We blogged recently about Facebook malware that spreads by promising to tell you who has viewed your profile. It seems that this is one of the most successful ways to interest users and get them to follow otherwise suspicious instructions. As with most Facebook attacks, messages are spread from friends, with the result that recipients completely trust the message or wall post. This time, the wall post looks like this:
- AMAZING! My FB wall has been visited 2022 times
- Boy views: 425.
- Girl views: 1597.
- Check yours @: http://apps.facebook.com/—-
Splitting the views into “girl views” and “boy views” is a new touch. The link points to a promising Facebook application page. Since it’s an application, it will first ask users if they’ll allow it to access basic information. The application name now changes to “Flash Mail”.
Of course users want to know how many boys and girls viewed their Facebook wall. So, yes! Of course, they will allow it. The “top stalkers” application then appears to load but is blocked seconds later by a “security check” screen:
So the “Flash Mail” app has been allowed to access basic information and to post on the user’s wall – but now there’s a 30-second test to “prove you are human”. At this point there are many nagging doubts about this process, but it’s only “a 30-second test”, so many users will proceed with the “love thermometer test” (since they really want to know how many people have viewed their wall…).
The page that loads next doesn’t look anything like a “security test”:
At this point the real destination of this process becomes clear – someone wants your mobile phone number. Note the fine print at the bottom. “you will be subscribed…”.
To summarize the fairly elaborate process:
- How many boys and girls have been looking at your profile
- Authorize the app “flash mail”
- Start viewing “top stalkers” but then…
- … Complete a “love-thermometer/security test”
- Download an IQ test
- … by providing your mobile number
- (and sign up for some service you didn’t want)
Meanwhile, back on the original Facebook app page, the user is still expected to complete the survey and it seems like the app is stuck forever.
At this point it’s clear that users won’t know who’s been viewing their profile – but that’s not what their friends will think. The following post now appears on the user’s wall courtesy of the “flash mail” application:
Note the subtle changes in the text when compared with the example above – designed to outwit Facebook’s spam filters:
- Text: SHOCKING! My Facebook wall has been visited 2022 times
- Boy views: 815.
- Girl views: 722.
- Check yours @: http://apps.facebook.com/—-
Since the user has allowed the application to post messages on their wall, other friends will now see this link and the process that leads to the mobile phone commissions can start again.
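The two wall posts quoted above differ only in the attention-grabbing adjective, the brand spelling (“FB” vs. “Facebook”) and the view counts, which is exactly the kind of variation a keyword-based spam filter misses. The following script is an added example, not code from the original post: it canonicalizes a wall post by collapsing those variable parts into placeholders, so both quoted variants reduce to one template, and falls back to a key-phrase score for rewordings that drift further. The sample posts are constructed from the text above, with the application path (which the post truncates) replaced by a placeholder.

```python
import re

# Constructed sample wall posts: the two variants quoted in the post above
# (application path replaced by a placeholder), a looser rewording, and a
# benign post that must not be flagged.
SAMPLE_POSTS = [
    "AMAZING! My FB wall has been visited 2022 times\nBoy views: 425.\n"
    "Girl views: 1597.\nCheck yours @: http://apps.facebook.com/EXAMPLE-APP-PATH",
    "SHOCKING! My Facebook wall has been visited 2022 times\nBoy views: 815.\n"
    "Girl views: 722.\nCheck yours @: http://apps.facebook.com/EXAMPLE-APP-PATH",
    "OMG my wall has been visited 3010 times!! Boy views: 900 Girl views: 2110 "
    "see here: http://apps.facebook.com/EXAMPLE-APP-PATH",
    "Had 12 people over for dinner last night, amazing food at the new place on Girl St.",
]

# Adjectives a spammer swaps in and out between copies of the post.
HYPE_WORDS = ("amazing", "shocking", "wow", "omg", "unbelievable")


def canonicalize(text: str) -> str:
    """Collapse the parts of a post that vary between copies (case, links,
    numbers, brand spelling, hype adjective, punctuation) into placeholders."""
    t = text.lower()
    t = re.sub(r"https?://\S+", "<url>", t)                  # the app link
    t = re.sub(r"\d+", "<n>", t)                              # view counts
    t = re.sub(r"\b(fb|facebook)\b", "<brand>", t)            # "FB" vs "Facebook"
    t = re.sub(r"\b(" + "|".join(HYPE_WORDS) + r")\b", "<hype>", t)
    t = re.sub(r"[^a-z<>\s]", " ", t)                         # punctuation
    return re.sub(r"\s+", " ", t).strip()


# Canonical shape of the scam post; both variants quoted above reduce to this.
SCAM_TEMPLATE = canonicalize(
    "AMAZING! My FB wall has been visited 2022 times "
    "Boy views: 425. Girl views: 1597. Check yours @: http://apps.facebook.com/x"
)

# Looser signal for rewordings: count the template's key phrases that survive
# canonicalization, plus one point for a link into the Facebook app namespace.
KEY_PHRASES = ("wall has been visited", "boy views", "girl views", "check yours")


def scam_score(text: str) -> int:
    canon = canonicalize(text)
    hits = sum(1 for phrase in KEY_PHRASES if phrase in canon)
    has_app_link = re.search(r"https?://apps\.facebook\.com/", text, re.I) is not None
    return hits + (1 if has_app_link else 0)


def classify(text: str, threshold: int = 3) -> str:
    """Return 'scam-template' for an exact canonical match, 'scam-variant'
    for a rewording that still scores above the threshold, else 'ok'."""
    if canonicalize(text) == SCAM_TEMPLATE:
        return "scam-template"
    if scam_score(text) >= threshold:
        return "scam-variant"
    return "ok"


def triage(posts):
    """Classify a batch of wall posts."""
    return [classify(p) for p in posts]


if __name__ == "__main__":
    for post, verdict in zip(SAMPLE_POSTS, triage(SAMPLE_POSTS)):
        print(f"{verdict:14s} {post.splitlines()[0][:60]}")
```

The point of canonicalizing first is that the filter compares the shape of the post rather than its exact words: changing “AMAZING” to “SHOCKING” or 425 to 815 no longer produces a new, unseen message. The score-based fallback catches posts that drop or reorder a phrase, at the cost of needing a threshold that is tuned against normal wall posts.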
This is a typical example of successful social engineering. Facebook users should be aware (and spread the word): There is no such thing as a profile view application for Facebook.