Be careful what you "Like" on Facebook - there's a new exploit someone out there has discovered, and it seems like people are falling for it in droves!
A couple hours ago, I was taking a look at my Facebook news feed, when I noticed some of the usual silliness:
[So-and-so] likes "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
Eh, seemed like it could be funny, and I was bored. So I clicked on it. This brought me to an external website, with an empty white page with black text reading "Click here to continue".
Hovering over the text didn't show any destination URL in the address bar. Naturally, I was suspicious, but since Macs are immune to most viruses, I clicked to see what would happen.
Nothing happened. Or so it seemed, until my brother informed me that I now liked this page...
At this point, I felt a little silly, but also curious as to what was going on here... how had the site made me Like something without clicking on a Facebook "Like" button? And who was running these things anyway?
Well, I did some digging...
From the HTML of the "Continue" pages, it was fairly clear how the trick was working. The words were just plain text - not even a link. However, the pages also contained an HTML "IFRAME" which was used to embed the on-Facebook page that is used to confirm a "Like". This page element was rendered invisible, and positioned underneath the page's text. Any clicks on the words would pass though them, and into the actual "yes, I want to like this" button on Facebook. Clever.
The particular bit of spam I fell for was hosted on a Blogspot blog, but there were quite a few other popular ones, such as The Prom Dress That Got This Girl Suspended From School! That one was hosted on thedatesafe.com/promdress. When I went to the top-level, I found folders for several other similarly-set-up scams... as well as a running tally page, at thedatesafe.com/stats.htm
Whoever runs this server has since locked it down, so you can't see these pages anymore. But I was sure to take screenshots...
Cute. This particular shot was taken around 11:50 pm on Sunday May 30th. The one with over 130,000 "likers" is the prom dress one. Six minutes later, the number had grown by another 6,000. Facebook admins finally got wise and started blocking the page shortly after midnight.
I found similar scams spread across a number of domains:
- Several Blogspot blogs, including girlownedbypolicelike.blogspot.com
- thedatesafe.com - probably the main site, since that's where the stats page was located. WHOIS information (a public registry of who owns what websites) was anonymized on this one.
- mprosperstats.info - this one did have valid WHOIS info, but I won't post it here, since it's unclear whether the owner of this site is involved, or just an innocent victim who had their website taken over by spammers. It would hardly be the first time.
I suppose it's possible that these are separate spammers, unrelated except in the method they use. But I think they're all connected. Facebook recently gained a feature that lets you "hover" the mouse over a link on the site to get some brief info on it - for example, if you hover over someone's name, you get their picture, and a list of some friends you have in common.
Hovering over these spam links also gives some info, including a picture... the same picture, across pretty much every one I have seen...
So uh.... anyone know this face?