Facebook Viral Videos: TapeWorms, Trojans and Obfuscation
This YouMoz entry was submitted by one of our community members. The author’s views are entirely their own (excluding an unlikely case of hypnosis) and may not reflect the views of Moz.
Did you know that my friend saw my sex tape on the web and messaged me about it on Facebook?
Neither did I.
(The "Yada" tracking and other garbage have been edited out to avoid helping out by sharing potentially useful variables.)
The first ever instance of Facebook spam that I saw was a generic wall post inviting the recipient to go check out ringtones. At first my reaction was literally, "What a douchebag, and what a crappy affiliate! Who spams generic ringtone messages to their friends? No way that converts."
I didn't think any more of it until this past week.
In the wee hours of Monday morning, I logged in to Facebook and found out that my friend had apparently seen me in a video. I had just found out that a friend was in town from Hungary, and after seeing the back of her head from a distance, I figured it was possible he'd similarly seen me in the background of something or from a distance and was wondering if it was me. So I opened the PM.
The paranoid amongst you will surely have noticed that those URLs are awfully funny looking with all those % signs and numbers in them. At first, seeing the preview screen view, I thought it was legitimate and went to YouTube. Then I clicked to open the PM and realized that even YouTube's ugly, random alphanumeric video URLs aren't that bad.
The links go to .com.pl addresses, though naturally they might be redirected elsewhere.
Poland? Hmm. Looks like a knockoff of a Chinese design.
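To see what a link like that really says before clicking it, here is a small Python check (an added example, not part of the original post). It unwinds the percent-encoding, counts escapes that hide ordinary letters and digits, and compares the real host with the site the message claims to come from. The sample links are constructed, and `video.example` is a stand-in for the .com.pl hosts described above.

```python
import re
import string
from urllib.parse import urlsplit, unquote

ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 "unreserved" characters never need percent-encoding in a URL.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

def needless_escapes(text):
    """Count %XX escapes that hide an ordinary letter, digit or -._~"""
    return sum(chr(int(h, 16)) in UNRESERVED for h in ESCAPE.findall(text))

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%2577 -> %77 -> w) unwinds."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_link(url, claimed_domains):
    """Compare where a link really points with the site the message claims."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname excludes port and credentials
    matches = any(host == d or host.endswith("." + d) for d in claimed_domains)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    hidden = needless_escapes(tail)
    return {
        "host": host,
        "host_matches_claim": matches,
        "needless_escapes": hidden,
        "readable": f"{parts.scheme}://{host}{fully_decode(tail)}",
        "suspicious": (not matches) or hidden > 0,
    }

# Constructed samples: video.example stands in for the .com.pl hosts described above.
SPAM_LINK = "http://video.example/%77%61%74%63%68%2E%70%68%70?%69%64=%31%32%33%34"
REAL_LINK = "https://www.youtube.com/watch?v=abc123XYZ_0"

if __name__ == "__main__":
    for link in (SPAM_LINK, REAL_LINK):
        print(inspect_link(link, ["youtube.com"]))
```

A host that is not the claimed site, or a pile of escapes that decode to plain letters and digits, is enough reason to leave the link alone.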
How are these messages being sent then? It seems that the messages come from the actual accounts they purport to be from. Therefore, the conclusion is that these accounts must have been broken into. One blog post I read blamed folks who give away their passwords to friends and family. That's hardly the issue.
There are two ways that accounts are being hacked, as far as I'm aware:
- Phishing emails (also possible to do through Facebook PMs). You get an email with a fake Facebook notification; when you go to log in, the phishing site captures your email and password.
- Links to fake videos, like those links shared above, eventually result in a trojan being downloaded to the user's computer. Either the link brings users to a site that pops open an iFrame and installs a trojan virus on the user's computer or, alternately, when the user hits the site and clicks play, they're told to download the latest version of Flash...only the installer they're offered on the spot isn't for Flash, but rather for a trojan virus. Videos. Viruses. Tapeworms. Get it? :)
Do you want to know why this works? Do you know how advanced whitehat viral marketing practitioners are learning from things like this and adapting them to their practices?
First of all, you can get into any club for free by becoming the DJ. You don't need to play for real, of course.
More seriously, here are some key takeaways:
- Viral marketing like this is based largely on people's motivations and influences. There are a number of hooks you can use, but some obviously work better than others. IMHO, since you often want to go for mass appeal, targeting motivations lower down on Maslow's hierarchy will enable you to reach a broader audience. See the post on motivation and influence I just linked to for more info.
- Consider this post, where the main hook is fear: http://www.joeaudette.com/beware-of-social-engineering-email-attacks.aspx. Similarly, I was recently forwarded the stupid Facebook chain letter about Facebook becoming overpopulated and pruning inactive users 8-)...
- A nice list of particular beliefs and biases people hold is on this Wikipedia page: http://en.wikipedia.org/wiki/List_of_cognitive_biases
- Observing how people interact and use stuff is one of the most powerful techniques around. If I had to guess, the folks who came up with these attacks were probably legitimately asked by their acquaintances whether this was them in some picture's background. Extrapolate and voila - TapeWorms. In a less sinister way, my blackhat SEO friend pointed out to me that on Sphinn, the first 32 characters of your title matter most. Why? Because people pay attention to the 'Hot in Upcoming' sidebar, which displays up to 32 characters of your title.
- With regard specifically to sharing, it seems that certain motivations are more often present than others. The more popular ones seem to be:
  - Curiosity - "Is this really your sex tape?"
  - Fear of negative consequences - "I don't want to get booted from Facebook!", "Forward this email or expect a horrible love life and lots of acne for the next 10 years!!!"
  - Altruism - "Don't get booted from Facebook!", "For each email forward, Charity X gets $0.02."
  - Greed - "I'm a newbie affiliate marketer and a douchebag manually spamming his friends' walls...", "Insert Multi-Level-Marketing pyramid scheme here" (See: http://en.wikipedia.org/wiki/Multi-level_marketing for a full rundown on MLMs)
Here's the advanced search quadrant for the past month on the query Facebook Spam, for further reading.
http://www.google.com/search?as_q=facebook+spam&as_qdr=m
Some choice pickings in the lot:
http://www.theregister.co.uk/2008/08/01/myspace_facebook_worm/
http://securitylabs.websense.com/content/Blogs/3162.aspx is an excellent piece; the CSS is a bit broken in Firefox so scroll down a wee bit to find the post.
http://www.websense.com/securitylabs/images/alerts/honeyjax_defcon2007.pdf shares a new technology to detect spammers' efforts, as part of a broader presentation on web 2.0 and the security risks engendered by user generated content.