Scammers have been taking advantage of Facebook's photo-tagging capability to get their spam links in front of as many people as possible.
There've been several scams recently on Facebook where users discover their friends have tagged them in a photo. This is not malicious in itself, since that's what friends often do. However, when the users click on these links to see the image, they are sent to a malicious application, either a survey scam or a video site, and the same message is posted on their Walls. This time, their friends are tagged in that image.
A lot of these scams are in circulation; just ask Marc Benioff, the Salesforce CEO. Based on a screenshot posted on URL-shortener and content sharing site Ow.ly on April 13, it appears that Benioff was tagged in a friend's photo album containing a racy image of a scantily clad woman. The message accompanying the link encouraged users to click to view a video.
This kind of scam "seems to happen on a weekly basis," Benioff told eWEEK. He cleaned up three such links from his profile page yesterday and one today, he said.
In this instance, Benioff added a new "friend," who then posted that tagged photo, he said. Many of Benioff's photos on Facebook are actually ads and things the partners "are trying to get me to see," he said. "It's the cost of having 5,000 'friends,'" he said.
When he encounters these images, he "unfriends" that friend and tags the image as spam to alert Facebook, Benioff said. "Hopefully that does something," said Benioff.
Benioff's profile page is fairly restricted and requires people to request to be added as a friend. His fan page has over 5,432 fans.
On the Naked Security blog, Graham Cluley, a senior technology consultant at Sophos, recently described three different photo-tagging scams. They included girls dressed like bunnies, food photos from restaurant chain Olive Garden's menu, and photos from the vampire saga Twilight. This is a "change from their normal tactics," Cluley said, as it exploits Facebook's "loosely controlled" photo-tagging feature with social-engineering tricks to succeed.
"Scammers can spread messages and adverts virally across Facebook with a high level of confidence that your friends will see them," Cluley said.
Facebook doesn't give users a way to stop people and applications from tagging photos with their names. Cluley said it was a "basic privacy option that is essential for Facebook," but noted that there was almost no chance of it being added, as Facebook is moving toward automatically tagging photos using face-recognition software.
When users click on the offending link, they are often prompted with the standard Facebook application message asking permission to access user information and post to the wall. Accepting this message spreads the spam to the user's friends by tagging the photo with their names.
If a user accidentally clicks on the link but doesn't authorize the application to access their profile, they will avoid spreading the spam. If the user does fall victim, they should immediately revoke the rogue application's permissions from their settings, Cluley said.
After the message is spammed out, users may see a malicious video or be asked to fill out surveys for prizes and money.
Photo-tagging is a "loose end that can bring unwanted information to your page," Benioff said, but "that's life on Facebook. You have to self-police."