2011-07-01
Abstract
‘Tumblr is definitely a hot property for scammers, and users should be very careful.’ Christopher Boyd, GFI Software.
Copyright © 2011 Virus Bulletin
Recent statistics show that the four-year-old Tumblr blog-hosting service now has more users than the eight-year-old WordPress. Given such popularity, it should come as no surprise that the service is coming under fire from scammers and spammers, and users of Tumblr would do well to steer clear of the following examples to keep their accounts safe from harm.
1. Reblogging scams
Reblogging content is the heart and soul of Tumblr – however, it’s easy to fall for viral scams based on chain letter tactics. Messages warning ‘Your account will be deleted if you do not reblog this’ are common – some reaching as many as 137,000 ‘notes’ (which include comments and reblogs). The situation is not helped by the fact that those who are more security-aware can only warn other users about the scam by reposting the original message. The above example actually linked to a Japanese disaster donation post by the Tumblr staff, but users were more eager to reblog than to check the source.
Reblogging a scam wouldn’t look good from a corporate account – especially if you fell for the recent ‘Reblog this to get a free giraffe from the Tumblr staff’ hoax.
2. Sockpuppet attacks
For various reasons, Tumblr users tend to come under attack every so often from malicious users who create large numbers of sockpuppet (bogus) accounts, then follow legitimate users. The idea behind the attacks is that the legitimate users follow the sockpuppet back, at which point the attacker posts gore/shock images. When this happens, the legitimate user will see those images displayed on their ‘dashboard’ (which is effectively their Tumblr homepage, and the way in which Tumblr users see content posted by the people they follow).
If you are in charge of managing your company’s Tumblr account, this is not content you want to appear on the corporate network. Always be wary of randomly named accounts (which often have no avatar) that follow you. If in doubt, don’t feel under pressure to follow another user back.
3. Random content
Although not usually quite as serious as the sockpuppet attacks, even legitimate Tumblr users can (and do) post random content. This can range from landscape photography to pornography. As the latter isn’t something you would want on your corporate network, think twice about the users you follow (if any) from a corporate account.
4. Spam attacks
Spam attacks tend to come in waves. A recent collection of Tumblr blogs promoted a so-called ‘Tumblr IQ Test’. When clicked, the user would be directed to various offers and promotions. Unlike the sockpuppet attacks, the profiles that were hosting these ‘IQ test’ links appeared to have been legitimate accounts until the spammy links were posted – which suggests that the spammer may have been using stolen login credentials. It goes without saying that you should keep your Tumblr login safe, and also ensure that you use different logins for all sites. The recent spate of logins stolen and released in the wild should be ample illustration of why it is important not to use the same credentials for multiple sites.
Tumblr is definitely a hot property for scammers, and users should be very careful. We recently uncovered a phishing scam that lured users in with the promise of hidden pornography. Further exploration of the sites involved revealed up to 8,000 stolen accounts sitting on one of the phishing URLs. How many of those users recycle passwords on everything from email to Internet banking? And how long will it be before Tumblr-specific malware arrives?