Facebook scam with a difference - Social Tagging Worldwide avoids rogue apps

Filed Under: Facebook, Privacy, Social networks, Spam

Vigilant Naked Security reader Mike Greer, of Cedar Park, Texas, has brought the latest Facebook "profile viewer" scam to our attention.

We write regularly about this sort of scam, which is common on Facebook, on Twitter, and even on both at the same time.

One of the reasons people fall for these scams is that they promise to provide what sounds like useful data - a list of the people who are most interested in your activities. In particular, most of the scams imply that anyone who is stalking you is likely to end up at the top of the list of people who check your profile.

(Of course, the people at the top of the list might equally well be your closest and most trusted friends. But profile view scams sell better on fear than on comfort.)

Most scams of this sort persuade you to install a rogue Facebook application and give it permission to access your account. But this latest scam, centred around a Facebook community called Social Tagging Worldwide, takes a different approach.

The Social Tagging Worldwide page is much more direct. It tries to trick you into pasting JavaScript directly in your browser and running it. Naturally, this bypasses any checks which Facebook might apply to the script if it were served up from, or wrapped inside, a web page sourced from Facebook itself.

Claiming to be "The Official Profile Viewer Application", the page offers you a link which brings up a Facebook dialog asking you to "complete a 5 second security check to confirm you're a Facebook user":

The instructions sounds pretty simple, and - unlike many other Facebook scams - don't involve asking you to take a survey as proof that you aren't a computer. The instructions may vary depending on your browser, but will look something like this:

The trick is that you aren't cutting-and-pasting any sort of unique ID into your browser's address bar. You're actually pasting a piece of Javascript and asking your browser to run it for you:

This script fetches another script - one intended to run inside pages presented by Facebook. Indeed, if you paste the offending "unique ID script" into your browser's address bar whilst you're on a site other than Facebook - e.g. Naked Security - you'll see a warning that the script needs to come from Facebook itself:

But if your browser is on the original Social Tagging Worldwide community page - which is hosted by Facebook.com - and you are logged into Facebook, the pasted script runs as if it were hosted on facebook.com. Your browser thinks - indeed, effectively knows - that you're on Facebook, because that's the domain of the URL you are currently visiting.

The offending script in this case is designed to invite all your friends to join a specific Facebook group. No need for a rogue application.

The moral of this story is simple: BE CAREFUL WHAT YOU PASTE INTO YOUR ADDRESS BAR.

When you explicitly enter a piece of JavaScript, you're effectively authorising your browser to run that script in the context of the site you've just visited. You are effectively bypassing any sort of cross-site scripting protection which either the remote site - in this case, Facebook - or your browser might have in place.

Cross-site scripting is where you trick your browser into running a script from site Y as if it were officially from site X. Pasting a script into the browser side-steps any cross-site scripting protection because there isn't really any "cross-site" behaviour - you're manually injecting a script into site X and thus authorising it to run yourself.

Incidentally, if you do go through with the instructions in this scam, things proceed rather predictably.

You're asked to perform another "proof that you are human" test, and this time - I'm sure you've guessed already - you need to take a survey. The survey offers a prize - I'm sure you've guessed already - of an iPad or an iPhone:

And to win the prize - I'm sure you've guessed already - there's a cost. The advance fee you'll pay to enter the "competition" depends on your location.

I'm in Singapore right now, where I was expected to send a pricy SMS and agree to accept SMS marketing:

By the way, there's a simple, non-technical, rule which will protect you from almost all scams of this sort:

IF IT SOUNDS TOO GOOD TO BE TRUE, IT IS TOO GOOD TO BE TRUE!

Make sure that you stay informed about the latest online scams. Join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

While you're about it, why not check out our Facebook security best practice guide? Learn how to protect your privacy and identity on Facebook.

, , , , , , , ,

You might like

9 Responses to Facebook scam with a difference - Social Tagging Worldwide avoids rogue apps

  1. PinoyTechHub · 1199 days ago

    Thanks for the information, I almost became one of the victims of this malicious code.

  2. Randy Carpadus · 1199 days ago

    I had this one show up but knew when I hit a redirect and that off FB page that it was fake. Does someone who has followed instructions need to "fix" anything once they've run the script?

  3. Jo Sirius · 1199 days ago

    my friends and i still keep getting notifications/invite to this thing :( is there a way to stop it or remove it?

  4. Matt · 1199 days ago

    CPALead, again.

  5. 1381 · 1196 days ago

    Yes i was infected with this... Does this do any harm on computer itself? Like deleting files or extraction?

  6. Jacob · 1195 days ago

    There is a new exploit: tagging in status updates. It's already growing exponentially... I can barely stop it :/

  7. Paul · 1191 days ago

    If you have been hit by this check you settings for "what I share with apps" settings as it resets them to default settings even if you did not use it.

  8. Bruce Fontaine · 1187 days ago

    does it cause Internet Explorer Scxript Error popups with questionable URL links?

  9. Ron · 1185 days ago

    Text scams may be stopped just like other unwanted text messages from companies & such by texting & sending off the word STOP.Not sure what else to say but this seems to be the universal solution.Facebook is popular so scammers see this as a huge opportunity to take advantage.Good luck & be vigilant.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog