by Jason Ding – Barracuda Labs
Many Facebook users have the same burning questions – who viewed their Facebook profile? And who viewed them the most?
Facebook has officially explained on its FAQ page, that such functionality is not provided either through its own platform nor other third party applications. However, the desire to for answers to these questions has grown continuously in last few years, generating lots of “business” opportunities for scammers and phishing attackers.
The scam uses curiosity as the hook to trick Facebook users into spamming their social networks. We bring out the Facebook Profile scam under the light again to explore it’s evolution on this giant social platform.
Remember several click-jacking attacks on Facebook last year? Attackers used Facebook Open Graph API to create a big “like” button on a video screen to trick users into liking the page and then redirect them to register other affiliate paid services. Such scam techniques are old now, and it is easy for user to get rid of: simply removing the related posts.
A new trend of scam, more advanced than click-jacking, has just started to become popular on Facebook. It also uses the “profile viewer” curiosity as the hook but creates Facebook apps to gain users information and permissions to post. The whole process works as follows.
Several photo posts are initially created with many tagged users and a bit.ly shortened link in the photo description.
Following the shortened link, it redirected several times (via a AWS S3 file, zoomdamx.com, and tikoroom.com), and then landed on a Facebook application permission page.
(click for larger image)
To install this profile viewer app “My Match”, you have to give certain permissions: basic information, access to photos and post on your behalf. Once you allow these permissions two things happen: a) you will be redirected to a non-Facebook page requiring to take a survey to unlock the real app and b) a new album will be created in your pictures with the same scamming photo within which all your friends are tagged.
(click for full size image)
Now, all of your friends will see this photo and may be get tricked as well. To unlock the app, we need to fill the survey. No big surprise, lot of affiliate advertisements and paid services are required to finish.
(click for full size image)
This is the interesting part now. If you clicks the link in your new photo auto-posted by this “My Match” app, another application also called “My Match” asks your permission. It seems that this particular app is able to generate new apps of its own kind on demand. Very sophisticated.
(click for larger image)
Fortunately, it is not the case. After several permission requests, we found this scam only has limited alternative paths to lead victims to a pool of pre-created scam applications, trying to avoid the detection from Facebook and other malicious analysis services. Here are the four applications:
http://www.facebook.com/apps/application.php?id=215925598521769
http://www.facebook.com/apps/application.php?id=291003840984532
http://www.facebook.com/apps/application.php?id=163011840492520
http://www.facebook.com/apps/application.php?id=257527217679114
Whenever this app is used (even not finishing a survey), a new album tagging all of your friends will be created, along with another bit.ly URL in the description, trying to trick new victims. See the album page in the following image, captured when we tried to find all these “scam” applications. I’ll bet all of my friends are upset.
(click for larger size image)
Obviously, compared to click-jacking, this new scam is more advanced and has more impact on your network. Even more serious is the fact that the apps owners can access and control more information revealed by you. Meanwhile, these scam apps obey the ToS of Facebook: they only post given permissions.
To avoid detection or banning, the attacker used several intermediate URLs for redirection: 1) a bit.ly shortened URL, 2) a Amazon S3 URL, 3) two newly registered domains. The two transitional domains zoomdamx.com and tikoroom.com are both recently registered with an India address on April 25, 2012 and May 1, 2012, respectively.
To stop you and others being victims of this app-jacking scam, two actions need to be taken: revoke the permissions for “My Match” and remove all auto-posted albums. Go to Account Settings after logging in Facebook, click Apps on the left panel, and then click “Edit” link for every “My Match” app. Now click “Remove” link first to remove all post made by this app, and then click “Remove app” link to revoke the permission.
(click for larger image)
To summarize, click-jacking is old news now. This app-jacking might be a new trend for scammers for a while, until Facebook takes strong actions to scrutinize app creation.
Leave a reply
