Monday, May 31, 2010

Inside Facebook "Like" Spam

Update 6-1-10:  Looks like Download Squad caught the story now too.  They're calling it "likejacking." Cute. According to them, security experts have confirmed that this is simply an annoyance, and there appears to be no real security threat at this time.
----------

Be careful what you "Like" on Facebook - there's a new exploit someone out there has discovered, and it seems like people are falling for it in droves!

A couple hours ago, I was taking a look at my Facebook news feed, when I noticed some of the usual silliness:

[So-and-so] likes "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."

Eh, seemed like it could be funny, and I was bored.  So I clicked on it.  This brought me to an external website, with an empty white page with black text reading "Click here to continue".


Hovering over the text didn't show any destination URL in the address bar.  Naturally, I was suspicious, but since Macs are immune to most viruses, I clicked to see what would happen.

Nothing happened.  Or so it seemed, until my brother informed me that I now liked this page...

At this point, I felt a little silly, but also curious as to what was going on here...  how had the site made me Like something without clicking on a Facebook "Like" button?  And who was running these things anyway?

Well, I did some digging...

From the HTML of the "Continue" pages, it was fairly clear how the trick was working.  The words were just plain text - not even a link.  However, the pages also contained an HTML "IFRAME" which was used to embed the on-Facebook page that is used to confirm a "Like".  This page element was rendered invisible, and positioned underneath the page's text.  Any clicks on the words would pass through them, and into the actual "yes, I want to like this" button on Facebook.  Clever.
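For anyone who wants to check a saved page for this pattern, here is a small static scan, added as an illustration and not taken from the spam pages or from any tool mentioned in this post. It flags cross-origin IFRAMEs whose inline style makes them transparent; the function names, the 0.1 opacity threshold and the `.example` URLs in the sample are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    decls = (d.split(":", 1) for d in style.split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in decls}

def is_transparent(style):
    """True if the element is see-through but can still receive clicks."""
    css = parse_style(style)
    try:
        if float(css.get("opacity", "1")) <= 0.1:
            return True
    except ValueError:
        pass  # non-numeric value (e.g. a percentage); try the legacy check
    # Legacy IE syntax: filter: alpha(opacity=0)
    m = re.search(r"alpha\(\s*opacity\s*=\s*(\d+)", css.get("filter", ""))
    return bool(m) and int(m.group(1)) <= 10

class FrameAudit(HTMLParser):
    """Collects cross-origin iframes made invisible via inline style."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        cross_origin = urlparse(src).netloc != urlparse(self.page_url).netloc
        if cross_origin and is_transparent(a.get("style") or ""):
            self.findings.append(src)

def find_hidden_frames(html, page_url):
    audit = FrameAudit(page_url)
    audit.feed(html)
    return audit.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><body>
<p>Click here to continue</p>
<iframe src="https://social.example/confirm-like?page=123" style="opacity: 0; position: absolute"></iframe>
<iframe src="/comments.html" style="opacity:0"></iframe>
<iframe src="https://video.example/embed/1" style="width:400px"></iframe>
</body></html>"""
print(find_hidden_frames(SAMPLE, "https://blog.example/post"))
```

The scan only sees inline styles, so a frame hidden through a stylesheet rule or by script would not be reported. Frames set to `visibility: hidden` or `display: none` are deliberately ignored, since they cannot receive a click.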

The particular bit of spam I fell for was hosted on a Blogspot blog, but there were quite a few other popular ones, such as The Prom Dress That Got This Girl Suspended From School!  That one was hosted on thedatesafe.com/promdress.  When I went to the top-level, I found folders for several other similarly-set-up scams...  as well as a running tally page, at thedatesafe.com/stats.htm

Whoever runs this server has since locked it down, so you can't see these pages anymore.  But I was sure to take screenshots...


Cute.  This particular shot was taken around 11:50 pm on Sunday May 30th.  The one with over 130,000 "likers" is the prom dress one.  Six minutes later, the number had grown by another 6,000.  Facebook admins finally got wise and started blocking the page shortly after midnight.

I found similar scams spread across a number of domains:
  • Several Blogspot blogs, including girlownedbypolicelike.blogspot.com
  • thedatesafe.com - probably the main site, since that's where the stats page was located.  WHOIS information (a public registry of who owns what websites) was anonymized on this one.
  • mprosperstats.info - this one did have valid WHOIS info, but I won't post it here, since it's unclear whether the owner of this site is involved, or just an innocent victim who had their website taken over by spammers.  It would hardly be the first time.

I suppose it's possible that these are separate spammers, unrelated except in the method they use.  But I think they're all connected.  Facebook recently gained a feature that lets you "hover" the mouse over a link on the site to get some brief info on it - for example, if you hover over someone's name, you get their picture, and a list of some friends you have in common.

Hovering over these spam links also gives some info, including a picture... the same picture, across pretty much every one I have seen...


So uh.... anyone know this face?

6 comments:

Caitlin T. said...

Thanks for posting this. It's been all over my FB feed and I "liked" it without my consent too. Real classy. Even if FB has blocked it already, it's still visible everywhere.

Anonymous said...

This is why NoScript is fantastic; it has clickjacking detection.

MrPicco said...

Thanks for this post. I couldn't find an explanation anywhere else, and the research behind this post is more complete than most tech news stories.

Anonymous said...

So how do I delete these off my like list!??

The 2 I have on my like list are:

OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)!
Page

This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)!
Page

Nicole said...

@Anonymous:

Go to the page of the person/thing spamming you, and click "unlike" at the bottom of the left sidebar. I've also been reporting the pages as spam.

You may also want to go to the info page of your profile, and make sure that everything in the "like" section is something you actually clicked.

Unknown said...
This comment has been removed by a blog administrator.