image placeholder

A dark force, unleashed online

By Gareth Cook at Boston Global, January 08, 2012

THERE IS a new kind of threat gathering online.

Until now, the story of the Internet wars has been a tale of escalating software. Shadowy criminals (or bored teenagers) design code which infects a computer, or spits out spam, or steals credit card numbers. They get better and better. Our protectors, meanwhile, struggle to keep up, designing programs that build protective walls around our computers, and filter the lottery notifications and Nigerian petroleum appeals from our inbox.

But the crucial ingredient of a novel form of attack, recently detailed by computer scientists in California, is not software, but people. Large and growing numbers of mercenaries are being hired to help twist the landscape of social media – to write rave reviews of products, post convincing spam, set up accounts on social networks, or perform other tasks. This gives their employers new ways to do everything from legally questionable marketing to outright theft.

China appears to be the epicenter of this new black market, which is running to the millions there annually, but it has also arrived on our shores, according to Ben Zhao, an associate professor at the University of California, Santa Barbara, whose detective work has shed light on what is happening.

What Zhao and his team have found is darkly fascinating. It’s a reminder of the forces being unleashed as the world, with its massive economic disparities, is connected by the Internet. It also serves as a warning: As we hurdle headlong into a world shaped by social media, profits and power will accrue to those who know how to play the puppet master.

Zhao tells me he gained his first look into this world while doing research on RenRen, a Chinese version of Facebook. RenRen provided him with a large set of accounts it had shut down for abuse, such as spreading spam or viruses. As Zhao and his graduate students looked through the blocked RenRen profiles, though, they found that many looked quite convincing, nothing like the usual computer-generated nonsense. People just glancing at one of the profiles would probably think it came from a real person; they might read the opinions, and perhaps click on a link or two.

“They looked too real,’’ says Zhao, “to be machine-generated.’’

The accounts were the product of what Zhao has dubbed “crowdturfing’’ – a combination of “astroturfing’’ and “crowdsourcing.’’ Astroturfing is an older term which refers to fake grassroots efforts, like secretly paying people to send notes to their senator in favor of a bill. Crowdsourcing is outsourcing to a crowd – a form of mass collaboration in which someone puts out a public request for help with a large number of well-defined tasks.

Combine the two and you get websites such as one called Zhubajie in China, which publishes offers for work like singing the praises of a particular dress on social media. The pay for each of these jobs is measured in pennies, but Zhao says there are some people earning several thousand dollars a year, a living in China. And the activity is growing quickly. Zhoa’s computer surveillance found about 100 crowdturfing campaigns advertised per month on Zhubaijie in 2007, and recently it was nearly 10,000.

This may all seem distant and relatively benign. But it is neither.

Crowdturfing operations are starting up in India, where there are plenty of people with English skills, and the lack of economic opportunities, to make working in American social media practical.

This rise of this new technique means that any web service with user accounts – from eBay to Twitter – can be readily invaded in large numbers. That will be a potent tool for purveyors of commercial and political propaganda. It will also make it easier for criminals to spread malicious software. Being on Facebook or Twitter can lull you into complacency. You have a sense that you are among friends. But know this: one of your new friends could be a teen on another continent, working for pennies on the hope that you’ll make one false click.