Security Response

JaseZone? More like FakeZone.

Created: 25 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:46 GMT
Silas Barnes

We all know that there is a certain amount of risk we have to accept when we place personal information on a Website, including the possibility that someone may use that information without our explicit permission. We also know that social networking sites are becoming increasingly popular as more and more people enjoy the convenience with which to re-establish and maintain contact with long lost friends, distant relatives, and work colleagues. Well, now it seems as though you don't even have to go to the trouble of signing up for a profile with one social networking site or even provide content - they can do it for you!

Douglas Rushkoff, an author and documentarian from the United States, was momentarily confused when he started receiving a sudden burst of NDR (non-delivery report) emails informing him that a number of emails he had previously sent could not be delivered - particularly when he did not remember sending any such emails. And these particular emails all appeared to share a common subject and message body:

Subject: Join my network in the JaseZone
I'd like to add you to my network in the JASEzone.
- Douglas (Rushkoff)
Learn more about me: 1/18/2008 9:15:57 PM

Clicking on the "Learn more about me" link in the body of the email directed Mr. Rushkoff to his "JaseZone profile," consisting of his picture, his date of birth, and a direct copy of his biography from his personal Web site. The profile even contained the date and time of his apparent last login onto the JaseZone site.

Mr. Rushkoff contacted the administrators of JaseZone via email to request an explanation regarding this social networking profile he had never created nor requested. In one of their responses the JaseZone representative commented that they were "able to Google your (Mr. Rushkoff's) name from your voice mail and within two clicks able to gain your contact information." So it seems they are more than happy to describe some of their information gathering techniques used to collect victims' personal details. But they do not seem as happy to provide an actual explanation of how profiles are created without the knowledge of the victim and why, in this case, emails purporting to be from Mr. Rushkoff have been sent to a number of random email addresses.

JaseZone appears to be creating user profiles by scraping the information from victims’ personal sites, blog entries, and other online submissions. This is followed by a spam emailing run in an attempt to try to increase the number of visitors to the site, probably for revenue generation via advertising. The apparent inability of users to send external emails from within the JaseZone system lends more support to the argument that the invitation emails have been sent by JaseZone rather than the user themselves. And while it is possible that someone unrelated to JaseZone created this account in Mr. Rushkoff's name, the fact that the profile information was directly copied from the victim's personal Web site suggests that this is not the case. A range of active JaseZone accounts share the same characteristics - they appear to be carbon-copies of information obtained from the victims' legitimate Web sites.

These kinds of activities will become more prevalent as social networking sites continue to rise in popularity. We must never forget that once we make information about ourselves publicly available online, we lose exclusive control of that information.

Symantec contacted JaseZone to request further information on how JaseZone profiles are populated and also for information on the mechanism with which registered users can invite friends to view their profiles. We haven't yet received a reply.