Facebook "Like Pages"

Published: 2010-09-16
Last Updated: 2010-09-16 16:55:24 UTC
by Johannes Ullrich (Version: 2)
10 comment(s)

I am seeing a trend on Facebook recently, and I am not sure what to make of it. As we all know just too well, Facebook has a "Like" feature. This feature, a little button associated with a post, allows you to show agreement with a post. Lately however, I am seeing more and more posts like the following:

I covered up the parts identifying the friend of mine who posted this. A few things make these posts look "suspect": The post itself links to a domain "x.co". This is not the only domain used for these posts and it isn't obvious if they are all related (but many are). Another domain associated with x.co is for example thelikepage.com.

Once you click on it, you are offered a large number of other "provocative quotes" and offered to "like" them. At this point, I am mostly asking "what is the point"? Is it just an attempt to direct Facebook users to ad-covered pages? Or is there something more sinister at play? I don't see any exploits like click-jacking or cross-site-request-forging used. These pages also do not phish your credentials like some other similar pages.If you got an opinion or any further inside, please let us know.

Update: Just a quick summary of some of the feedback we got so far. Too much to mention every single one (Thanks BTW!)

Nobody has seen anything malicious from these URLs yet, so it appears to be just "Spam", maybe search engine optimization techniques to get these pages linked and ranked higher. A couple readers noted that unlike a regular "like", it is not so easy to remove these notes from your profile. You need to go to your "wall" page and remove them. You can not remove them like normal "Likes" from your "Newsfeed".



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

10 comment(s)


I'd say that they're building people's trust but then again I think they've pretty much built that already.
I'm also wondering what's up with all of this and what could they be looking for. The other thing about facebook that doesn't generate too much trust is the permission that people give to the different applications, when people say that their account has been hacked because a lot of spam is being posted I strongly believe that in fact their account hasn't been hacked but that they've permitted an application to post to their profile and it's doing so...
I'm thinking the same thing as lmurillo. It's the calm before the storm. Once all this "liking" is deemed safe, and all caution is thrown to the wind, I expect we'll see something more dangerous or at least sneaky.
Johannes, this is the reason your https google packets weren't getting any attention. This one's more fun :)

Some of the things it could be?

The words in the "provocative phrases" could be calculated to produce an emergent behavior, re: page rank, once spammed across a billion facebook pages

Could be the worlds most brilliant steganography implementation

Could be the setup for a bait-and-switch

...but I'd wager it's Yet Another ICanHazCheezBurger Clone; hands-free content generation for the purpose of click-thrus of that lfstmedia.com banner at the bottom.
We had a discussion a while back about these type of posts because someone was inquiring about how to permanently block them from her FB feed. It seems that some of these sites have been around for a while, and is just mindless fun, but they are now taking advantage of the Facebook Connect (or whatever they call that like-a-webpage feature) to try to spread and get more people to like a specific phrase (I guess for bragging rights).

I agree with ASB that it wouldn't be that hard to create a similar site to host malware or other crap from in the future, once people accept it as annoying, but safe.
I think this could be a setup purely for SPAM purposes. Depending on how the "like" is presented, they could potentially now have access to post anything on that user's page at their leisure. I see where this could be marketable after thousands of "fans" have associated.
Write-up from their dev page (http://developers.facebook.com/docs/reference/plugins/like):
"If you include Open Graph tags on your Web page, your page becomes equivalent to a Facebook page. This means when a user clicks a Like button on your page, a connection is made between your page and the user. Your page will appear in the "Likes and Interests" section of the user's profile, and you have the ability to publish updates to the user."
I've actually seen a dramatic decline among my FB friends - only two such posts in the past week, whereas before it was more like 10 or so. Don't know if people are started to be annoyed by it and blocking the site.
From what I can tell, it's most likely a form of fingerprinting. You can tell a lot about a person by what they "like".
This fingerprinting can then be used for password guessing but most likely slated at "targeted advertising"...
How many warnings have we seen over the years when they say "This is not remotely exploitable; the user must be tricked into clicking on a malicious link".

How quickly would you click the "Like" button below: "[your close friend's name] likes TO SEE HER EX SPILL HIS BEER (like)".

At first you think you are "liking" a status update. Even if you realize it is a phrase, you might still "Like" that phrase.

Pretty soon that "Like" button will end up being the malicious link we are trained to not click on.

Pretty soon "Like" buttons will be all over the net. We will be like lemmings, clicking on "Like" because everyone else clicks on "Like", no matter what site we are looking at.

You think THIS is bad... wait until FB installs a true "DISLIKE" button. The internet will break all mouse-click records, just moments later :(

- http://www.avg.com/us-en/press-releases-news.tpl-mcr7.ndi-232491
Sep 15, 2010 - "... AVG Threat Labs analyzed the safety of 50 global social networks, finding that:
• Looking at 50 top social networks worldwide, there are 19,491 compromised web pages
• Of these 11,701 are on Facebook - the world’s largest social network
• YouTube had 7,163 compromised web pages ..."
In doing some research on deploying video using ustream, brightcove, livestream, tokbox, and a whole host of others; my laptop was taken down so fast with malware it wasnt event funny. All of these sites cross post with each other and it must be a feeding frenzy overseas for those wishing to compromise machines. I don't understand 'how' this can happen but i quickly needed to buy a dedicated machine for this type of experimentation with social media since it is quite the 'wild west' at the moment.

Diary Archives