
Anatomy of a Facebook Spam: See Who’s Stalking You

It wasn’t how I planned to spend a Sunday afternoon.

I saw a “see who’s stalking you” genre post on a friend’s page and thought, “hmmm, is this still around?” A quick Google search revealed SEO-focused stories at Gawker (and other sites) … where the author shows you ways to legitimately see who has most recently viewed (“stalked”) your profile.

But I did not see any new (that is, within the past few days) posts, so I thought I would check it out. Carefully, of course! Curiosity, in this case, bit into my Sunday afternoon. But I’m sharing my experience (and lessons learned) so that you can safely exercise your curiosity!

See Who’s Stalking You

First step: I saw this message (names have been redacted to protect the innocent!)

Facebook - Who's Stalking You: Click 2 See Your Stalkers

I know that this isn’t possible.

You know it’s not possible.

But I thought (naively, as it turns out) that I would actually have to authorize something before anything “bad” could happen. So I clicked the link because it went to a Facebook page (which has subsequently been deleted, one assumes by Facebook):

This single act legitimizes this operation:

Facebook Spam: Your Hotest Checkers

The content made me go “huh?” (while I laughed at the spelling – “hotest”). “But, it’s a legitimate app,” I thought. “So let’s keep exploring.”

OK, there’s a bunch of javascript. Where does it go? I pulled the URL out of the code block and tested it — it went to a page that had a link to the js file (be careful – that page still exists). Here’s an example:


So I thought, OK, I’ll take the next step, and paste the javascript into Chrome. That act yielded this page:

Facebook Profile Viewer

I went no further. To recap:

  • I did not “like” the Facebook page that contained the spam
  • I did not click anything in the “Facebook Profile Viewer”

Despite my lack of overt authorization, I unwittingly gave this application “permission” to spam my friends.

Facebook: the spam post, as it appeared under my name

The spamming came from javascript that looked something like this (txt file).

Recovering From A Mistake

The first thing I did was head over to applications to de-authorize this one (account -> privacy -> applications is at the bottom left corner). That’s when I learned that it wasn’t a real application — because it wasn’t on the app list.

Now comes the hard part: reparations.

I went to my “recently interacted” friends list (the default view when you click “edit friends” — if there is any other way to see your entire friends list, please tell me).

One at a time, I opened each friend’s wall in a new window and deleted my post, if it existed.

After going through this group, I began working my way through my entire friends list … all the while, answering Tweets and FB posts advising me that I’d been hacked. Which was kinda-sorta true.

My post did not exist on every friend’s wall; it wasn’t even on every “recently interacted” friends list wall. I stopped counting at 15, but my guess is that fewer than 50 (probably a lot fewer than 50) friends were hit with the spam. One of them was, unfortunately, my sister, who also clicked. :-/

But along the way, I discovered that this thing — virus or what-have-you — is both widespread and is taking more than one form:

Facebook: one friend had LOTS of folks post the spam.
Facebook: Alternative Stalker Application

One of them used tiny.url in the spam; that link was terminated:

TinyURL Axes Facebook Spam
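The posts above all share the same ingredients: a “see who’s viewing your profile” lure, a link (often shortened), and in the worst case an instruction to paste JavaScript into the browser. As an added example (not code from the original post), here is a small scoring heuristic that flags such wall posts while letting an ordinary shortened-link post through; the sample posts and URLs are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample wall posts modelled on the lures described in this post.
# The URLs and the javascript: snippet are placeholders, not real payloads.
SAMPLE_POSTS = [
    "Click 2 See Your Stalkers!! http://tinyurl.com/EXAMPLE-placeholder",
    "OMG see who views your profile - Your Hotest Checkers! paste this in "
    "your address bar: javascript:(function(){...})()",
    "Facebook Profile Peekers - find out who's been looking "
    "http://www.facebook.com/pages/EXAMPLE",
    "Happy birthday! See you at the ride on Sunday.",
    "Check out my holiday photos http://tinyurl.com/EXAMPLE-photos",
]

# Lure wording seen across the "stalkers / checkers / peekers" family.
LURE = re.compile(
    r"your stalkers|who('s| is| has been)? stalking|"
    r"who('s| has)? (been )?(view|look|check)|hot+est checkers|"
    r"profile (peekers|viewer)", re.I)
SHORT_URL = re.compile(r"https?://(tinyurl\.com|bit\.ly|tiny\.url)/\S+", re.I)
ANY_LINK = re.compile(r"https?://\S+", re.I)
# The self-XSS tell: the post asks the reader to run code in their own browser.
PASTE_JS = re.compile(
    r"javascript:|paste (this|the code|it) (in|into) (your )?(address|url) bar", re.I)

# Weights: a lure phrase or a paste-JS instruction dominates; links only add.
SIGNALS = [(LURE, 2, "stalker/viewer lure phrase"),
           (PASTE_JS, 3, "asks reader to paste javascript"),
           (SHORT_URL, 1, "shortened URL"),
           (ANY_LINK, 1, "contains a link")]

@dataclass
class Verdict:
    post: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_post(text: str) -> Verdict:
    """Sum the weights of every signal present in one wall post."""
    v = Verdict(text)
    for pattern, weight, label in SIGNALS:
        if pattern.search(text):
            v.score += weight
            v.reasons.append(label)
    return v

def flag_spam(posts, threshold: int = 3):
    """Return the posts scoring at or above threshold (a plain short link scores only 2)."""
    return [v for v in map(score_post, posts) if v.score >= threshold]
```

Running `flag_spam(SAMPLE_POSTS)` flags the first three posts and leaves the birthday and holiday-photo posts alone, because a shortened link on its own is not evidence of a lure.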

Notes To Facebook

Given how many of these apps there are, and how easy it was to hijack my account, Facebook security must have a hole in it large enough to drive an 18-wheeler through. Plus, how in the world is someone able to paste javascript into a form text box in an iframe on a Facebook page?? And if those aren’t legitimate Facebook pages, how do they have Facebook URLs?

Here’s another example of a Facebook page with the javascript spam code in-page:

Facebook Profile Peekers: Another Spam Page

Dear Facebook, there’s a reason that doesn’t allow javascript on the site. You should take a page from their book … but not only should it not be possible to embed javascript in a Facebook page … Facebook should not be responding to commands that are executed via external javascript!

Moreover, I found it fascinating that when I was not logged into Facebook, Facebook warned me about every one of the spam links, even the one (above) that goes to a Facebook page. But when I was logged in, Facebook gave me no warning about the “Hotest” page.

Yes, I know the dangers of javascript … and because I know the dangers, and was still lulled into believing I could manage the risk, I feel a lot more charitable towards anyone who falls for the scam.

What I don’t “get” is what the spammers get out of this … there must be something in the “surveys” that leads to a pot of gold.

By Kathy E. Gill

Digital evangelist, speaker, writer, educator. Transplanted Southerner; teach newbies to ride motorcycles! @kegill

12 replies on “Anatomy of a Facebook Spam: See Who’s Stalking You”


Kevin, just had the same day you had here. Ack* And I was being so careful. Thanks for reviewing just how easily I was hoodwinked. I feel a little better now.

I thought it was odd you had posted on my FB wall. Luckily, I’m slow to respond and didn’t try to see it until today when it said “application error – this content is not available,” thankfully!

I got your little message on my wall, but I just marked it as spam, knowing you’d be soon well aware of it.

Hope that creepy EX leaves you alone, Kathy!
