How To: Detect Facebook Spam

Spam is everywhere and Facebook is no exception. In fact, spammers are constantly stepping up their game by tricking unsuspecting Facebook users to participate in quizzes, games, apps, or "new features" that are actually dangerous computer viruses, spyware, or other trojan horses in disguise. Their attempts even trick people into unknowingly becoming spammers themselves.

One semi-recent example is the Facebook "dislike" button, a tool that did not exist. There were scam reports of users being invited to download the button, which led to a rogue application that could gain access to profile information and even post more spam messages in your name. It was also reported that these invite links would lead to online surveys, which the spammers were paid for.

The latest scam invading the walls of the popular Social Network claims to have a tool that allows you to see who's been viewing your Facebook profile. One conspicuous example of this type of spam manifests its self by posting the following suspect message to every friend of its victims:

"OMG! Its unbelievable now you can get to know who views your facebook profile.. i can see my top profile visitors and i am so shocked that my EX is still creeping my profile every hour. click below".

Another example looks like this:

More common spam contains links to free iPads or whatever the hottest new item on the market is—seemingly posted by your friends who give it a ringing endorsement. But more than likely, if it's a link to something too good to be true, it's spam.

Some more recent spam even asks you to copy and paste code into your URL address bar. This is obviously something to avoid. I've asked our own CTO here at WonderHowTo, Bryan Crow, to give some insight into how to detect what's safe, and what's not. This is what he had to say:

1. Beware the Bookmarklet

Requests that require you to copy and paste a URL that starts with "javascript:" into your address bar activates a javascript command. This could appear on your wall as text to copy and paste, or in the form of a swf file that tricks you into clicking on it, revealing the copy and paste code. Do not copy and paste anything! Whenever you activate the javascript (also referred to as a bookmarklet), you are willfully executing the author's own code on whatever webpage you're currently on, effectively giving them permission to act on your behalf.

It's worth noting that some javascript bookmarklets are harmless fun. Others are useful and trusted, but the fact remains, if you execute one, the executed code will have full access to the cookies from whatever website you're currently on, so you really need to trust the source.

If you know a little about javascript, you can take a look at the code and see if it loads more code from somewhere else. If it does, you can follow the trail to see exactly what it does. If you aren't familiar with javascript, it's always safest to just stay away, or browse to a website that doesn't have any personal information about you first (ex: enter "about:blank" into your address bar first).

If I were to guess, I'd say that 99.99% of bookmarklets that ask you to execute them on Facebook, eBay, Gmail, or any other "secured" site that contains personal information about you, are most likely sneaky ploys to steal information about you without your knowledge. It's possible that they'll also act on your behalf in the future by spamming your friends, asking them to install it, or worse—by secretly making you load another webpage in the background that makes them money—maybe even prompting you to install some cleverly disguised spyware.

Bottom line is, if you're ever sent to a webpage asking you to copy and paste the included code in the address bar on any of your Facebook pages (as in the below image), you can be pretty sure it's a scam.

Spam links (for tools that promise to reveal Facebook page "stalkers", etc.) can also be bookmarklets in the form of hyperlinks, a quicker version of the above instance. But most times they'll just be links to online surveys or malicious spyware.

2. Don't Trust Banners that Claim to Have Scanned Your Computer

One of the most common tricks to get people to install spyware is to show a banner telling a user that they have spyware, then asking them to install their "spyware cleanup software", which is actually, in itself, spyware. These also come in the form of a banner telling you it can "fix your javascript errors", or telling you that your computer is infected. They almost always flash red, putting on an overly-alarming show in an attempt to scare you. Don't trust it. If you're truly worried that your computer may be infected, use a trusted scanner, like McAfee, Norton, or even the 100% free Microsoft Security Essentials.

3. Be Careful if You're Asked to "Sign Back into Facebook"

If at any time you're asked to "sign back into Facebook" in order to watch a video, take a survey, or play a game, it's a telltale sign that the site you're on is phishing for your password. Real Facebook accounts can sell for big bucks on the internet black market. Don't be fooled into handing over the keys.

Legitimate sites that allow you to login using Facebook connect will open a window where the URL in the address bar will start with "facebook.com" as the domain name when they prompt you to authenticate. Never type your Facebook password in a web page if the address bar shows any other domain name. If you're already logged into Facebook, a site that uses Facebook connect won't prompt you for your password. It'll just ask you to grant it permission.

4. You Can Always Choose Not to Allow a Facebook App Access

If a link to a survey happens to be to an app, and if you're not sure you trust it, simply deny it access to your information. Just remember, any time you click the allow button, you're giving that app permission to access any information you've posted about yourself on your Facebook profile. That doesn't necessarily mean the app will do anything with it. But if you're unsure of the source, it's better to be safe than sorry.

For more ways to protect yourself from harm on Facebook, check out our article on protecting your Facebook profile.