NEWS FROM THE LAB - Thursday, November 25, 2010

Happy Spamgiving Day

Posted by Sean @ 18:19 GMT

It's Thanksgiving Day in the United States and most folks are probably at home with their families right now.

But somebody at Facebook security is probably on the job, because we're observing various spam runs on the site. Spammers are probably timing their efforts in an attempt to take advantage of holiday surfers.

It is fairly easy to locate spam links on Facebook using the search options at http://www.facebook.com/search/ and searching "Posts by Everyone" for terms such as "http:// omg".

You'll often get results such as this:

Facebook search results

With links that open Facebook Applications such as this:

This Girl Killed Herself After Dad Posted THIS on her Wall

And this:

Facebook search results

To this:

OMG Look What this Kid did to his School after being Expelled

And this:

Facebook search results

To this:

Boyfriend dies before her eyes in a terrible car accident

And this:

Facebook search results

To this:

This Girl killed Herself After her Husband Posted this on her wall

A TinEye reverse image search of the picture used by the "Girl killed Herself because of her Husband" application yielded three results, which link to blogs about a high school senior who killed herself after her boyfriend shared sexting photos.

The application's author "Trica" targeted a particular demographic, as you can see here:

Trica's activity

And what happens if you click on any of the applications?

You are prompted with a "Request for Permission":

Request for Permission

Permissions include basic information and e-mail. Perfect details to commoditize and sell off to e-mail spammers.

Name, age, gender plus e-mail equals targeted spam.

Facebook App Spam

The applications also want permission to "Manage my pages".

Facebook App Spam

That's a problem because if the spammer gains access to your Page, it can be used to spread even more spam, and to collect your Page's insight data.

This seems like something that Facebook really should change… we're generally comfortable with the application controls that are in place. To develop an application, you need to validate your account with either a phone number or a credit card. And each user must approve the request for permissions.

But really, how many applications need to manage your pages?!?

There really should be an extra account validation in place to develop that particular feature.

Several of the applications shown above are now offline, but we're seeing new applications spawning to take their place. Facebook's antispam team has a busy day ahead.

You can assist them by reporting any spam applications you find:

Report application

Happy Thanksgiving!

Enjoy your turkey, and we hope it doesn't come with a slice of spam.