Tumblr Succumbs to Chain Spam Scam; Crayon Makers Cheer

The popular reblogging site Tumblr has seen a marked uptick in users roped in by a threatening message, according to GFI Labs’ Jovi Umawing.

Did you ever wonder why spam scammers waste their time barraging people with messages that seem, well, just plain dumb? Surely they aren’t doing it because, for the sake of their health, the spammers’ doctors told them to get out and annoy people three times a week. So we’d like to think, anyway. But the level – or lack thereof – of ingenuity seems to prove the point that these guys aren’t the sharpest pencils in the box. Take a look at some evidence, this from Pedro:

FROM: Pedro
Subject: CONGRATULATIONS!!

Dear Email Owner,

We happily announce to you the Email Support Programme results which you were declared a winner in the Email Draw Category. You have therefore been approved to receive the sum of €500,000.00EUROS. To receive this prize money, send an email Mr Carlos Pedro. Mr. Carlos is expected to process your prize payment immediately he receives an email from you confirming receipt of this message.

Email: (address removed to protect the guilty)

Not very personal, is it? Or well thought-out. Is this from Pedro or not? If so, why does he refer to himself in the third person? Is Pedro his first or last name? Depending on where you read, it is both. And why all the generosity? As of this morning – if my Junk e-Mail folder has anything to say about it – I am worth more than Bill Gates and Steve Jobs combined. And here I thought I had to work for my money. Of course, the tricky part will be collecting all my riches.

Seriously, why? Why would (does) anyone buy into the sheer stupidity? Clearly, this is junk, sent with no actual identification or acknowledgement of the recipient. To some, sending this may seem like futility to the point of being ludicrous. Why would anyone waste their time constructing and sending something that looks like the first draft was done in crayon, right after recess and just before nap time? In fact, this very real spam email, sent from an obscure address and without a lot of redeeming things to say about it, is totally harmless by virtue of its lack of imagination. If a barometer was the measuring device, this message would indicate sunny days ahead.

But when spammers get it right, the barometer spikes to unprecedented levels: showers with a chance of Armageddon. Take, for example, an interesting article written by GFI Labs’ Jovi Umawing, who blogged this week about the popular site Tumblr.com, and how it has been inundated with a Tsunami-like wave of users who, upon receiving a message that threatened to cancel their accounts if they didn’t click, did just that. They clicked. As of May 16th, that amounted to more than 137,000 of them.

If you’re not familiar with Tumblr, it’s a site that’s part blog, part social media. In fact, as Umawing reports, “it’s not exactly like Twitter, nor is it a Facebook or a YouTube. It does a little bit of all three, actually, and for many Tumblr is in a league of its own.”

Tumblr is a reblogging site, which means that users, upon reading or seeing something that they think is worthwhile, can repost to their own wall. According to GFI’s Umawing, that functionality – easy to use and light on the number of clicks – makes sites like Tumblr a perfect target for spammers. This week, The Register picked up on the story, stating that, “the fake messages falsely warned that ‘your blog will be deleted unless you repost this’ note, which claimed that Tumblr was drawing up a list of inactive profiles.”

The spammer’s biggest tool in his arsenal is fear, and it seems that Tumblr users stumbled right into the trap. In fact, the Tumblr spammers seem a little more savvy than Mr. Carlos above, seemingly keying in on the fact that Tumblr’s interface doesn’t allow for easy flagging of the scam. According to The Register, “the Tumblr chain letter took advantage of a shortcoming in the reblog function on the site that meant that more clued-up users could only warn about the scam by reposting the dodgy message themselves.”

“Even then,” writes GFI’s Umawing, “those users had to reblog the message so they could leave their ‘This is fake’ comment – a Tumblr restriction, you usually have to reblog to leave a comment – which doesn’t exactly help matters.” The Register quotes Umawing as saying that, “the only way users can really warn others is by adding a note to the comments, and the only way to do that is to reblog the original message, thus spreading it further.”

Now, this is nothing new. Facebook and Twitter have been targets for a long time, with some success. It’s not remarkable that another social networking site has been targeted for spamming, or even that a relatively large number of users took a giant bite out of it, hook, line and sinker. It’s not even remarkable that a flaw, albeit minor, in Tumblr’s interface actually added to the problem by helping propagate the spread of the spam. Facebook, in particular, has come under scrutiny for its moving target of an interface and ever-changing security levels. No, what makes this story interesting is just how remarkably simple it is to entice people to click. It doesn’t have to be elaborate. It doesn’t even have to be sophisticated. It just has to scare them a little.

I, for one, hope that the Mr. Pedros of the world don’t pick up on just how truly easy it is. The run on crayons might cause a worldwide shortage.
