Posted by theharmonyguy in Facebook

Update: I strive to maintain accuracy on my blog and spend time verifying issues before posting them. However, further investigation has led me to question whether my understanding of applications automatically accessing “publicly available information” is actually correct. I plan on doing more thorough research this weekend on such access and will update this post accordingly.

Update 2: See my full correction.

Original Post

I’ll admit, I was intrigued. Facebook informed me that a good friend had become a fan of a page proclaiming that “94% of the people fall asleep immediately when seeing this picture”. That would be quite a picture. Who wouldn’t want to give it a shot? Over 270,000 people must have agreed, since that many people gave in to the page’s demand that you become a fan before seeing the amazing photo. In the past I’ve simply ignored such scams, but this time, I did a bit of investigation and became intrigued once more.

I’ve come across many pages and applications that promise a tempting reward if you simply complete a few steps, which usually involve authorizing the app or becoming a fan of the page (I refuse to say “fanning the page”) and then inviting all of your friends to do the same. Rewards include tracking all visitors to your profile or getting a nice gift card. I would argue that it doesn’t take much evaluation to figure out why such scams are bogus, but untold Facebook users fall prey to them daily. Next time you’re tempted by a Facebook free lunch, remember that authorizing an application grants the developer access to all of your private info. Becoming a fan isn’t quite as drastic, but as you may have discovered, that’s rarely the last step in such offers.

Let’s get back to the hypnotizing pic. When you first load the page, it opens a tab tantalizingly entitled “THE PICTURE”. Ah, but before the powerful picture loads, you have to complete “two simple steps.” First, become a fan. But you have to click the button at the top – if you click the representation of it in the instructions, a dialog pops up saying you have to use the top button “to get access to the scantron hack.” Come again? Oh and the picture in that dialog is for another fan page entitled “How to Change Your Profile Layout.”

Anyway, become a fan and you’ll see step two: “Suggest this page to your friends.” Again, clicking the instructions brings up a dialog emphasizing you must invite at least 40 friends “to bypass the human verification gateway” (sounds high-tech). The picture this time is for some fan page involving “hot” girls. If you click step 3 (see the picture!) without inviting your friends first, you instead encounter the dreaded human verification gateway.

Of course, if you did annoy 40 friends first, I’m pretty sure you’d still see the gateway, which ironically offers to let you take a survey entitled “How DUMB are YOU?” As with so many similar pages, this page is entirely fake. First clue: the page has all wall posts (Correction: wall posts are hidden by default, but not disabled), reviews, and discussions disabled, so nowhere can “fans” actually share whether the trick worked or not.

Oh wait, “THE PICTURE” tab does include a comment box with testimonials from a few fans. However, if you actually click some of the profile links, you’ll find that the names don’t always match up. If you try adding your own comment, I can assure you from scanning network traffic that your feedback is not recorded. The comment box is simply a bit of static code made to look legitimate.

In fact, I assumed “THE PICTURE” tab was using the Static FBML application to load its contents. But the tab actually loads a special application called “sleeps” (whose URI includes the string “heyhaha”). What does “sleeps” do? It displays the page you see on “THE PICTURE” tab. Why bother with a custom app simply to load static code? When you visit an application, it has access to your “publicly available information” (for new readers, that includes your name, networks, friends list, location, content marked available to “Everyone,” pages you’re a fan of, etc.) without you ever clicking a button or granting specific permission. While only Facebook could say for certain, I’m guessing that “sleeps” takes advantage of this access and takes note of everyone who stops by. (See update at the top of this post.)

Applications have to get their code from somewhere besides Facebook, though, and “sleeps” loads it from the charmingly named web site “www.drysnuff.info”. By examining the full source code of the page, we can see exactly what happens when you click on fateful step 3. The page loads an inline frame that links to a file on drysnuff.info called cpa.php.

As I’ve looked at various scams and attacks over the last year or so, I’ve often encountered a particular type of trick that involves a CPAlead gateway. I have no idea what the motives are of the people behind CPAlead or how trustworthy their company is, but I can attest that CPAlead gateways are constantly exploited by untrustworthy people who are looking to make a quick buck. Our sleep-inducing fan page is no exception: that “human verification gateway” is simply another CPAlead setup.

The gateway asks you to complete a survey, which loads in a separate window. Once you’ve finished the “offer,” the gateway gets confirmation and grants you access to whatever it’s hiding. But finishing the survey will likely require you to enter a mobile phone number, a very common online scam that will lead to plenty of unwanted charges on your next bill.

And I can save you the trouble – in this case, it’s not hard to discover what you would see once the gateway verified your humanity. If five racy images of “The sexiest girls from MAFIA WARS” make you fall asleep, then you’re one of the 94%. (Update: Apparently that’s another scam from the same people, and using the hypnotizing fan page may take you to a different destination – albeit still fake.)

I took the time to walk through this particular scam for two reasons. First, I find it fun to explore the code and figure out exactly what’s going on (CPAlead employs several obfuscation techniques in their JavaScript, for instance). Second, this story does have some important ramifications. At first, it may appear no different from many other online scams that pop up when a user clicks some flashy advertisement. As I said, I’ve encountered CPAlead many times before, and other sites have written at length about the dangers of offers that require your mobile phone number.

What makes this case different, however, is the Facebook integration. The scam artists behind this fan page quite literally know who their victims are. When you simply visit the page out of curiosity, the owners know you by name, along with a link to your profile and some basic information about you. This happens whether you fall for the offer scheme or not. (See update at the top of this post.)

Also, several clues in the fan page indicate that its owners run other pages with similar setups. Given the number of advertising-driven fake applications I’ve seen, it’s likely they have apps as well – and if you visit one of those apps, all of your private information can be connected to your profile. Facebook requires developers to destroy most of that data after 24 hours, but has no way of enforcing or verifying compliance with that rule. It’s entirely possible that the swindlers behind all these cons have built a sizable database of information on millions of Facebook users.

I’m not trying to simply spread FUD (fear, uncertainty, and doubt) here. I cannot definitively prove these claims, but I think they are quite realistic based on my history of investigating Facebook applications and news stories on various scams and rogue apps I’ve tracked. And even if this scenario has not happened yet, the determination of past online scammers and the ease of executing such a setup lead me to believe it’s only a matter of time.