Websense Is Facebook’s Bug (And Spam) Exterminator

Out of the 1-2 billion links shared each day on Facebook, plenty are bound to be spam. The social network just hired Websense to help with that. Here’s what they’re up to…

Websense Is Facebook’s Bug (And Spam) Exterminator


Facebook is a tricky place to play spam cop. Its whopping user base, and status as a global hangout where people connect–and share, share, share!–makes it a prime target for malicious attacks by spammers, phishers, and other web mischief makers.

A few weeks ago, Facebook became a safer place when it entered a formal partnership with Websense, a security company, and enlisted its ThreatSeeker Cloud to swat spam. The system checks every external link shared on Facebook. It’s a plum gig for Websense, but it’s also the first time that Facebook has given full access to a security company to check everything that goes up on the social network.

Websense has been working on cybersecurity for 15 years, constructing personal security products for the users of social networks like LinkedIn and Twitter, and various blogs and email servers. It protects documents on and off the cloud for big businesses, and develops products that keep networks safe.

In the past, Facebook (and companies like Google and Mozilla) have invited independent “exterminators” to make their sites and services bug-free. Non-Facebook employees who are security experts, for example, were invited to pick at Facebook’s innards and won rewards for spotting kinks in the system’s code as part of the company’s Bug Bounty program. Three weeks after their most recent “bug-a-thon” started, Facebook had paid out $40,000 in “bounties.”

To be fair, these security experts were working on a different class of bug, not spam or phishing issues necessarily–bug hunters were looking for systemic snags in the architecture of the code which would let security threats creep in and personal information seep out.

Websense’s role is to protect Facebook users from deliberate attacks introduced by users as external links. Because it has access to every link posted, ever, this approach decreases the risk of spam attacks getting out of hand, and offers a heightened level of security that could make the social network uniquely attractive to businesses who want to use it connect with customers but hesitated to do so because of security issues in the past.


Charles Renert, senior director of security research for Websense, told Fast Company:

“Over 60% of the customers we surveyed allow access to social networks. But in the next year or two, it’s going to to be in the 90s. [When businesses consider using Facebook more] this added data security layer is going to be crucial to allow broader access to their employees.”

Unlike threats on email servers, or an individual’s computer, where a user would need to download something to be attacked, spam threats on Facebook are shapeshifters. They can quickly spread from user to user via shares, and can exist stealthily for a very short time before disappearing. This makes larger corporations wary of using the service. They don’t want to expose their Facebook followers, or employees who access Facebook from work, to any security problems.

One of Websense’s recent clients, the Kennedy Center for Performing Arts, contracted the security company specifically so that employees could continue to use social networks at work, while keeping their machines risk-free.

Renert explains: “The kinds of attacks we’re talking about here are socially engineered–they might be videos, or a status update, or a link in a web-chat, that are designed to draw you in and type in a password. The degree of social engineering is higher [than with email].”

Facebook gets a few posts a day from a majority of its 750 million plus users. Analyzing an estimated few links per user, that’s somewhere between a billion and 2 billion links a day. Websense scans “more than several hundred million new links each day” in Facebook link traffic. It knows where each link comes from, geographically, and what sites the links lead to, then compares these links with a hit list of known villains. The Websense system notifies a user if their link is potentially dangerous, but the company still can’t see who the end users are–Facebook’s privacy policy keeps users’ personal info bolted down in this case.

While several hundred million to 2 billion links a day looks sizeable, that level of link policing is little more than a sneeze for a company with as much experience as Websense, Renert claims. Facebook’s big, sure, but it only makes up a small percentage–under 10%– of the traffic on Websense’s servers now, with the real-time recon on each link taking place in a matter of milliseconds.


The partnership between Websense and Facebook began as an app exercise four years ago. Websense created an app called Defensio, which individuals could buy for added protection of their Facebook page. (A version of Defensio now offers spam protection against blog sites like WordPress and some developer platforms.) The big difference now, with the Facebook-wide partnership, Renert says, is that Websense has a reach of the whole site. Also, it’s free to use.

In comparison, other social sites are still working without a global spam patrol. Twitter, which is used for pervasive link sharing, has given its recent link-shortening service the added responsibility of spam checking. The service checks a link posted on Twitter against a list of known threats. That spam-stop works with users on clients like TweetDeck, too.

Twitter does not have a comprehensive security watchdog partner like Websense at the moment, but a company representative emailed Fast Company to say that they are “always open to working with organizations and getting data feeds from groups that can provide us with more insight into bad actors.”

Renert sees an opportunity there. He believes that “other social networks could benefit from a broader security on their property,” and that could be particularly true of link-crazy Twitter.

[Image: Spam sushi, flickr user Bandita, and Bug, flickr user CJ Sorg]

Nidhi Subbaraman writes about technology and science. Follow on Twitter, Google+.