Facebook scam with a difference – Social Tagging Worldwide avoids rogue apps

Vigilant Naked Security reader Mike Greer, of Cedar Park, Texas, has brought the latest Facebook “profile viewer” scam to our attention.

We write regularly about this sort of scam, which is common on Facebook, on Twitter, and even on both at the same time.

One of the reasons people fall for these scams is that they promise to provide what sounds like useful data – a list of the people who are most interested in your activities. In particular, most of the scams imply that anyone who is stalking you is likely to end up at the top of the list of people who check your profile.

(Of course, the people at the top of the list might equally well be your closest and most trusted friends. But profile view scams sell better on fear than on comfort.)

Most scams of this sort persuade you to install a rogue Facebook application and give it permission to access your account. But this latest scam, centred around a Facebook community called Social Tagging Worldwide, takes a different approach.

The Social Tagging Worldwide page is much more direct. It tries to trick you into pasting JavaScript directly in your browser and running it. Naturally, this bypasses any checks which Facebook might apply to the script if it were served up from, or wrapped inside, a web page sourced from Facebook itself.

Claiming to be “The Official Profile Viewer Application”, the page offers you a link which brings up a Facebook dialog asking you to “complete a 5 second security check to confirm you’re a Facebook user”:

The instructions sounds pretty simple, and – unlike many other Facebook scams – don’t involve asking you to take a survey as proof that you aren’t a computer. The instructions may vary depending on your browser, but will look something like this:

The trick is that you aren’t cutting-and-pasting any sort of unique ID into your browser’s address bar. You’re actually pasting a piece of Javascript and asking your browser to run it for you:

This script fetches another script – one intended to run inside pages presented by Facebook. Indeed, if you paste the offending “unique ID script” into your browser’s address bar whilst you’re on a site other than Facebook – e.g. Naked Security – you’ll see a warning that the script needs to come from Facebook itself:

But if your browser is on the original Social Tagging Worldwide community page – which is hosted by Facebook.com – and you are logged into Facebook, the pasted script runs as if it were hosted on facebook.com. Your browser thinks – indeed, effectively knows – that you’re on Facebook, because that’s the domain of the URL you are currently visiting.

The offending script in this case is designed to invite all your friends to join a specific Facebook group. No need for a rogue application.

The moral of this story is simple: BE CAREFUL WHAT YOU PASTE INTO YOUR ADDRESS BAR.

When you explicitly enter a piece of JavaScript, you’re effectively authorising your browser to run that script in the context of the site you’ve just visited. You are effectively bypassing any sort of cross-site scripting protection which either the remote site – in this case, Facebook – or your browser might have in place.

Cross-site scripting is where you trick your browser into running a script from site Y as if it were officially from site X. Pasting a script into the browser side-steps any cross-site scripting protection because there isn’t really any “cross-site” behaviour – you’re manually injecting a script into site X and thus authorising it to run yourself.

Incidentally, if you do go through with the instructions in this scam, things proceed rather predictably.

You’re asked to perform another “proof that you are human” test, and this time – I’m sure you’ve guessed already – you need to take a survey. The survey offers a prize – I’m sure you’ve guessed already – of an iPad or an iPhone:

And to win the prize – I’m sure you’ve guessed already – there’s a cost. The advance fee you’ll pay to enter the “competition” depends on your location.

I’m in Singapore right now, where I was expected to send a pricy SMS and agree to accept SMS marketing:

By the way, there’s a simple, non-technical, rule which will protect you from almost all scams of this sort:

IF IT SOUNDS TOO GOOD TO BE TRUE, IT IS TOO GOOD TO BE TRUE!

Make sure that you stay informed about the latest online scams. Join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

While you’re about it, why not check out our Facebook security best practice guide? Learn how to protect your privacy and identity on Facebook.