It's been reported that there has been another wave of Snapchat spam messages being sent. Like the attack which we covered in January, users are reporting that they've received a new wave of weightloss scam snaps. This type of scam normally works by enticing the user to go to the websites and buy pharmaceutical/weight loss products. These latest attacks have apparently been sent by real compromised accounts, as users are receiving them from their contacts and reports from Snapchat - as quoted by the BBC, are they believe that the details to access these accounts have come from other breaches:

"We have seen evidence that hackers who have access to a trove of credentials leaked from other websites, have started using them to gain access to Snapchat accounts,"  

Which exact websites Snapchat refers to is unclear. While it's been suggested by some that Gmail-like leaks may be responsible, one other obvious contender in many people's minds is the large scale breach Snapchat suffered at the start of the year. This occurred when they ignored reports that existing security holes could pose a threat, and promptly had their user details hacked and around 4.6 million user names from the USA and Canada being made public on the SnapchatDB.info website. We covered this in depth at the time, focusing on the distribution of the phone numbers from the breach - showing that some states were more badly affected than other (if you were a Snapchat user with a Colorado cell-phone at the time , your details were obtained). We did this analysis as from first-hand experience we know that problems and leaks on other messaging bearers can directly affect the work we do on mobile messaging such as SMS and MMS, and sure enough in a subsequent follow-up we showed that statistically the SnapchatDB leaked phone numbers received more text message spam after the breach than beforehand. 

But whether the SnapchatDB leak on its own lead to access to user accounts, and so Snapchat spam to be sent, is actually very doubtful. What seems more likely, as Snapchat has referenced in their answer, is that spammers may have combined it with other sources, such as passwords or email addresses from other hacks, to try to guess access. However we have seen first-hand in mobile messaging it can be very hard to tell sometimes how exactly hackers have obtained access to accounts they shouldn't have and so other factors may be at play as well. In either case, if the hackers have developed a system or have access to a trove of credentials, then we can expect spam attacks to continue for a while.   

It seems that Snapchat is in the unfortunate position now of sustaining a spam industry. Even before the initial weight-loss attack they suffered in January, Snapchat has faced a series of other spam attacks. We have classified these attacks into several groups:

1) Adult based spam. Inevitably the earliest type of spam to try to target any communication system, on Snapchat this is broken down into several types: 

  • Snapcrush spam: This seems to have been the first seriously reported Snapchat spam, and started in November 2013, it contained a link to a simple dating site (snapcrush.com) which was also registered in that month
  • Pornbot spam. This is primarily Kik-related spam, which is done by sending snaps to people asking them to contact Kik Messenger accounts. These Kik accounts are invariably pornbots that will initiate a conversation and then try to get the user to signup for a chat room. We shared details on the origin of these senders and their lineage recently. This type of spam was reported since mid/late January 2014, although may have been active earlier. Another attack featured skype pornbot related Snapchat spam that was publically addressed by Snapchat in mid April. Surprisingly (or not - depending on your point of view), this post is not on the main Snapchat blog feed, you have to search for it directly.   
  • Generic Dating Site spam. This type of spam was seen at least since June 2014. It differs from the others in that the link (NewVerified .com) points to an appfly.mobi website which contains links to various apps in google play. These are all legitimate apps, so how this spam makes money is that is an affiliate type scheme, where the spam senders gets paid per app install.

 

2) Pharma type scam, which as well as including the original attack in January & the current attack being reported now, also included a bizarre Smoothie spam attack in February, whose snaps contained links to websites such as frootsnap .com or snapfroot .com. These redirected to fake Groupon-like websites to offer weightloss supplements. This was also sent by real compromised accounts indicating this is the system of choice for this attack. Below you can see the evolution of this type of spam.

 

  

3) Fake goods/advertising type scam. Primarily a fake luxury good type attack, this has been active since at least mid-January, and followed shortly after the Weightloss-spam attack in that month. It relies on 'humour', and points to websites such as RexRep.com that sell fake luxury goods such as Rolexes. Certain similarities between the method of execution between this and the weightloss type attacks indicate they are linked.  

There has also been other reports such as giveaway type attacks, these don't seem to have been as large but again it indicates an evolution of the spam ecosystems on Snapchat. The presence of at least 2 different spammer groups active on Snapchat, if not more, means that the targeting of Snapchat users is well established now. As a result it becomes considerably more difficult to eliminate it completely. Snapchat have since already taken some of the obvious steps such as making it more difficult for an automated attacker to create multiple accounts, but as the recent attacks have shown clearly there are still methods to obtain unauthorised access to other accounts and send spam from their Snapchat account.

Snapchat have reported in many instances they have already notified users that their account has been compromised, in general, it's a good idea for any user who suspects that his account has been used to send spam, that they change their password, preferably to one unique and complex. The next steps that needs to be taken by Snapchat are to look at ways to make account takeovers more difficult, to put in methods to identify and block the spammers when they are active, as well as an efficient system of easily reporting Snapchat spam when received. As a company that specialises in messaging spam detection and blocking on multiple bearers we know better than most the difficulty of doing all of this, but as our results have shown in the US it is possible, as SMS spam is now a fraction of what it once was, and many criminal organisations that used to rely on text message spam have moved on to other messaging bearers. It's possible for Snapchat to address this threat, and shift those stubborn spammers.