Fast-Flux Facebook Application Scams

It’s nothing new: a Facebook scam message, apparently from a friend, about an application that claims to show you who has viewed your profile. The scam nags the user to fill out surveys and quietly sends the same message to all of his or her friends.

Unfortunately, we see them every day.

Another fake application.

This week, I stumbled across a new level of automation with these scams.

The variations in the bait messages are nothing unusual: a quick message followed by a URL:

- I've just seen who CREEPS around my pics the most here on Facebook! You can see who stalks you too! http://www.redire[REMOVED]com/stalker
- I just saw who checks me out the most on Facebook! You can see who stalks you too! http://www.[REMOVED]redirectsite.com/stalker
- I've just seen who STALKS me on Facebook! You can see who creeps around your profile too! http://www.[REMOVED]redirectsite.com/stalker

Example bait message.

The novel part here is that instead of just using a short URL that points straight to the application, as all of the others do, the attack uses a remote site that acts as a redirector. The target destination, in this case the URL of the malicious Facebook application, is chosen at random by the script from a pool of active links. This means that resolving the URL results in a different Facebook application URL every time. Similar to the fast-flux services that botnets have used for a while, the number of destinations is in the dozens, and they appear to be updated over time.

This means that the user ends up at one of many different Facebook applications with different names, which even use different remote resources, all set up by the script. The remote sites could be hijacked or created by the attackers themselves. They all show the Facebook icon as the favicon and have a subdomain name corresponding to the application’s canvas name. Three examples of the application URL, the application name, and the remote link follow:

- http://apps.facebook.com/iyayp[REMOVED]/
- "Creepy Profile Peekers"
- http://iyayp[REMOVED]suniom.com/

- http://apps.facebook.com/lxalz[REMOVED]/
- "See Who Views You The Most"
- http://lxalz[REMOVED]il-realty.com/

- http://apps.facebook.com/mspxq[REMOVED]/
- "Your Top Stalkers"
- http://mspxq[REMOVED]wholesale.com/
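To show how an analyst can tell such a flux redirector apart from an ordinary redirect, here is an added example (my own code, not from the post) that resolves the same bait URL repeatedly and counts the distinct destinations, and that pulls the canvas name out of an application URL for comparison with the remote subdomain. The pool of application URLs and the simulated redirector are constructed stand-ins, and `http_location` assumes the redirector answers with a plain HTTP `Location` header.

```python
import http.client
import random
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed pool modelled on the three application URLs in the post;
# the "[REMOVED]" fragments are placeholders, not real canvas names.
SAMPLE_POOL = [
    "http://apps.facebook.com/iyayp[REMOVED]/",
    "http://apps.facebook.com/lxalz[REMOVED]/",
    "http://apps.facebook.com/mspxq[REMOVED]/",
]


def http_location(url, timeout=10):
    """Fetch one hop without following it and return its Location header.
    Network helper for real probes; the offline example below does not use it."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"User-Agent": "Mozilla/5.0"})
    return conn.getresponse().getheader("Location")


def make_flux_redirector(pool, seed=0):
    """Offline stand-in for the scam redirector: every hop picks a random pool entry."""
    rng = random.Random(seed)
    return lambda url: rng.choice(pool)


def probe_redirector(url, fetch_location, samples=30):
    """Resolve the same bait URL `samples` times and count distinct destinations.
    An ordinary redirect yields one destination; a flux pool yields many."""
    counts = Counter()
    for _ in range(samples):
        dest = fetch_location(url)
        if dest:
            counts[dest] += 1
    return counts


def is_flux_pool(counts, min_distinct=2):
    """Flag a redirector whose destinations vary across repeated resolutions."""
    return len(counts) >= min_distinct


def canvas_name(app_url):
    """The canvas name is the first path segment of an apps.facebook.com URL;
    the post notes the remote resource subdomain matches it."""
    m = re.match(r"https?://apps\.facebook\.com/([^/?#]+)/?", app_url)
    return m.group(1) if m else None
```

Point `probe_redirector` at a real bait URL with `http_location` as the fetcher to catalogue every application URL the redirector hands out, then feed the list into blocklisting or takedown requests.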

Facebook is doing its best to disable the new malicious applications as soon as they appear, but a few are still active and new ones are being added, so be careful.

As usual, the user is asked to grant the application permission to access private information and to post to the user’s wall.

Once the user grants this permission, a new bait message is secretly posted to all of his or her friends with the link to the flux redirector. Meanwhile, the user is asked to complete some surveys to prove that he or she is human before the alleged profile stalkers are revealed.

In the end, no stalkers are revealed; instead, random people are listed, because this feature does not exist.

As always, keep a vigilant eye out for such scam messages and do not install these applications. If you have fallen victim to such a scam, go to your account’s Privacy Settings and remove the application from your profile.