Watching the battle between Facebook and Facebook spammers


I am watching the continuing battle between Facebook and Facebook spammers with detached amusement. When I see a spam link posted to a friend's Facebook wall, I like to go and figure out how they got fooled. Internet Explorer's InPrivate Browsing comes in handy here, because I can switch to InPrivate mode before visiting the site, so that the site can't actually cause any harm to my Facebook account since I'm not logged in and it doesn't know how to log me in.

The early versions were simply Web pages that hosted an embedded YouTube video, but they placed an invisible "Like" button over the playback controls, so that any attempt to play the video resulted in a Like being posted to your wall.

Another early version of Facebook spam pages sent you to a page with an embedded YouTube video, but they also ran script that monitored your mouse position and positioned a 1×1 pixel Like button under it. That way, no matter where you clicked, you clicked on the Like button.

A more recent variant is one that displayed a simple math problem and asked you to enter the answer. The excuse for this is that it is to "slow down robots", but really, that answer box is a disguised Facebook comment box. You can see the people who fell for this because their Facebook wall consists of a link to the page with the comment "7".

My favorite one is a spam page that said, "In order to see the video, copy this text and paste it into your Address bar." The text was, of course, some script that injected code into the page so it could run around sending messages to all your Facebook friends. The kicker was that the script being injected was called owned.js. (The spam was so unsophisticated, it made you copy the text yourself! Not like this one which puts the attack string on your clipboard automatically.)

I started to think, "Who could possibly fall for this?" And then I realized that the answer is "There will always be people who will fall for this." These are the people who would fall for the honor system virus.

Update: On May 20, I saw a new variant. This one puts up a fake Youtube [sic] "security" dialog that says, "To comply with our Anti-SPAM™ regulations for a safe internet experience we are required to verify your identity" by solving a CAPTCHA. (This makes no sense.) The words in the CAPTCHA by an amazing coincidence happen to be a comment somebody might make on a hot video. Because the alleged CAPTCHA dialog is a disguised Facebook comment box. The result is that the victim posts a comment like "so awesome" to their own wall, thereby propagating the spam.
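Each of the overlay tricks above relies on the spammer's page being allowed to put the Like button or comment box inside a frame it controls, so a site's defence for a widget it does not want overlaid is to restrict who may frame it. The following is an added example, not code from the original post or from Facebook: a small JavaScript check that takes a page's response headers (constructed sample values, with hypothetical origins) and decides whether a given embedder origin may frame it under a Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header.

```javascript
// Added example (not from the original post). Decides whether a page that hosts a
// Like-style widget may be framed by an embedder origin, from its response headers.

function parseOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.slice(0, -1), host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one frame-ancestors source expression ('self', 'none', a bare scheme
// such as https:, or a host source with optional *. wildcard) against an origin.
function sourceMatches(src, self, embedder) {
  if (src === "'none'") return false;
  if (src === "'self'") return sameOrigin(self, embedder);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.slice(0, -1).toLowerCase() === embedder.scheme;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
  if (!m) return false;
  const scheme = m[1] && m[1].toLowerCase();
  const hostExpr = m[2].toLowerCase();
  if (scheme && scheme !== embedder.scheme) return false;
  if (hostExpr.startsWith('*.')) {
    const suffix = hostExpr.slice(1);           // e.g. ".partner.example"
    return embedder.host.endsWith(suffix) && embedder.host.length > suffix.length;
  }
  return hostExpr === embedder.host;
}

// True if a page on embedderOrigin may frame the page served from pageOrigin
// with these response headers (header names matched case-insensitively).
function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const self = parseOrigin(pageOrigin), emb = parseOrigin(embedderOrigin);
  const get = name => { const key = Object.keys(headers).find(h => h.toLowerCase() === name); return key && headers[key]; };
  const csp = get('content-security-policy');
  if (csp) {
    const fa = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors\b/i.test(s));
    // When frame-ancestors is present it takes precedence over X-Frame-Options (CSP Level 2+).
    if (fa) return fa.split(/\s+/).slice(1).some(src => sourceMatches(src, self, emb));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(self, emb);
  // ALLOW-FROM is obsolete and ignored by modern browsers; any other value, or no header, leaves the widget frameable.
  return true;
}
```

Constructed sample headers such as `{ 'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" }` make the check return false for an unrelated origin and true for the site itself or a partner subdomain; a page with no policy at all returns true, which is exactly the condition the overlay tricks need.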

Comments (18)
  1. Adam Rosenfield says:

    It's the dancing bunnies problem (http://www.codinghorror.com/…/the-dancing-bunnies-problem.html).  People will do anything to see the dancing bunnies.

  2. David Walker says:

    I have been a computer programmer for a long time… but I never used Facebook, or MySpace.  I don't have, or want, a cell phone, Blackberry, or iPhone.  I read books on paper, not on an e-book reader.  I do, however, buy most of my books online (and some of them in a local store).

    Facebook used to look interesting, but alongside the battle between users and spammers, there's a battle between privacy advocates and Facebook itself, regarding how much of your personal information to make public, with users seemingly caught in the middle.  I avoid all of it.

  3. NB says:

    Why bother with the "1×1" pixel under mouse cursor trick? Couldn't the spam-code just directly execute the "like" action itself instead if it can do such things?

    [I don't know, but my guess is that invoking the Like action directly is blocked by anti-XSS measures. -Raymond]
  4. prunoki says:

    My old time favourite was the attachment received by email with the name yahoo.com

    I know real old timer veterans who fell for it, because they thought it was a link and not a .com file.

  5. PlexMan says:

    @David Walker

    I hear you brother.  Software developer, ahem, programmer for 30 plus years.  Could care less about social websites and computers in a phone form factor.

    Phone = device with ability to communicate whilst mobile.

    Touch Screen Tablet = finger prints on an awkward to type underpowered computer device.

    I'll keep my "regular" sized laptop for now.

  6. Daniel says:

    I know you're a Microsoft employee and all but visiting a known hostile website with IE, really? I mean really?

  7. Michael says:

    @Daniel, nowadays, I see more malware infections through Firefox than IE.

  8. JustSomeGuy says:

    I particularly liked the guy who couldn't be bothered expending the effort to find a computer-based exploit and instead just placed the following text at the bottom of the spam mail: "Please forward this email to everyone in your address book". Classic! Although, given the intelligence of some people I've met, this may well have worked :-)

  9. Cheong says:

    @NB: Image buttons click event returns coordinate if invoked by real user click. On javascript invoked click, the returned coordinate would be (-1, -1). I think the Facebook server would easily ignore that.

  10. steveg says:

    @David Walker/PlexMan: you're the next generation of dinosaur. Just like my dad swore it was better when you wrote your code on sheets and handed that to the typists ("programming isn't typing").

    Nothing wrong with being a dinosaur, admit it, embrace it, run with it.

  11. Larry Hosken says:

    This post inspired me to "Like" the Raymond Chen fan page ( http://www.facebook.com/…/197611262851 ). I can only hope I don't get thereby pwned.

  12. Worf says:

    Thank god for NoScript in firefox. Anyhow, IE on Vista/7 tends to be safer because it runs as low integrity, and drive-by downloads are harder to actuate as the downloaded file can either run as low integrity, or get passed in as a higher integrity process but out of reach of low integrity processes. So they can either run it with limited privileges, or save it.

    The way most people do it is by violating integrity – plugins that manage to spawn higher integrity processes. E.g., bugs in a rather common PDF viewer plugin and their "98% of the web uses it" web enrichment plugin. (That a particular fruity company refuses to allow on the mobile devices, and many mobiles running a robotic OS can, crappily).

  13. Gabe says:

    David Walker: I know somebody who's got you beat. She only reluctantly created a Facebook account when she became an employee of the company!

  14. 640k says:

    IE on windows 2008/R2 is even safer in the default crippled mode.

  15. 640k says:

    And in EU a browser isn't even distributed with the OS, that's super-safe!

  16. David Walker says:

    Well, I probably wouldn't really want to work for Facebook….  :-)  And yes, I used to walk to school, uphill both ways.  Actually, I took the school bus.
