Spammers are using Facebook Events to trick users into completing online surveys, taking part in online contests and performing other tasks which allow spammers to generate commissions. In some cases, users are also tricked into giving up their mobile phone number, which is then automatically signed up for expensive premium services.
According to multiple security firms, spammers using Facebook Events to promote their links have been highly successful in their efforts to dupe unsuspecting users thus far. According to a report from TrendMicro, “tens of thousands” of users had mistakenly registered for one spammer’s event. Meanwhile, Sophos found an example where over 10 million Facebook users had been targeted, and over 165,000 had accepted.
Event Spam: Bogus Events with Link-Bait Titles
TrendMicro’s fraud analyst Paul Pajares says that spammers have turned to Facebook Events instead of posting their links to users’ walls where they can “easily get lost in the News Feed.” These bogus events often have tantalizing, link-bait titles like “How to Find Out Who’s Viewing Your Profile” or “Who Blocked You From His Friend List?”
For the record, Facebook doesn’t allow you to track profile views or blocks, either through its own user interface and feature set or via third-party Facebook applications. Facebook even explains in its own online Help documentation that “blocking someone is completely confidential,” and that no one will ever be notified that they’ve been blocked. It also does not permit third-party applications to track this information.
In addition, any application that claims it can show you who’s been viewing your profile should be reported, Facebook says in a separate FAQ (frequently asked question) available here.
However, despite the ongoing issue of Event spam, Facebook has not updated its Help documentation to refer to both applications and events. The pages only mention apps.
That said, any links promoting such activities should be avoided at all costs, no matter the source.
Facebook-Scale Spam is Very Successful
In the case of one event (“Who Blocked You…”), security researchers found that 10.3 million Facebook users were targeted and over 165,000 of that group had been duped into accepting the event invite.
Not all of these fake Facebook Events appeal to users’ egos, however. Some just use the tried-and-tested social engineering technique which promotes something (a video, photo, etc.) you have to “see to believe.” For example, one event reads “You will NEVER send a TEXT after seeing this VIDEO!” and the event’s wall says “This is a horrific video!” followed by a link where the video can (supposedly) be viewed. At the time that Sophos uncovered this scam, over 13,000 users had “registered” to attend.
How the Scams Work
Once on an Event’s page, users visiting the “More Info” section are provided with instructions on how to find out the answer to the question the event promotes (e.g. who blocked you, who’s viewing your profile, etc.). The final step, of course, is clicking the spammer’s link.
This link is obfuscated using a URL-shortener like bit.ly, which takes a longer link and compresses it into a shorter one that redirects to the site in question. Bit.ly and other services like it grew in popularity thanks to Twitter, which limits the number of characters in its status update field to 140 characters. For Twitter users sharing news and other links with each other, these services are invaluable. However, for spammers, the shorteners can hide what would otherwise be questionable domain names and URLs from potential scam victims.
As a best practice, you should avoid any event invitations of a similar nature, even if you see a friend promoting them on their own Facebook Wall. The tricky, bogus events being used by these cyber criminals also automatically reshare the Event’s link to victims’ own Facebook pages. If you see something like this, you may want to inform your friend that they were a victim of a spammer.
Update: An earlier version of this article implied that the problem of Event spam was a new vector for Facebook spammers. However, this is not the case. As you can see here, spammers have been using events for months now. The examples cited by the security researchers, however, are new. Screenshots show spam events with dates in March, April and May 2011. Due to these particular events’ success in duping users, the researchers felt it necessary to again highlight the problem.