Original URL: http://www.theregister.co.uk/2011/04/12/photo_lure_survey_scam/
Facebook photo-tagging trick used to lure emo kids to survey scam
Clickjack ruse targets melancholy Twihard teens
Posted in Security, 12th April 2011 08:48 GMT
Facebook survey scammers, the hardest-working crooks in cybercrime, are exploiting Facebook's loosely-controlled photo-tagging technology to develop more attention-grabbing scam lures.
The scam commonly starts with users finding themselves tagged in their online friends' photo albums.
Clicking to investigate further will lead to a link seemingly promoting a game based on the upcoming movie Twilight: Breaking Dawn. Other themes have also been seen, for example [1] pictures of food sold at the Olive Garden restaurant chain, posted without permission of the eatery.
In reality, no Twilight game or pictures are on offer. Would-be marks are simply encouraged to install a rogue application that earns scammers money by encouraging users to complete a worthless survey. Once granted permission, the rogue app messes around with a user's photo album and claims that the user "likes" the rogue app, among other things.
The rogue application uses clickjacking techniques to further its mischief, as explained in a blog post by Sophos here [2].
"Unfortunately, Facebook doesn't prevent third-party applications from tagging your friends' names onto photos on your wall – even if there are no people pictured in the photograph," explained a Sophos spokesman.
The attack follows an assault [3] using an image of a Playboy-style bunny girl, again ultimately designed to promote a survey scam. ®
