
Spamming on Facebook: advanced techniques

Apr 26, 2016  ·  2 min read

Just kidding, it’s not advanced. It couldn’t be more freaking far from fine engineering. But hey, it works. They have discovered a new “security flaw” (not really, more like an “out of my jurisdiction” scenario), and they’re exploiting it to spam on your Facebook profile.

Or maybe not yours, if you’re sharp enough, but I’ve been seeing stuff like this on my timeline for a few months:

[Image: fb-spam-post-blurred]
I’ve only seen it in Spanish posts, so translations will be provided

Hmm, that’s weird. That person wouldn’t ever comment “lovely”, much less on a post like this one. Let’s see what it is.


[Image: fb-spam-human-verification.png]

What? Why should I prove I’m a human to enter a stupid blog post? There’s something smelly about this site.

[Image: fb-spam-wp-tagline]

And no, it’s not only that they didn’t even have the decency to remove the default WordPress tagline. Let’s check the full URL, what’s that thing at the end?

[Image: fb-spam-url-parameters.png]

That’s definitely smelly. So, a “regular” blog post URL should look like this:

http://mygreatblog.com/whatever/post-title

Or something along these lines. What we find at the end here are two parameters the URL is carrying, additional info that the site is using. More precisely:

fb_action_ids = some id
fb_action_types = og.comments

Basically, it suggests that the Facebook user/app to which that “action ID” belongs is trying to submit an action of type “comments”. Wat.

Let’s inspect that smelly “human verification” text box…

[Image: fb-spam-iframe.png]

Just what I was expecting. That’s no human verification form. That is an iframe, an external resource embedded in the website. And it seems to be from some “Facebook Social Plugin”. There’s also a log message in the JavaScript console, indicating they have some kind of visit-tracking system. Shoddy work here.

In a nutshell: they have disguised a Facebook Comments box as a humanity verification box: when you click “Enter”, you actually submit that comment on that post using your Facebook account.

What happens next is that Facebook tracks that activity and automatically posts it on your friends’ timelines. What struck me the most is that it leaves no trace in your FB Activity Log.
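To make the two fingerprints described above concrete, here is an added example (my own helper code, not anything from the original post or from the spam site): one function pulls the fb_action_ids / fb_action_types referral out of a shared link, another classifies an iframe src as a Facebook Comments plugin frame, and a third can be pasted into the browser console to outline such frames on a suspicious page. It assumes the plugin frame is served from facebook.com at a path ending in /plugins/comments.php (optionally behind a /vX.Y/ API-version prefix); the ids and app_id values in the checks are constructed.

```javascript
// Added example, not code from the original post. Assumption: the Facebook
// Comments plugin iframe is served from facebook.com under a path that ends in
// /plugins/comments.php, optionally prefixed with an API version like /v2.5/.
const FACEBOOK_HOSTS = new Set(["facebook.com", "www.facebook.com"]);
const COMMENTS_PLUGIN_PATH = /^(?:\/v\d+\.\d+)?\/plugins\/comments\.php$/;

// Returns the Open Graph action referral carried by an absolute link, or null.
// The post's example: ...?fb_action_ids=<id>&fb_action_types=og.comments
function ogActionReferral(link) {
  let url;
  try { url = new URL(link); } catch (_) { return null; }
  const type = url.searchParams.get("fb_action_types");
  const ids = url.searchParams.get("fb_action_ids");
  if (type === null && ids === null) return null;
  return { type, ids: ids ? ids.split(",") : [], isComment: type === "og.comments" };
}

// Classifies an iframe src. For a comments frame, the plugin's href parameter
// names the page the submitted comment will be attached to.
function classifyFrameSrc(src) {
  let url;
  try { url = new URL(src); } catch (_) { return { kind: "unparseable" }; }
  if (!FACEBOOK_HOSTS.has(url.hostname)) return { kind: "other" };
  if (!COMMENTS_PLUGIN_PATH.test(url.pathname)) return { kind: "facebook-other" };
  return { kind: "facebook-comments", commentTarget: url.searchParams.get("href") };
}

// Browser console helper: outlines every Facebook Comments frame and reports
// where it sits on screen, so a box labelled "human verification" can be
// matched to the comment widget underneath. Returns [] outside a browser.
function revealCommentFrames(doc = typeof document === "undefined" ? null : document) {
  if (!doc) return [];
  const found = [];
  for (const frame of doc.querySelectorAll("iframe")) {
    const info = classifyFrameSrc(frame.src);
    if (info.kind !== "facebook-comments") continue;
    const r = frame.getBoundingClientRect();
    frame.style.outline = "4px solid red"; // make the disguised widget visible
    found.push({ target: info.commentTarget, x: r.x, y: r.y, w: r.width, h: r.height });
  }
  console.table(found);
  return found;
}
```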

[Image: Screen_Shot_2016-04-26_at_16_39_32]

So, no way of deleting the comment I just posted. Profit for the spammer, shame for Facebook.

And that’s pretty much it. The reason I do this is because I strongly believe that running a “business” based on fooling and tricking your users/customers is just fucking not okay. It’s rotten, unfair and shows an absolute lack of a winner mentality (apart from being probably illegal, morally questionable, non-profitable and an endless list of nice things to describe it).

Plus, as with any other “security flaw”, I just wanted to uncover it so that users, not only malicious people, can be aware of it and therefore protect against it. Hopefully even Facebook notices it and fixes it.

Be careful, intrepid Facebook users. Not everything is as it seems out there.


PS: Pro tip, run a whois query on the domain name, you’ll even get the personal number of the guy running that shit.
