We already had online virusses and worms, now we got paraSites too.
The word ‘parasite’ comes from the Greek ‘parasitos’ (but then in Greek) which means ‘person who eats at the table of another’. In general we use parasite to refer to “an animal or plant that lives in or on a host; it obtains nourishment from the host without benefiting or killing the host”. I first heard of web paraSites on the APWG mailing list, used by Russ McRee from Microsoft (working at Live Messenger looking for malware and phishing sites) to refer to a sites which are:
“service” offerings designed to see who has blocked or deleted your IM alias from their messaging contacts. These sites always have significant disclaimer language, and often disclose that they will send SPIM (SPam over Instant Messenger) to your contacts if you enter your Live ID credentials.
One such example he gives is finecommunity.com which bluntly asks for your Microsoft Live ID and has a very dry Terms Of Use at the bottom of the page, which nobody ever reads, and which ends with:
To unsubscribe from our services you just need to change your Windows Live password.
This is all too familiar on the Twitterverse. Due to the lack of a decent authentication api for Twitter (until recently, they now support oAuth, but the damage has been done), a lot of Twitter related services have popped up asking for your Twitter username and password. But even besides Twitter, other social networking sites would ask for your Gmail or Hotmail credentials to “find your friends” and “invite them”. This isn’t phishing (for your credentials), they just ask them from you so they could “help” you. There have been plenty of instances where these services would add spammy content and links to for example your Twitter stream, or send out emails to your contacts, automatically (because that’s part of the service they offer). Those too are what you could call paraSites, living off of your account.
Even right before I started writing this post I encountered such instance: the HP Touch the Future Now contest, which tells you to twitter about the future (or rather answer some weekly questions on Twitter) in order to win and asks for your Twitter username and password. The T&C doesn’t say anything about spamming your Twitter account. It does say if you don’t provide the required details, you’re disqualified. And that it may pass your personal information to related bodies corporate and agencies assisting with the contest. But why would they need your Twitter username and password? Just tell people to tweet and reply to @hp_<whatever>. Would you trust HP with your Twitter username and password? Didn’t people get bitten before by one of those other “services” wanting your credentials? This might well be a lack of understanding of social media on the part of HP and their marketing team, and they actually mean no harm (as in they won’t spam your Twitter stream). Or at one point in time they might just suck the life out of your Twitter account!
