Gullibility of Facebook users continues to skyrocket in 2010

"Scam pages" leverage social engineering to take advantage of less than savvy social network users. Have you been fooled yet?
Written by Jennifer Leggio, Contributor

It appears that Santa Claus delivered some Facebook ugliness during the holiday season, and the site's legions of gullible users noticed: they took to the site in droves and joined some questionable pages. I'm talking about fan pages not-so-fondly known as "scam pages." In other words, fan pages that use social engineering and make empty promises to deliver a service or prize, then do little more than spam other users or harvest sensitive data. These scams can pose a security risk, and even when they don't, they pose a privacy risk.

The first one I ran across -- simply by reading my live news feed -- is a group that promises to deliver an iTunes gift card to anyone who joins the fan page and follows some "simple" instructions.

Joining the fan page, while gullible, is harmless enough. It's the "simple" steps that get you in trouble. It starts with a "requirement" that fans copy and paste a snippet of JavaScript into their browsers. When run, the script walks through the user's entire friend list, selects every friend and sends each one an invitation to the fan page. The instructions claim that you will not get your gift card until this is done.

The survey steps are trickier.


On first visiting the survey site (reached via a redirect from the URL-shortening service Bit.ly, which claims to closely monitor use of its services), a user is presented with a simple registration page to claim the iTunes gift card. Before registration can be completed, however, a pop-up appears requiring that the user take a short survey, after which the user is supposedly sent back to the registration page.

A closer review of the fine print on the fan page shows that in order for anyone to receive a gift card, 1 million people must complete the survey, not just sign up for the group. Attempting to take the survey is when it gets really messy. It's not one survey; it's an endless stream of surveys (I entered fake data into more than 10 of them before giving up). The surveys appear harmless enough (which "Twilight" character are you, etc.) but the survey writers were clever. One survey asks for your name; a couple of surveys later, your zip code; then a few surveys later, a phone number, and so on. This isn't harmless at all. This appears to be a money-motivated premium SMS scheme.

How? Best guess: The site is seeded through Facebook, social engineering its way through gullible users and their gullible friends. Traffic is driven to the registration site's URL, which carries an affiliate ID. Users unknowingly sign up for SMS programs by entering their phone number and other personal details, and get charged premium SMS rates. The SMS service then likely pays out the affiliate that did the seeding in the earlier steps.

Not so harmless anymore, is it?

Who would fall for this? Well, by the time I found this page more than 70K people had signed up (upon finding this I reported it to a friend on the Facebook security team who immediately deleted the page). There's no way of knowing how many of these 70K people actually followed the additional steps, yet signing up itself is a clear sign of gullibility. Last year I wrote about a fake Facebook group that got to more than 1 million users before it was reported to Facebook and shut down.

These scam pages are all over the place. As a matter of fact, one of the more popular ones popping up is a fan page promising the much-desired Facebook "dislike" button. Same strategy: JavaScript to proliferate the page through Facebook, an external link to a survey, and the promise that once that survey is completed the "dislike" button will magically appear. Never mind the fact that Facebook would never introduce a new feature this way; how much sense does it make that a user would need to visit an external site to get this feature? Yet, before this page was disabled by the Facebook security team, it had more than 1,500 fans during its very short life (for more on this keep your eye on Tom Eston's SocialMediaSecurity.com, where he is doing additional research on the dislike scam). Update @ 9:32 p.m. PT on 1/6: Recent searching uncovered another "dislike" button group that currently has more than 250K members.

Simon Axten of the Facebook public policy team said that each week the site culls through tens of thousands of reported scam sites. For those folks who don't have direct reach into the Facebook security team, if they spot something shady they can report it via a link on the fan page and should categorize it as "advertising/spam."

Facebook is among the few social network sites that recognize that while users are gullible, the social networks bear a responsibility to educate said users so that they might not fall for these scams in the future. Axten offers the following tips:

  • Be wary of groups with offers that seem too good to be true, especially if they ask you to provide personal information on another site in order to qualify.
  • Be wary of groups that ask you to spam your friends with invitations to join.
  • If you come across a group that you think is a scam, report it to Facebook immediately.
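As an added illustration, not code from this article, from Facebook, or from any of the researchers it mentions, the following JavaScript scores a fan page's description against the indicators described above and in Axten's tips: a pasted-script requirement, an invite-all-your-friends requirement, a reward gated on a survey, a shortened external link, and a request for personal details on another site. The indicator names, weights, verdict threshold, the list of shortener hosts other than bit.ly, and the sample page descriptions are all constructed assumptions for illustration.

```javascript
// Added example: heuristic triage of fan-page text for the scam-page pattern.
// Indicator names, weights, threshold and sample text are constructed for
// illustration; they are not Facebook's rules or the article's own code.

const INDICATORS = [
  {
    name: "pasted_script",
    weight: 4,
    // The "copy this JavaScript into your browser" step: a javascript: URL or an
    // instruction to paste code into the address/URL bar.
    test: (t) => /javascript:/i.test(t) || /paste .{0,40}(address|url) bar/i.test(t),
  },
  {
    name: "invite_all_friends",
    weight: 3,
    test: (t) => /(invite|send to|spam) (all|every one of) your friends/i.test(t),
  },
  {
    name: "survey_gated_reward",
    weight: 3,
    // A prize or feature that only "unlocks" after completing a survey.
    test: (t) => /survey/i.test(t) && /(gift card|prize|free|win|button|unlock)/i.test(t),
  },
  {
    name: "shortened_external_link",
    weight: 2,
    // bit.ly appears in the article; the other hosts are assumed for illustration.
    test: (t) => /https?:\/\/(bit\.ly|tinyurl\.com|is\.gd)\//i.test(t),
  },
  {
    name: "personal_data_on_other_site",
    weight: 2,
    test: (t) => /(enter|provide|submit) your (name|zip|phone|email|mobile)/i.test(t),
  },
];

// Returns the total weight of matched indicators, their names, and a verdict.
function scoreFanPage(text) {
  const hits = INDICATORS.filter((ind) => ind.test(text));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  // Thresholds are assumptions; tune them against a real report queue.
  const verdict = score >= 5 ? "report-as-spam" : score >= 3 ? "review" : "ok";
  return { score, indicators: hits.map((ind) => ind.name), verdict };
}

// Constructed sample descriptions modelled on the two scams discussed above
// plus one ordinary fan page. The bit.ly paths are made up.
const SAMPLE_PAGES = {
  itunesGiftCard:
    "FREE $50 iTunes gift card! Step 1: copy this code and paste it into your " +
    "address bar: javascript:alert(1) Step 2: invite all your friends. " +
    "Step 3: register at http://bit.ly/abc123 and complete one short survey.",
  dislikeButton:
    "Get the official DISLIKE button! Paste the code below into your URL bar, " +
    "then complete a survey at http://bit.ly/def456 to unlock your button.",
  legitimateFanPage:
    "Fan page for the local coffee shop. Weekly specials posted every Monday. " +
    "Come visit us downtown.",
};

for (const [name, text] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, scoreFanPage(text));
}
```

The indicators are deliberately coarse: a single hit on the pasted-script check is enough to send a page for review on its own, because no legitimate feature or giveaway requires users to execute code in their own browser session, while the weaker signals (a shortener link, a survey) only add up to a report when they appear together.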
