Facebook worm - John C. Kirk — LiveJournal

Jun. 2nd, 2010

07:51 pm - Facebook worm


If you see a Facebook update from one of your friends, saying that they "Like" something, be careful before you click on the link. There's a dodgy worm (virus) going around, and I've seen a couple of people get caught out by that today.

Here's an example of what you'd see on your home page:

[Screenshot: Recent Activity]

I know some people on Facebook who "Like" several pages a day, e.g. Walking away from explosions without looking at them or Lying About Your Age to Pay Less. They're harmless enough, but they also seem pretty pointless, so I just ignore them. In this case, the person in question is a lot more selective, so this was basically an endorsement: if he liked it, it's worth my time to click on the link.

When I did, I was taken to this page:

[Screenshot: Passport letter]

This looks like a standard letter, so presumably the funny bit is on the next page. It said "Click to read why the guy was rejected", so I did. However, it then asked me to fill in a survey:

[Screenshot: Human verification system]

I'm not that interested in reading the passport story, and I don't want to start giving out my details to all and sundry, so I abandoned it. However, when I tried to close the tab, this window popped up:

[Screenshot: "Are you sure?" pop-up]

Normally I'd say that it's best not to click any buttons in these pop-ups: use the X in the top-right instead. However, the X didn't work, and nor did Alt-F4, so the only way to get rid of it was to click "OK". (I'm using Internet Explorer 8; other browsers may handle this better.)

So, that was all a waste of time. However, the real problem is that it added itself to my profile. Any of my friends would now get a status update saying "John likes The Best Passport Application Rejection In History! LMAO." That would encourage them to click on it, and so the cycle continues. What's really sneaky is that I didn't see this update on my home page: I had to go to my profile page, and scroll down to "RECENT ACTIVITY" to find it and remove it.

There seem to be a few of these things doing the rounds, and this was actually the second one I encountered today. The first one (from a different friend) said that he liked "Paramore n-a-k-ed photo leaked!" I'd never heard of Paramore, but apparently it's a rock band. The person who "Liked" this isn't the type of person who reads lads' mags (e.g. Nuts), so I assumed that he had another reason for liking it, and I took a look. That led me to this page:

[Screenshot: "Over 18?" warning]

I'm over 18, so I clicked through the warning. I then got the same survey page that I mentioned above, so I abandoned it.

In both cases, the person who "Liked" the page wasn't aware that they'd done it until I contacted them. It can be a bit fiddly to get rid of these things afterwards, but Sophos have some tips.

As far as I can tell, simply clicking on the original link is safe. However, if you click on the following page (e.g. "Are you over 18?"), that's using a hidden Facebook widget to update your profile. If you're a techie, and you're feeling brave, you can go to these pages and look at the JavaScript for yourself:
"Paramore n-a-k-ed photo leaked!"
"The Best Passport Application Rejection In History! LMAO."
(The Register refer to this as "clickjacking".)
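The defence against this kind of hidden-widget trick sits with the page being framed: a site that sets a framing restriction header cannot be loaded inside another page's invisible iframe at all. The following is an added example, not code from the post or from Facebook, that audits response headers for those restrictions. All origins and header values in it are constructed samples; the `https://*.partner.example` wildcard handling is a simplified reading of the CSP matching rules.

```javascript
'use strict';

// Added example (not from the original post): audit a page's HTTP response
// headers for the framing restrictions that stop a third-party page from
// loading it inside a hidden or transparent iframe. All origins and header
// values below are constructed samples.

// Extract the source list of a CSP frame-ancestors directive, or return null
// when the header is missing or has no such directive.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes from keyword sources such as 'self' and 'none'.
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does a single CSP ancestor source permit embedderOrigin to frame pageOrigin?
function sourceMatches(src, pageOrigin, embedderOrigin) {
  if (src === 'self') return pageOrigin === embedderOrigin;
  if (src.startsWith('https://*.')) {
    // Wildcard host: https://*.partner.example matches any https sub-domain.
    return embedderOrigin.startsWith('https://') &&
      embedderOrigin.endsWith(src.slice('https://*'.length));
  }
  return src === embedderOrigin;
}

// Assess whether a document served with `headers` from pageOrigin can be
// framed by a document from embedderOrigin. CSP frame-ancestors, where
// present, overrides X-Frame-Options, matching modern browser behaviour.
function framingAssessment(headers, pageOrigin, embedderOrigin) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  pageOrigin = pageOrigin.toLowerCase();
  embedderOrigin = embedderOrigin.toLowerCase();

  const ancestors = frameAncestors(lower['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('none')) return { framable: false, reason: "CSP frame-ancestors 'none'" };
    if (ancestors.includes('*')) return { framable: true, reason: 'CSP frame-ancestors *' };
    const allowed = ancestors.some((src) => sourceMatches(src, pageOrigin, embedderOrigin));
    return { framable: allowed, reason: 'CSP frame-ancestors ' + ancestors.join(' ') };
  }

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: pageOrigin === embedderOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { framable: true, reason: 'no framing restriction; clickjacking possible' };
}

// Constructed sample responses (not real sites).
const SAMPLE_RESPONSES = {
  unprotected: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspPartner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspNoneWinsOverXfo: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" },
};

// Run every sample against an untrusted embedder and return name -> framable.
function auditSamples(embedderOrigin) {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = framingAssessment(headers, 'https://site.example', embedderOrigin).framable;
  }
  return results;
}

console.log(auditSamples('https://attacker.example'));
```

Two caveats worth keeping in mind. A "Like" button is designed to be embedded on other people's pages, so the service that provides it cannot simply forbid framing; only pages that should never appear in a frame (account settings, confirmation screens) benefit from this check. And at the time of the post the only header of this kind was X-Frame-Options, which Internet Explorer 8 already honoured; the CSP frame-ancestors directive arrived in later browsers.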

By the way, since I abandoned both pages at the survey stage, I don't know whether either of them actually has a real "reward" at the end. However, even if they do, it's not worth dealing with this worm to get to them.

I don't think that either of these pages is doing any real damage. However, they probably get access to your profile information while you "Like" them, which could be used for identity theft. It's also possible that future versions of this worm will be a bit more dangerous.

The key point here is to be cautious. Don't trust endorsements from your friends, including me! I (briefly) liked both of these pages, but you shouldn't click on them just because I appeared to like them. The downside to this is that legitimate pages will get tarred with the same brush. For instance, yesterday I saw an update from another friend, who liked the "BBC: Profile picture experiment". As far as I can tell, that one is completely legitimate, but I only know that because I clicked through to it.

The solution may be for people to use their own words: if I see a status update that matches someone's normal speech patterns, the chances are that they really wrote it, rather than a bot impersonating them. That's more work than clicking "Like", but if it encourages people to be selective then that's no bad thing. In other words, do you actually like this thing enough to spend 10 seconds typing a blurb for it? If not, there's no need to mention it.

Date:June 2nd, 2010 07:01 pm (UTC)
If that was me (the BBC profile picture experiment), then yes, it was intentional, and it better be legit - I got to the FB page from a bbc.co.uk page (with BBC editorial authority, i.e. not user-contributed).

Date:June 2nd, 2010 07:11 pm (UTC)
Yup, you were the one I was thinking of, and I'm glad that you did it on purpose. However, I think I'll hold off for a while before I do the same.

Date:June 2nd, 2010 11:30 pm (UTC)
The solution may be for people to use their own words: if I see a status update that matches someone's normal speech patterns, the chances are that they really wrote it, rather than a bot impersonating them.

I agree, for now this is generally the case. Within the next 5 or 10 years however, I imagine there'll be enough samples of our personal writing on the net that it'll be feasible to use Markov chains to spoof us. Particularly for short simple things like link recommendations.

Enjoy the current world while it lasts - the next one is coming! ;)

Date:June 3rd, 2010 09:58 am (UTC)
There's also the option to google it first.

Date:June 3rd, 2010 10:51 am (UTC)
That's true, although there will always be a time lag before new versions of this get reported (and a further lag before Google finds/indexes them). For instance, if I search for the "naked Paramore" phrase, the first page of Google results is now all warnings. However, if I search for "The Best Passport Application Rejection In History! LMAO." then I only get 6 results, and the 2nd result is the dodgy page. Doing a more general search, e.g. "passport application rejection" (without quotes), returns loads of results: a couple of them are the same scam again, and most are completely irrelevant.

For now, I just want to make people aware that this is a problem, so that they can be wary of "X likes Y" in general.