Threat Research

Cartoon chaos on Facebook

Vojtech Bocek, 20 December 2018

Newly-discovered exploit designed to spread spam at scale targets Facebook users.

Facebook has taken down a scam targeting a large number of users that was designed to spread spam through user accounts. The scam was identified after multiple cartoon-style images portraying stereotypical relationship scenarios were shared in high quantities by Facebook users — often a reliable indication of shady practices. Facebook users in France were among those most affected.

The images (see example below) linked to malicious pages hosted on Amazon’s web-based storage service, S3. Once a user clicked on one of the shared images, they were redirected to a website and presented with a pop-up asking them to confirm that they were over the age of 16. While the pop-up was displayed, the page surreptitiously shared a link to itself on the user’s Facebook timeline, regardless of how the user answered. If the user clicked ‘yes’, they were redirected to a page with “funny relationship pictures”.

The link quickly spread like a worm through Facebook, as each person who clicked the link also shared it on their timeline for more people to see.
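The “shared in high quantities” signal mentioned above is something a feed operator or abuse team can check for mechanically. The following is an added example, not Avast’s or Facebook’s code: it takes a constructed list of share events (minute, user, URL), counts distinct sharers per 10-minute window, and flags links whose share count keeps multiplying window over window, noting as a supporting signal when the link is hosted on a bulk-storage domain. The thresholds, the storage-host list and the sample events are all assumptions chosen for the demonstration.

```python
"""Flag links that spread worm-like through a social feed (added example)."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hostnames treated as throwaway bulk hosting (as S3 was used here).
BULK_STORAGE_SUFFIXES = ("amazonaws.com",)

# Constructed sample data: one ordinary link and one that doubles every window.
SUSPECT_URL = "https://s3.amazonaws.com/example-bucket/funny.html"  # constructed
NORMAL_URL = "https://example.com/recipe"                            # constructed
SAMPLE_SHARES = [
    (0, "u1", NORMAL_URL), (7, "u2", NORMAL_URL), (31, "u3", NORMAL_URL),
    (0, "u10", SUSPECT_URL),
    (12, "u11", SUSPECT_URL), (15, "u12", SUSPECT_URL),
    (22, "u13", SUSPECT_URL), (24, "u14", SUSPECT_URL),
    (26, "u15", SUSPECT_URL), (28, "u16", SUSPECT_URL),
    (31, "u17", SUSPECT_URL), (32, "u18", SUSPECT_URL),
    (33, "u19", SUSPECT_URL), (34, "u20", SUSPECT_URL),
    (35, "u21", SUSPECT_URL), (36, "u22", SUSPECT_URL),
    (37, "u23", SUSPECT_URL), (38, "u24", SUSPECT_URL),
]


def shares_per_window(events, window_min=10):
    """Return {url: [distinct sharers in window 0, window 1, ...]}."""
    sharers = defaultdict(set)  # (url, window index) -> set of user ids
    last_window = max(minute // window_min for minute, _, _ in events)
    for minute, user, url in events:
        sharers[(url, minute // window_min)].add(user)
    series = defaultdict(lambda: [0] * (last_window + 1))
    for (url, window), users in sharers.items():
        series[url][window] = len(users)
    return dict(series)


def is_worm_like(counts, min_total=10, growth=1.8):
    """True when a link has enough shares overall and at least two
    consecutive windows each grew by a factor of `growth` or more.
    Organic sharing usually plateaus; self-propagation compounds."""
    if sum(counts) < min_total:
        return False
    steps = 0
    for prev, cur in zip(counts, counts[1:]):
        if prev > 0 and cur >= growth * prev:
            steps += 1
        else:
            steps = 0  # growth streak broken
    return steps >= 2


def on_bulk_storage(url):
    """Supporting signal: link points at a bulk-storage host."""
    host = urlparse(url).hostname or ""
    return host.endswith(BULK_STORAGE_SUFFIXES)


def flag_suspect_links(events, window_min=10):
    """Return {url: [reasons]} for links that show compounding spread."""
    flagged = {}
    for url, counts in shares_per_window(events, window_min).items():
        if not is_worm_like(counts):
            continue
        reasons = ["worm_like_growth"]
        if on_bulk_storage(url):
            reasons.append("bulk_storage_host")
        flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in flag_suspect_links(SAMPLE_SHARES).items():
        print(url, reasons)
```

Counting distinct sharers rather than raw share events stops one noisy account from tripping the detector, and requiring two consecutive growth steps rather than one filters out a single viral burst that then dies down, which is the normal shape of organic sharing.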

Here is one of the images making the rounds on Facebook:

Translation: What life is like before you’re 30 years old and after you’re 30 years old

This is the pop-up that asked users to confirm their age after clicking on one of the bogus images:


Translation: To access this site, you must be at least 16 years old. Are you over 16 years old?

After analyzing the exploit, it appears that a bug in the Facebook API allowed the malicious pages to create carefully crafted Facebook URLs that appeared on a user’s timeline and were then shared automatically among friends.

Are Facebook users at risk?

It is currently unclear whether the scam was intended to deliver malicious activity such as phishing or malware. The malicious pages did not appear to be collecting personal information, such as Facebook login credentials. Browser extensions that isolate Facebook from other websites also prevented this exploit from working, since the third-party page could not act with the user’s Facebook session.

It appears the bug in the Facebook API has since been fixed, and the link itself has already been erased by the social network platform.

Advice to Facebook users

Before the link was removed, there was little that Facebook users could do to prevent the link from spreading, as it appeared to be using a bug in the Facebook API. The good news is that the link was rather benign. However, it would have been the perfect candidate to spread a phishing campaign. In a circumstance such as this, our standard tips and guidelines apply.

The image text was displayed in French, which could have tipped off users in other countries. But as a final thought, would your friends really share French images like this with no comment attached?