Funmobile, the Hong Kong-based company it sued last July over accusations that Funmobile was using instant messaging spam to trick users into giving up their account information.
The software maker said it has obtained an injunction against Funmobile requiring it to refrain from 'spimming' — sending IM-based spam — to customers or contacts of Windows Live Messenger, and to make a cash payment to Microsoft.
"The successful resolution of this case sends a clear signal that Microsoft does not tolerate abuse of its networks, and we will continue to take action to protect our customers," said Microsoft associate general counsel Tim Cranton in a statement.
Microsoft had accused Funmobile of targeting users on its Live Messenger network to gain their personal information. Live Messenger has more than 320 million users, according to the company.
In the suit, Microsoft cited a number of attacks, including IMs that appear to be coming from users the victims know [TZ – emphasis mine]. It also described phishing attacks that mimic the look and feel of an outside service or an official Microsoft support page.
The company said the successful use of these tactics allowed third parties to obtain these users' personal account information, then exploit it by sending mass spam and phishing messages to the contacts of those users.
"Such attacks on instant messaging services are more than just a nuisance; they are a threat to user privacy," said Cranton.
Technically speaking this is not phishing since phishing, by definition, is the attempt to trick somebody into providing financial information. The tactic is here is known as spoofing and belongs to the broader area of attack known as social engineering. It plays on the psychology of brand recognition. Companies like Coca-Cola rely on their brand to sell their product around the world. People feel good when they are in a foreign place but see the familiar logo of Coke; they are in a restaurant, and so they order one (note: I do this regularly when I travel outside of the US and Canada). Images of familiarity when we are in unfamiliar territory causes our brains to release chemicals – endorphins – that make us feel good. That comfort level breaks down some of our barriers.
If we were to see a message coming from someone we don’t recognize, instantly our guard is up and we are less likely to be complicit in a spammer’s (spimmer’s?) request. However, by impersonating somebody we know, if we don’t realize right away that this is a spoof, our brains release endorphins and we enter a more suggestible state. This is because we recognize the brand of our own personal social network. We like to talk to people we know; we are comfortable with them and therefore our guards are down. The chances of us being more complicit in the release of private information is higher when we are more suggestible.
This isn’t Cranton’s or Microsoft’s stance, however. It’s more of an incidental. The greater point is that Microsoft has Terms of Service and abusive users of its service are subject to being shut down. This also plays into Gary Warner’s blog post where he advocates that “bad guys need to stop worrying about having to lease new servers, and start worrying about the long arm of the law knocking at their door.” While Microsoft’s actions in this case is not about using law enforcement to shut down a botnet, they aren’t far away from it by using the legal arena to force an abusive service to stop doing it. Hopefully, this will cause Funmobile to think twice before they start “phishing” other users. Hopefully even more, it will cause other services like Funmobile to do the same.