Facebook chat spam uses friends to fool users

Less than a month ago, Facebook chief technology officer Bret Taylor announced the site had cut spam by 95 percent, but as Facebook gets smarter, so do the spammers.

Last summer users began receiving messages from friends on their walls and in their inboxes that read, “LOL is this you?” with a link. These posts played into people’s fear or excitement that they were being talked about somewhere on the Web and compromised many accounts. Once a user had heard about this phishing expedition, though, they were unlikely to engage with it again. The message was always the same and therefore easy to spot.

But recently, users have begun receiving a different kind of spam on Facebook. On two separate occasions I was chatted by friends I hadn’t heard from in a while (see below). The chat on the left came a few weeks back and the one on the right came on February 14. The former started with a “Hi! How are you?” When I responded that I was well and asked how my friend was doing, “I want you to try something real quick,” popped up.

This chat was under her name and had her profile pic next to it, so I didn’t question if this was real or not until “she” asked me to take an IQ test. I responded that this must be spam, but since the script can’t tell what you’re responding with, just that you’re responding, I got this message: “lemme know what ya get please, so far everyone beat me except for Adepeju LOL some of the questions are tricky.” This referenced our mutual friend from high school, which means the bug not only knows who your friends are and when you’re interacting with chats, but it also knows the friends you have in common with the hacked account. This combination of technical fraud and social engineering can give users a false sense of security when interacting on social networking sites. If the script knows your friends, it may know and use any data you’ve entered on the site to manipulate you.

Frederic Wolens, of Facebook’s Public Policy team, says they have a “large team of professional investigators who quickly remove these when we detect them or when they're reported to us by our users,” but declined to comment on this scam specifically.

Gary Warner, the Director of Research in Computer Forensics at The University of Alabama at Birmingham, spends much of his time tracking down perpetrators of Internet scams for the FDIC, Homeland Security, the FBI and others. At our request Warner looked into this bug and discovered it first appeared on Google, “This script was able to log in as you on Gmail then check to see if you had chat installed.” It spread from there, prompting users to take IQ tests on over 20 different domains.

Warner said that in terms of Facebook this scam could be operating in one of two ways, either by taking over accounts as it did with Gmail or infiltrating the Facebook apps system, which allows third party applications to message people you know. If it is in fact the latter, users can stay vigilant by checking their applications regularly to see if any of them were installed without their permission.

This referenced our mutual friend from high school, which means the bug not only knows who your friends are and when you’re interacting with chats, but the friends you have in common with the hacked account.

Oz Sultan, a marketing and social media consultant, traces the root of this bug back to the redesign. “The new Facebook pushes chats to the forefront. You’re hard pressed to find people now who remember what the old Facebook looked like, but chat wasn’t easily accessible.” Facebook chat is more vulnerable now than ever since it began using Jabber (XMPP), an instant messaging platform that is supported by most instant messaging software and therefore allows you to integrate your Facebook chat with other types of instant messaging.

Here Abhinav Singh explains how to create and implement a chatbot on Facebook, an option made possible by the adoption of this new platform. Sultan said the best way to protect yourself against this spam is by not clicking on shortened links in chats and only becoming friends with people you know. If a friend sends you a suspicious chat, ask them a question a bot would not be able to answer. Just make sure the information isn’t available in your profile.

Right now these chats can’t respond to what you’re actually saying, but the next iteration could. AOL’s Eliza was an early artificial chat program that had therapy-like conversations with users. This technology could be used to further convince unsuspecting users that they are talking to a human being. Wolens says Facebook is working on a way to automate the flagging of these types of scams so they can take action immediately, when and if they discover the truth.

Alex Leo is a writer and internet enthusiast living in New York City. She was a senior editor at the Huffington Post and has appeared on CNBC, NPR, and Good Day New York. Before that she was an associate producer for ABC News.