I’m a Spammer. All I want you to do is click something. Load a page, at worst fill out some details and sign up to something. Ultimately I want your contact details. I want them in order to bait you into action – whether you realise it or not.
There is nowhere on the net, not even the walled garden of Facebook where nefarious spam do’ers cannot create a dastardly unsolicited deed. While Facebook has stellar spam detection and requires a concerted effort to achieve success with spam, it is still the most spammed social network.
Here are a few of the tactics I’ve used, and some scams and ruses also circulating in Facebook.
Junk memes and page trading
Virality Mills are to Facebook what content farms have been to Google.
The problem is so great that Facebook is considering demoting certain types of content deemed low quality or junk via the recently deployed anti-meme news feed algorithm.
It’s possible to buy, sell and rent Facebook pages. A 1.5m liked page is going for $30000.00 or at the cheaper end of the scale is a 520 like page for $10. For page buyers the risks are obvious: you do not own the page. Facebook does. The content is also licenced in perpetuity to them. As soon as an item is shared FB claims full rights. If nothing is shared, you can download your content and everyone go separate ways. But that is not how it works in the FB-World.
Pages are traded, and then used to seed other more legitimate brand pages, or direct traffic outside Facebook to websites. Such is the demand to make money on Facebook using its easily gamed referral traffic that there is no shortage of people looking to buy pages.
Until now, the more likes and shares, the more valuable Facebook consider the content. The content is pushed higher up people’s newsfeed, in turn meaning more people click links and visit sites hosting the content (and adverts). Newsworthy content is then left to lag behind ephemeral sites like Gawker, Buzzfeed and Upworthy (a whopping 43K average likes per post). But these sites are under threat from an algorithm update. When Google deployed the so called “Panda” algorithm update, Demand Media’s traffic from Search was obliterated. The same fate may be imminent for sites in the sharenomics spectrum.
Until the news feed algorithm update happens promoted and sponsored stories remain the only sure short way to be surfaced in the news feed and Facebook knows it.
Whaling
One of the earliest tactics for spamming Facebook was to build massive accounts with up to 5000 friend limit – interestingly, unlike MySpace, Facebook curtailed the number of connections permitted. A whale account meant it was possible to spam the contacts via message, event invites. The most prolific method of making money was to download your Facebook connections user email addresses then go after them offsite.
In the early days of Facebook I could also upload a spreadsheet of 5000 email addresses and invite those who had not made the leap from Myspace to come and join me over at the new kid on the block. And because Facebook users were still in a Myspace mode, they would accept such a random invitation from a stranger. We were in a pre “friendscaping” world. And today, Facebook still promotes “invite your friends from Hotmail/Yahoo” etc.
However, since the introduction of Facebook Pages the notion of whaling has become less prevalent with basic accounts, and shifted wholly to Pages where brands are whaling fans in return for competition prizes and giveaways in return for a like or customer data.
Email spam
Although email addresses are slightly obfuscated, it is possible to export users’ personal email addresses from Facebook. Conversely there is a new method used to spam directly in to Facebook without ever actually friending anyone.
Using the spam-to-email method is fairly straightforward. There is an established way to export account data to Microsoft Excel or directly into an email account, from where your old pals would be ready to target.
My favoured method is to export a whaled account’s contact list to Yahoo and then use Yahoo to send unsolicited email.
Facebook now allows users to receive messages from outside the walled garden via incoming email. This opened up a new method for spamming. Consequently when I want to spam-to-Facebook message centre I merely add the username to @facebook.com and hit “Send”! www.facebook.com/yourname for instance, becomes yourname@facebook.com
Name hijacking
Sign up to Facebook using someone else’s email as the primary mail address. Set up an account but never verify the account. It was a loop-hole, with few limits for not verifying the account.
For instance, then TechCrunch Editor Michael Arrington famously “was” Google CEO Eric Schmidt on Facebook, with all the friend hype that goes with being the a top CEO. http://techcrunch.com/2010/10/10/being-eric-schmidt-on-facebook/
The same system still exists in Twitter. You can not only be who you want on the internet, you can also use their email without authorisation.
By using someone else’s email to register the contacts associated by Facebook (or Twitter) with that email become linked to your account.
We might call this Address Book Jacking. Long before you actually arrive on Facebook they know who you are; by virtue of the fact that your contacts uploaded their address book. In that sense, Facebook knows who to alert when you register with the name jacked email address.
Email and name blocking is more an annoyance for the holder of those credentials, but the possibilities are available to do serious reputational damage to that person, or their friends via Spear Phishing.
In June 2012, the opportunity to squat went with the introduction of phone number verification.
Likejacking
One of the more insidious and wildfire types of spam within Facebook is Likejacking. These are the spam attacks which leave users with embarrassing updates the like of: “Dad Walks In on Girl – N4k3d”, “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE”, “[SHOCKING] At 14, she did that in the public school” or other shock, salacious, or brutality promising videos.
At one point Likejacking videos made up 15 percent of all videos on Facebook.
How they work: a site is shared within Facebook with an image that is made to look like a video. Clicking the video image takes the user to an outside website which is loaded with a hidden iframe – this is an invisible layer – on a site. Oftentimes the site will say: “Click to access”, and on clicking the user has “liked” the page. That like is then shared to the victim’s Facebook wall and the victim might see a film, or be presented with a few more hoops, loops and holes to traverse.
These spam attacks can dump hundreds cookies for affiliate schemes, ad-tracking programmes or they direct the victim to open a cyber-locker, complete a quiz, solve a CAPTCHA, or fill-out an online survey. Whatever the scam, the end game is to generate revenue for the spammer while compromising the victim’s identity – name, age email, address et al. Some Likejacking sites have been found to deploy drive-by viruses.
There is an even craftier reverse to likejacking: the likes are generated on a 50-50 share. When the victim clicks the link within Facebook, they land on the target site which 50 per cent of the time loads a like button for that page, and 50 per cent of the time for another domain. The surplus likes are then sold on “like exchange” pages or like farms.
Survey scams
A more straightforward clickjack tactic designed to get a person’s data while making money from their form filling labour are survey scams – the close cousin of US Lottery Win email spam.
The survey scams are usually attached to the promise of a free iPad, holiday or the perennial money-off UK supermarket voucher scam.
The ends are always the same: steal the victim’s details, receive payment from affiliates to reach completed survey then post to the victim’s timeline to recruit more pawns.
Spam the new certainty
Of course Facebook does not exist in an online vacuum where the old rules don’t apply, but having learnt what not to click in email it would seem the simple action of “liking” a status update has moved people to lower their guard. Does liking a status update really help cure cancer, or get a kid a new liver? With the level of gullibility comes opportunity to scam. And as the maxim states, people have two certainties in life: taxes and death. Or was it three, with spam the new definite?
