Last week we talked about a fast-flux style scam wave driven by a Facebook application toolkit. That wave stayed active for more than a week, rotating through more than 250 different malicious Facebook applications. Several such toolkits are being used to spam Facebook, among them Tinie, Arber, fbexpert, and NeoApp.
Toolkits and scripts are exchanged in underground forums, freshly generated accounts are traded, and tips are posted on how to lure users into clicking ads or filling out commissioned surveys. None of this is new: automated Facebook "Like" scripts have been around for a while. What we have observed, however, is that the toolkits are getting more sophisticated and easier to use.
Take a currently popular viral Facebook application toolkit called NeoApp as an example. It is sold for $50, but can be found for much less in certain places. Like similar toolkits such as Tinie and Arber, it consists of a handful of PHP scripts that generate Facebook applications. Once a user has installed such an application and granted it permissions, he or she shows up in the NeoApp administration panel. From there the operator can send randomized messages to this user and his or her friends, all through automated posting job queues, statistics pages, and easy-to-use templates. This allows practically anyone, even without coding skills, to create a fast-spreading viral message on Facebook. The same tool could serve as a legitimate marketing tool, but it also serves as a generator of annoying viral Facebook applications for survey scams, which is what we unfortunately see every day.
The toolkit even explains where to place the links to funny videos (the bait) and where to put the survey links in order to maximize the payout. As its advertisement makes clear, the motivation behind the toolkit is to make money.
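The mechanism described above, and the view a defender gets of it, as an added Python example that is not code from NeoApp or any other toolkit named here: a spintax-style template produces dozens of wording variants of one bait message, one per rotating application, and a token-set near-duplicate clusterer on the defender side collapses them back into a single campaign whose tell-tale is many distinct applications behind near-identical posts. The template syntax, the canvas-URL shape (https://apps.facebook.com/<app>/), the sample posts, the poster names and the similarity threshold are all constructed assumptions for illustration.

```python
import random
import re
from itertools import combinations

SPIN_RE = re.compile(r"\{([^{}]*)\}")
URL_RE = re.compile(r"https?://\S+")

# Constructed spintax template in the style such toolkits let an operator fill in:
# {a|b} picks one alternative at posting time, [APP] is replaced by the link to
# whichever generated application is currently live. (Assumption: illustrative
# syntax, not NeoApp's own.)
TEMPLATE = "{OMG|WOW|LOL} {I|we} can't believe this {video|clip} of a girl {!!|!!!} [APP]"

# Constructed sample data: five rotating applications, three "infected" posters,
# plus two benign posts that must not be pulled into the campaign.
APP_URLS = ["https://apps.facebook.com/funnyvid%d/" % i for i in range(1, 6)]
POSTERS = ["alice", "bob", "carol"]
BENIGN = [
    {"poster": "dave", "text": "happy birthday mom, love you lots"},
    {"poster": "erin", "text": "can't believe this weather today"},
]


def spin(template, rng):
    """Expand one random variant of a spintax template (spammer side)."""
    return SPIN_RE.sub(lambda m: rng.choice(m.group(1).split("|")), template)


def variant_count(template):
    """Number of distinct wordings a template can produce (product of the group sizes)."""
    n = 1
    for group in SPIN_RE.findall(template):
        n *= len(group.split("|"))
    return n


def generate_wave(template, app_urls, posters, seed=0):
    """Spammer side: one randomized post per rotating application, cycling posters."""
    rng = random.Random(seed)
    posts = []
    for i, url in enumerate(app_urls):
        text = spin(template, rng).replace("[APP]", url)
        posts.append({"poster": posters[i % len(posters)], "text": text})
    return posts


# --- defender side -----------------------------------------------------------

def tokens(text):
    """Normalize a post: mask URLs, lower-case, drop punctuation, return its token set.
    Punctuation and link variation vanish here, so only the wording slots remain."""
    text = URL_RE.sub(" <URL> ", text.lower())
    text = re.sub(r"[^\w<>' ]+", " ", text)
    return set(text.split())


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical token sets."""
    return len(a & b) / len(a | b) if a | b else 0.0


def app_id(text):
    """Assumed canvas-URL shape https://apps.facebook.com/<app>/: the first path
    segment identifies the generated application. Returns None if no link."""
    m = URL_RE.search(text)
    if not m:
        return None
    path = m.group(0).split("//", 1)[1].split("/")
    return path[1] if len(path) > 1 and path[1] else None


def cluster_posts(posts, threshold=0.5):
    """Union-find near-duplicate clustering on token-set Jaccard similarity."""
    parent = list(range(len(posts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    toks = [tokens(p["text"]) for p in posts]
    for i, j in combinations(range(len(posts)), 2):
        if jaccard(toks[i], toks[j]) >= threshold:
            parent[find(i)] = find(j)
    clusters = {}
    for i in range(len(posts)):
        clusters.setdefault(find(i), []).append(i)
    return list(clusters.values())


def flag_campaigns(posts, min_apps=3, threshold=0.5):
    """A cluster of near-identical posts that links to many distinct applications is
    the rotation pattern of a toolkit-driven wave, not organic sharing of one app."""
    flagged = []
    for members in cluster_posts(posts, threshold):
        apps = {app_id(posts[i]["text"]) for i in members} - {None}
        posters = {posts[i]["poster"] for i in members}
        if len(apps) >= min_apps:
            flagged.append({"posts": len(members), "apps": len(apps), "posters": len(posters)})
    return flagged


if __name__ == "__main__":
    wave = generate_wave(TEMPLATE, APP_URLS, POSTERS)
    for p in wave:
        print(p["poster"], "->", p["text"])
    print("variants possible:", variant_count(TEMPLATE))
    print("flagged:", flag_campaigns(wave + BENIGN))
```

The threshold is the usual trade-off: the two most different variants of the constructed template still share 7 of 13 tokens (about 0.54), so 0.5 groups the whole wave, while the benign "can't believe this weather today" post only reaches 0.25 against it. The signal that separates a scam wave from a genuinely popular application is not the text alone but the count of distinct application identifiers inside one text cluster; a single legitimate app shared by many people yields one identifier, whereas the wave described at the top of this post yielded more than 250.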
Spreading spam messages that point to survey scams is one thing, but since the user has to grant the application access to his or her private data, there is also a privacy issue. The toolkit stores the harvested personal information in a database from which the operator can extract and misuse it however he or she sees fit. This data can even include the user's private email address, which allows traditional spam emails to be sent with the personalized touch of addressing the user by real name and mentioning the names of friends. That makes for some convincing spam. Of course, storing and reusing this data is against Facebook's usage policy, but scammers whose application already violates the policy are unlikely to care.
Facebook has a dedicated team hunting for these sorts of malicious applications and shutting them down. Unfortunately, given the sheer volume of new ones appearing, there is still a good chance that you will run into one. Therefore, as always, be vigilant. There is no reason to install an application just to see a funny picture, so stay away from such tempting applications. If an application requests access to your personal information, think twice about whether it really needs that access or whether it might just be another scam.