Link sharing spam on Facebook

I just saw a link on Facebook that I somehow had to interact with. It featured a not-that-dressed girl and said “Wanna C Something Hot?”/“Want 2 C Something Hot?” or some variation of this. Well, clicking the link sent me to an external site featuring a single button and the same image urging me to click it. When clicked, I ended up on some porn site. But why would several of my friends post links to this site, which incidentally sent me to a porn site? Well, as I soon after saw on Facebook, I had just posted the same link on my own wall for all my friends to see. How?

It is a “simple” case of clickjacking: the site tricks you into clicking a Facebook share button by disguising it as some other button. Please read on for the full description.

UPDATE 2009-12-2: “Press the button or dog dies”/“Push the button or this dog dies” (located at pressthebuttonordogdies.com, but don’t go there) is a new such site. The target website is “thisblogrules.com” and the measures used are a little different, but all in all it is the same trick.

Furthermore, I have used bit.ly to track how much these links have been used so far on Facebook, and the numbers are pretty striking: the “hot” girl has been shared almost 59,000 times and the poor dog has been shared 5,309 times as of this writing. You can see the direct stats from the Facebook link.getStats API here: Something Hot and Or Dog Dies

The original post looked like this (taken from my own feed):

Don't go to this page if you see this post

The page it linked to was http://3dvv.com/somethinghot/ (don’t go there, nothing to see) and looks like this:

The page tricking you to share the link

When you press the “button” you actually press this (shown here with the opacity of the iframe set to 1 instead of 0):

The real button that you actually press kind of looks like a Facebook button, right?

The trick here is that they use the layout of this page for sharing the link (safe to go to, just don’t actually press the share button): http://www.facebook.com/share.php?u=http://3dvv.com/somethinghot/. They include this page inside an iframe that is offset far enough to the left and to the top (negative coordinates) that only the share button remains visible in the corner, here (no need to visit): http://3dvv.com/somethinghot/ngr.php, which looks simply like this:

How to only show the share button by iframing the share.php page

If we remove the size constraints on that iframe, the whole bottom corner of the share page becomes visible, like this:

The rest of the share cutout with the button in the corner

Well, this is not all. To prevent the page from simply redirecting to wherever Facebook normally sends you after sharing a link, the page with only the share button visible is wrapped in yet another iframe, which intercepts the redirect Facebook issues and replaces it with their own redirect to the actual target (porn) site.
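As an added example (not code from the original post or from the sites it describes), here is a small Python checker that flags the pattern explained above in a page’s HTML: an iframe pointing at facebook.com/share.php that is made invisible (opacity 0) or shifted off-screen with negative offsets. The sample page, its URLs and its pixel offsets are constructed for the example; the real spam page is not reproduced.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Share endpoints that have no business being embedded in a third-party frame.
SHARE_ENDPOINTS = {"www.facebook.com": "/share.php", "facebook.com": "/share.php"}

# Constructed sample page: a hidden, offset share.php frame next to a benign embed.
SAMPLE_PAGE = """
<html><body>
<img src="bait.jpg" alt="constructed bait image">
<div style="position:relative">
  <iframe src="http://www.facebook.com/share.php?u=http://spam.example/page"
          style="position:absolute; top:-410px; left:-780px; opacity:0"
          scrolling="no"></iframe>
</div>
<iframe src="https://www.youtube.com/embed/constructed" width="560"></iframe>
</body></html>
"""

def parse_style(style):
    """Turn 'opacity:0; top:-410px' into {'opacity': '0', 'top': '-410px'}."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            prop, value = decl.split(":", 1)
            out[prop.strip().lower()] = value.strip().lower()
    return out

def px(value):
    """Numeric part of a CSS value such as '-410px' or '0'; None if not numeric."""
    try:
        return float(value.replace("px", ""))
    except ValueError:
        return None

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def analyze_html(html):
    """Return one (src, reasons) finding per iframe that looks like a hidden share button."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        url = urlparse(src)
        reasons = []
        if SHARE_ENDPOINTS.get(url.hostname) == url.path:
            reasons.append("frames a share endpoint")
        style = parse_style(frame.get("style", ""))
        opacity = px(style.get("opacity", ""))
        if opacity is not None and opacity < 0.1:
            reasons.append("nearly invisible (opacity %s)" % style["opacity"])
        for prop in ("top", "left", "margin-top", "margin-left"):
            offset = px(style.get(prop, ""))
            if offset is not None and offset < 0:
                reasons.append("shifted off-screen (%s: %s)" % (prop, style[prop]))
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in analyze_html(SAMPLE_PAGE):
        print(src, "->", "; ".join(reasons))
```

The benign YouTube embed in the sample produces no finding; only the offset, transparent share.php frame is reported, with one reason per hiding technique.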

All in all, it is a very clever albeit strictly illegal way of using the Facebook sharing functionality for viral spamming purposes.

What can Facebook do about it? One option would be to stop share.php from being embedded in iframes via a simple piece of JavaScript, but that might break desired functionality elsewhere. Alternatively, they could shift the placement of the share button slightly on different page loads, but that could probably be circumvented by detecting the position of the button via script, so it isn’t a viable solution. Or they could require the user to type a captcha before being able to post links to sites not posted before, but that creates a lot of other problems (and a good scammer could simply require the user to answer the captcha as well as click the button; users would do that). I’m sure Facebook can think of something, though.

What can you as a user do about it? Nothing really. Only click on “links” on foreign pages that you know for sure are legitimate and that you trust that your friends really did post on their own. But it is pretty hard to protect against. It really is Facebook’s job to make sure this doesn’t happen.

Please share this with everyone!

Update 2009-11-24: Several sites report this as an example of CSRF/XSRF (Cross-Site Request Forgery), and most use this AVG blog post as their source. Not that it really matters, but it is not XSRF; it is clickjacking. There is a slight difference, the main one being that the countermeasures are very different.


Category: General, HTML, Security, Trends
