NEWS FROM THE LAB - Thursday, June 30, 2011

Tricky New Facebook Spam Technique Posted by Sean @ 20:53 GMT

We've (re)discovered an interesting new run of Facebook CPA survey spam.

It uses this subject line: This girl killed herself after her dad posted a secret of her on her fb wall.

The spammer used this template two weeks ago and it then linked to a webpage hosted at thedominio.info.


Today, the spam links to apps.facebook.com. Directly to a Facebook app, very interesting…

It's been quite some time since we've seen a direct link to an app. In their constant cat and mouse battle with Facebook, spammers have long been forced to use short URL services and other redirection tricks.

Let's see what's new.


The spam uses the same image, subject and description, but links to an app. This benefits the spammer in two ways. First, it reduces his overhead because he needs to maintain fewer external resources. Secondly, reputation services such as Web of Trust rate apps.facebook.com as safe, so there are likely to be fewer warnings about the link.

We've detected three applications so far.

  •  girl1 — http://apps.facebook.com/storynumb/
  •  girl2 — http://apps.facebook.com/girlstoryyl/
  •  girl3 — http://apps.facebook.com/seeingstoey/

But there's not much to see from those apps. If the Facebook user clicks on the link, the application will immediately redirect them to url-linkay.tk where this "video player" is displayed (thedominio.info now redirects to url-linkay.tk.).

If nothing appear just click many times on the play button , it will redirect you to story page.

This part is a typical clickjacking using a transparent frame to hide the Facebook like plugin button.

Clicking on the play button "likes" the page and spreads it to your Facebook News Feed.

Firefox users with NoScript installed will get this ClearClick Warning dialog which shows the contents of the transparent frame.

NoScript � ClearClick Warning

Users without some sort of clickjacking protection will be redirected back to Facebook, to another app page.

  •  all the story — http://apps.facebook.com/allthestorylive/

This app hosts the CPA survey that the spammer profits from.

This particular spam template pulls its content from www.promotiontrack.mobi.

Please verify your identity

Attempting to close the tab/page generates the follow dialog:

Leave this Page

"Help keep this content free." WTH? Please… what "content"?

Somehow the app works without actually adding itself to the user's Facebook profile.

While it doesn't appear to spread as quickly as some other spam templates, based on the number of active users, the spammer may still have earned himself a couple of thousand of dollars.

all the story

We'll be sending additional details to Facebook's security team so they can fix the "feature" that allows for this technique.

Updated to add on July 1st: The spam template is now pulling its content from www.impressionvalue.mobi.