Facebook CEO Mark Zuckerberg speaks in September. The site's large user base makes it a hacker target.

Story highlights

Facebook porn spam casts light on site as a target for hackers

Security analyst says the site could do more to prevent attacks

Facebook calls security a top concern, has rolled out multiple prevention initiatives

The site also has sued spammers, leading to millions in court penalties

CNN —

The wave of pornographic and violent images that flooded Facebook over the past few days has drawn attention to a side of the social networking mega-site most of its users don’t think about:

Facebook is a coveted prize for hackers.

“It’s hard to put it into perspective as to how good a job they’re doing (at preventing spam), because they have a giant target on their back,” said Chester Wisniewski, a senior analyst with security firm Sophos. “They have a giant target on their back with the user base they have. Every spammer’s got a dream of catching them.”

In this week’s attack, a hack that exploited security flaws in some Web browsers sent images of porn, Photoshopped pictures of celebrities in compromising positions and images of intense violence to millions of users, according to Facebook. Users apparently were duped into copying malicious code into their browser windows, helping the images spread.

Many Facebook users were outraged by the fact that porn made its way onto the social network. On one hand, the offensive images call into question Facebook’s ability to rein in spam as it becomes more popular. On the other, it’s a counterintuitive testament to Facebook’s spam-fighting abilities that users were surprised to see these nasty images showing up on the social network.

If this happened on e-mail, after all, no one would blink.

Less than 4% of the content shared on Facebook is spam, Facebook says. Compare that with e-mail, where a whopping 89% of content is spam, as CNN partner site Mashable reports.

Less than 5% of the site’s members experience spam on any given day, Facebook said in October. Meanwhile, only 0.06% of its 1 billion log-ins per day are compromised, the site says. (Of course, that’s still 600,000, so someone could shade that number to make it sound minuscule or huge, depending on intent.)

To Wisniewski, the way Facebook responds to spam and other hacks is a mixed bag. Generally, he says, they’re quick to jump on the big problems but slower on the day-to-day stuff.

“If it’s malware-related … scams and spam and things like that … they’re pretty good about it,” he said. “They’re very conscious about the fact that they don’t want their users to be infected.

“But with the survey scams and things, they don’t seem to be that effective.”

Facebook, of course, is far more likely to agree with the former point than the latter.

Spokesman Andrew Noyes says that, on a site under virtually constant attack, the Facebook team is constantly working to protect its users.

“We believe the security fight requires a multipronged approach,” he said. “In addition to our dedicated legal team, Facebook also has security experts and engineers focused on the integrity of the site. We’re continuing to build systems to prevent and respond to spam attacks. Our User Operations team also works around the clock to identify problems and assist those affected.”

Noyes said Facebook’s security team has identified the hackers behind this week’s attack and is “working with our legal team to ensure appropriate consequences follow.”

In recent months, the site has launched several public tools and initiatives trying to stay ahead of the inevitable attacks.

Last month, Facebook announced two tools it’s testing: Trusted Friends and App Passwords. Trusted Friends would help users get back into their account if their password is changed without their knowledge. App Passwords would add a layer of security when users approve third-party apps.

This summer, Facebook launched a “Bug Bounty” program that pays people for reporting security problems, and a suite of security tools rolled out in May includes “clickjacking” protection and remote log-ins. In January, users got the ability to surf Facebook with a secure browser setting.

“We work regularly with analysts, engineers, fraud experts, and security investigators to prevent abuse, defeat criminals, and help maintain Facebook as a trusted environment,” Noyes said in an email.

In fact, there are some built-in advantages to the way Facebook works that help keep the level of spam lower than with e-mail, a relative Wild West for spammers and scammers.

As he pondered upcoming changes to Facebook messaging last year, Craigslist founder Craig Newmark noted in a blog post that the site’s requirements for creating an account help.

“The deal is that a Facebook identity (profile) pretty much ensures that there’s a real person behind it,” Newmark wrote. “It’s possible to fake a Facebook identity, but it’s a fair amount of work, way more expensive than getting a new Gmail or Hotmail account.”

While acknowledging those efforts, Wisniewski says there are still some holes in Facebook’s security game.

A major one, he says, is the Facebook app development process.

Facebook CEO Mark Zuckerberg has publicly celebrated the millions of third-party app developers registered with the site. But that means there are millions of people who get expanded access to Facebook data just for paying a nominal fee.

“Because Facebook doesn’t verify anything about you or have any human review process at all … we see these guys create hundreds of developer accounts for the same scam,” he said.

Wisniewski also wishes Facebook would add additional layers of security every time users start up an app.

“If they really want to get a grip on this, there are a few things they could do – but the things they could do, by Zuckerberg’s worldview, would slow down innovation.”

All that said, Facebook has a track record of aggressively going after scammers and spammers once they’re caught.

In August, self-proclaimed “Spam King” Sanford Wallace was indicted in a California court. Two years ago, Facebook sued him and a federal court ordered hi