Anatomy of a Facebook Spam: See Who’s Stalking You
It wasn’t how I planned to spend a Sunday afternoon.
I saw a “see who’s stalking you” genre post on a friend’s page and thought, “hmmm, is this still around?” A quick Google search revealed SEO-focused stories at Gawker (and other sites) … where the author shows you ways to legitimately see who has most recently viewed (“stalked”) your profile.
But I did not see any new (that is, within the past few days) posts, so I thought I would check it out. Carefully, of course! Curiosity, in this case, bit into my Sunday afternoon. But I’m sharing my experience (and lessons learned) so that you can safely exercise your curiosity!
See Who’s Stalking You
First step: I saw this message (names have been redacted to protect the innocent!)
I know that this isn’t possible.
You know it’s not possible.
But I thought (naively, as it turns out) that I would actually have to authorize something before anything “bad” could happen. So I clicked the link because it went to a Facebook page (which has subsequently been deleted, one assumes by Facebook):
This single act legitimizes this operation:
The content made me go “huh?” (while I laughed at the spelling – “hotest”). “But, it’s a legitimate app,” I thought. “So let’s keep exploring.”
I went no further. To recap:
- I did not “like” the Facebook page that contained the spam
- I did not click anything in the “Facebook Profile Viewer”
Despite my lack of overt authorization, I unwittingly gave this application “permission” to spam my friends.
Recovering From A Mistake
The first thing I did was head over to applications to de-authorize this one (account -> privacy -> applications is at the bottom left corner). That’s when I learned that it wasn’t a real application — because it wasn’t on the app list.
Now comes the hard part: reparations.
I went to my “recently interacted” friends list (the default view when you click “edit friends” — if there is any other way to see your entire friends list, please tell me).
One at a time, open each friend in a new window and delete my post, if it exists.
After going through this group, I began working my way through my entire friends list … all the while, answering Tweets and FB posts advising me that I’d been hacked. Which was kinda-sorta true.
My post did not exist on every friend’s wall; it wasn’t even on every “recently interacted” friends list wall. I stopped counting at 15, but my guess is that fewer than 50 (probably a lot fewer than 50) friends were hit with the spam. One of them was, unfortunately, my sister, who also clicked. :-/
But along the way, I discovered that this thing — virus or what-have-you — is both widespread and taking more than one form:
One of them used TinyURL in the spam; that link was terminated:
Notes To Facebook
An iframe on a Facebook page?? And if those aren’t legitimate Facebook pages, how do they have Facebook URLs?
Moreover, I found it fascinating that when I was not logged into Facebook, Facebook warned me about every one of the spam links, even the one (above) that goes to a Facebook page. But when I was logged in, Facebook gave me no warning about the “Hotest” page.
What I don’t “get” is what the spammers get out of this … there must be something in the “surveys” that leads to a pot of gold.