Counting Facebook Scam Applications

In order to see what is happening in social networks, I sat down and analysed about half a million wall posts from people who have their profile public and visible to everyone over the last month. Obviously this represents only a portion of all the messages posted by all the different users, for example the private posts only visible to friends were, of course, not monitored. Still, it is a good representation.

My first finding was that 21% of all the messages that contained a link pointed to a Facebook application, either through a URL-shortening service or by a direct link. Of those, 73% were actually scams or malicious applications.

Applying this to all the posts assessed reveals that around 15.6% or 1 out of 6 messages with a link that points to a malicious application. Therefore the chances that you may stumble upon such a message are relatively high.

While most of these individual campaigns do not last long, as the security team of Facebook removes the offending app and posts quickly, the attackers simply launch a new campaign. As we reported in earlier blog articles, we have seen fast flux toolkits used in such attacks as well.

In the monitoring period, 30% of the malicious application posts were generated by malicious fast flux applications, using external redirecting services to point to one of a hundred different applications. Once an application goes offline, a new one emerges. The “valentine” scam alone used more than 650 different malicious applications. In addition, other toolkits are used, sometimes legitimate marketing instruments with a wrapper script around it to let it go berserk. For example, the popular iNeoApp 1.06 toolkit was responsible for 33% of the scam applications we saw.

Funny enough, it seems that even the easy-to-use viral Facebook application toolkits are too complicated for some of the attackers. As an example, we saw the following well known “my profile was viewed X times” scam in French, which still contained the randomized parts in its original form. The regular expression-like notation is normally used to vary the content of the message each time, by selecting one of the different options automatically. Here it obviously didn’t work out.


So you see, I could warn you here about clicking on messages with subjects like:

  • Wooooho ! Thanks cityVille I got my 6,000 City Cash hxxp://****/
  • My total facebook views are: 6000 Boys views : 3109 Girl views : 3290  Find out your total profile views @ hxxp://***
  • WOW I cant believe that you can see who is viewing your profile!I just saw my top 10 profile peekers and I am SHOCKED from who is viewing my profile!You can also see WHO VIEWED YOUR PROFILE here: hxxp://****/
  • has wasted 495 hours on facebook!\n\nSee how many you've wasted at hxxp://*****/

But taking the volume of new scams appearing, it nearly feels pointless to do so. Rather, stay vigilant with any message you receive from anyone in social networks, including your friends. Usually the sensational images or videos are not worth the risk, especially if it involves installing an application.