Chris Alexander

On Engineering

Proof People Will Do What You Tell Them On Facebook

15th January, 2010

I have found yet another instance (I could literally start a blog about these, but it would take over my life) of a social engineering attack which has been working its way around Facebook.

It contains all the necessary ingredients - a suspicious-looking group; an invite-all-your-friends scam; adverts and questionnaires all over the place.

The latest attack starts off by offering a free laptop under the guise of a company that needs to get rid of them quickly - suspicious from the outset.

Next it walks the “victim” through inviting all their friends to the group. A now all-too-familiar piece of JavaScript is executed in the address bar, which automatically selects all the user’s friends to send the invite to.

This is said to “unlock” the short URL, which of course is rubbish - you can go there anyway.

On visiting the page, there is a piece of code that you may have seen on other scam sites recently - one that takes over the whole page, and forces the user to complete a questionnaire before they can access the form.

Needless to say, this is a simple money-making scheme.

Posting the form off (which of course I didn’t do - please don’t try this at home) yields an interesting message that they will be sending you some post you have to send back again. Presumably it’s something illegal. I wouldn’t be surprised if, as more and more people start getting broadband connections and joining social networking sites, these scams continue. Hopefully people will undertake due diligence to prevent the propagation of such things.

Play safe on Facebook, people. Remember not to enter and execute any code unless you understand what it will do, and not to enter your personal details or take questionnaires on unknown websites. And please stop inviting me to these groups.