The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Thursday, July 09, 2009

Tagged.com ups the ante, phishes more aggressively

Two years ago, I wrote about the social networking site tagged.com and the way they were phishing for users' email accounts and passwords in order to rope more users into signing up on their site so they could phish for their email accounts and passwords and so on and so forth.

The article received a fair bit of buzz, and it looks like the problem is still ongoing.

A month ago, a Time Magazine reporter wrote about how he had been duped into visiting Tagged by a false email, supposedly from a former colleague, claiming that the colleague had posted photos on Tagged. The reporter logged onto Tagged and was phished of his email credentials. The photos he had come to see had never existed. Everybody on his contact list was then sent more fake emails inviting them to look at more non-existent photos.

Yesterday, ABC News had an article reporting that the New York attorney general's office is now investigating Tagged for identity theft in violation of New York state law.

From the article:
[Deputy counselor and special assistant to New York Attorney General] Benjamin Lawsky told ABC News that the attorney general's office believes Tagged.com's messages constitute a "really virulent form of spam" and that the actions were not likely a mistake -- and, he says, even if they were, the activity went on for more than three months and had the blessing of the company's CEO, even after the site received complaints.
Tagged is now on notice that it will be sued by the attorney general's office unless they can come up with a good reason why they shouldn't be.

Meanwhile, Tagged CEO Greg Tseng has posted a blog article assuring their readers that they would never, ever do something like this on purpose, that it was all a terrible mistake which they corrected as soon as they were notified.

Update: The Attorney General's office has a press release. In the AG's words:
Between April and June this year, Tagged sent tens of millions of misleading emails to unsuspecting recipients stating that Tagged members had posted private photos online for their friends to view. In reality, no such photos existed and the email was not from their friends. When recipients of these fraudulent emails tried to access the photos, they were forced to become a new member of Tagged. The company would then illegally gain access to their personal email contacts to send more fraudulent invitations.
...
Tagged made their invitational emails appear to have been sent directly from members’ personal email accounts, instead of from Tagged.com. The emails falsely stated that “[name] sent you photos on Tagged.” If a member had added a personal image to the website, Tagged also included that picture in these fraudulent email solicitations. Many consumers were unaware that Tagged accessed their email contact lists.
Greg Tseng, founder of Tagged, has responded on his blog again:
... In no instance did Tagged access a person’s personal address book without their consent and no emails were sent without the person giving us permission. We realize that some were confused and accidentally agreed to invite their friends. We are truly sorry for any inconvenience or frustration that these people experienced
It's not entirely clear to me how Tagged plans to explain the fake "so-and-so posted a photo for you" emails, when no such photo even exists. I look forward to hearing their explanation for it.