Facebook 'Girls Must Be Watch Out Of Her mind' photo-tagging scam - the lessons to learn

Filed Under: Data loss, Facebook, Privacy, Social networks

Naked Security readers have asked us once again to warn of a rapidly-spreading photo-tagging scam on Facebook, this time with the grammatically curious title This Girls Must Be Watch Out Of Her mind After Making This Video.

Here's one wise Facebook user's advice:

We first wrote about this sort of scam back in April. Just look at the Request for Permission dialog from a typical rogue application:

Let's look at those permissions:

* Access my basic information. That seems OK, since you're agreeing to share information which you've shared already.

* Post to my Wall. This lets an application act as if it were you. Think about this: it can post anything, about anyone, linking to anywhere, in your name. You are giving the application the right to offer statements and opinions on your behalf, without asking you. That's an awful lot of power.

* Access my data any time. Combined with the previous permission - to speak on your behalf - this is very close to giving the application a power of attorney over your Facebook account. Do you ever really want to do that?

* Access my photos and videos. This effectively removes any privacy controls you enjoy over images of your personal life.

Now that Facebook has universally enabled its facial recognition service, whereby your friends can tag you in photos in which Facebook suggests you appear, photo-tagging has really taken off.

And a new way of abusing the abovementioned power of attorney is open to rogue Facebook applications: deliberately tagging you in images in which you don't appear.

In this latest scam, which borrows a long-running prurient Facebook meme about "Girl must be out of her mind," you appear to be tagged in a pornographic, or at least semi-pornographic, movie, which is then recommended to your friends.

Of course, this raises two questions about Facebook's facial recognition. Firstly, now it's universally enabled, why does it allow you to be tagged in photos in which you obviously don't appear? (The April scam I linked to above tagged you in photos of food which contained nothing even vaguely resembling a human face.)

Secondly, is it really acceptable to allow tagging without the permission of the taggee? Back in March, we wrote about a judgment in the Kentucky courts which decided that the law does not require the taggee to be asked. But is that a good enough standard for Facebook to follow?

Facebook will notify you when a friend tags you, but I'd love to see that changed to a stricter default. You should be notified and be asked to approve the tag before it is accepted by the system.

Lastly - and this shouldn't really need saying, but I shall say it anyway- DON'T APPROVE FACEBOOK APPS, TAKE SURVEYS, OR PROACTIVELY LIKE ANYTHING in return for access to a video.

If you really must see for yourself whether This Girls Must Be Watch Out Of Her mind After Making This Video, why don't you just search for it on YouTube, thus sidestepping the Facebook scammers entirely?

Or learn a touch of restraint, because it goes a long way towards improving your security online. In short, THINK BEFORE YOU CLICK.

Keep abreast of the latest Facebook security threats by joining the 100,000 strong community up on the Sophos Facebook page.

PS. My apologies for SHOUTING above. But we ought to know better by now!

, , , ,

You might like

8 Responses to Facebook 'Girls Must Be Watch Out Of Her mind' photo-tagging scam - the lessons to learn

  1. Adrienne · 1526 days ago

    personally facebook shouldnt allow tagging of photos if you are not the one who put them up to begin with, its a pet peeve of mine that ppl can tag your photos it really needs to be a security issue. same with being able to right click and save that shouldnt be allowed either.

  2. John Culp · 1526 days ago

    It's being widely used for Facebook spam, with ads mainly for shoes spreading as tagged pictures.

  3. Totally agree with the article. Facebook gives away too much information to outsiders. They said they respect your privacy... It's actually a nightmare.

  4. Livaco · 1526 days ago

    I agree that people should be able to approve tags before they are applied to photos. However I have an issue with the idea that fb should use the face recognition technology to not allow a tag on a picture that "in which you obviously don't appear?". Do you really want fb to determine if a picture really looks like you? What if it's a baby picture, or you in a Halloween costume? Or you just don't look enough like yourself??

    Before I turned off the ability to do so, fb tagged me in pictures of a fb friend's ten year old niece. (I'm 47). We have similar glasses & facial structure, but still....

    • Paul Ducklin · 1525 days ago

      You ask, "Do you really want fb to determine if a picture really looks like you?"

      That is exactly what Facebook's facial recognition _is_ doing.

      If it looks like you, your friends get invited to tag it as you - a sort of "reverse CAPTCHA", where Facebook's guesses are confirmed or denied by the subsequent response.

      If Facebook has technology to detect that a picture is highly likely to be you, why not it the other way around, and say it's probably _not_ you, and thus help to inhibit completely bogus tagging?

  5. Paul Moody · 1526 days ago

    This is the reason why I'm closing my Facebook account and moving to Google+...

  6. Paul Kay · 1525 days ago

    "If you really must see for yourself whether This Girls Must Be Watch Out Of Her mind After Making This Video, why don't you just search for it on YouTube, thus sidestepping the Facebook scammers entirely?"

    Can one be sure that clicking on a video in You Tube will never take you to a scam site? Can and does You Tube control that all the links that appear on it are honest?
    IOW is Google much more secure in general than Facebook? (This post isn't intended as some kind of irony; I'm genuinely ignorant and curious.)

    • Paul Ducklin · 1525 days ago

      In my experience, clicking on a link which looks like this: http://www.youtube.com/watch?v=ColiD7puWDA

      ...has only ever taken me to a YouTube-hosted video. (Whether the video contains content you are happy to watch is a separate issue.)

      My point was not so much to suggest that YouTube is X times more secure than Facebook, but simply to remind people that the videos referenced in Facebook scams _are almost always already available openly on YouTube_.

      In other words, the entire mechanism of the scam - getting you to install an app, requiring you to take a survey, forcing you to like something before you've seen it - is almost always redundant anyway.

      If the scam actually does bother to show you the suggested video (many don't even bother to do that!), it almost always takes you to a YouTube URL. This just highlights how scammy the entire process is - it's a bit like getting suckered into paying a third party $35 to provide you with a passport application form when you can simply download it for free directly from the Passport Office's website.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog