Facebook Scam – Stalker Application or Creeper Program is Hoax and Password Stealing Phishing Scheme


Summary. The following Facebook report is from technology specialist Gregory Johnson.

Moments ago, I had a friend of mine post a message to my Facebook wall stating “I’ve just seen who STALKS me here on Facebook. You can see who stalks you too!” A link was provided to a website other than facebook.

I wanted to delete the post and report it if necessary as SPAM or choose the Report as Abuse option upon deleting, but didn’t know enough about the legitimacy of the posting.

I first went to my friend’s wall to see if their account had been hijacked and discovered a similar post on their wall, with a different URL. My friend had seemingly posted to his own wall, “I just saw who checks me out the most here on Facebook. You can see who creeps around your profile too!” Also on this person’s wall, a friend of theirs wrote, “I’ve just seen who CREEPS around my pics the most here on Facebook. You can see who stalks you too!” Again, a different URL was provided.

It soon became clear to me that this is an automated hack of the Facebook system that spreads like wildfire as it encourages people to follow these rogue links and then unwittingly provide their Facebook login and password.

In general, it’s important to be leery of postings to your wall that seem automated. Always do a little research to ensure the legitimacy of such things.

I returned to my wall to remove the post and mark it as abuse, but it had already been removed. I’m guessing Facebook has implemented the equivalent of a virus scanning program for social networks that identifies and removes malicious postings.

Further Reading. After some further research, I found this helpful group page on Facebook that confirms the danger of these fake postings:

The creator of the above group has expressed an interest in spreading the message about these scams, so below is the full content of what’s posted on the above group page.

After seeing a lot of my friends adding applications and joining groups that promise to reveal who visits their profile pages and how often, and then seeing that thousands of other people buy into these things as well, I decided this group was necessary to explain why these trackers can’t exist and are just spam.

Before diving into the technical side of the issue, there are some pretty easy ways to tell that a group promising a profile tracker, or anything else that Facebook does not give you, like a dislike button, probably doesn’t do what it promises, or at least makes you do more than you need to. One group I saw claimed that in order for the creator’s profile tracker to work, you first have to join the group, invite at least 200 friends to join the group, and add the creator as a friend in order for anything to happen. Then, you are promised that an e-mail will be sent to you with a link that gives you instructions on how to use the supposed tracker. What made it more suspicious was that no one was allowed to post to the group’s wall or create a group discussion, meaning if people figured out they were being tricked, there was no way of letting other people in the group know about it.

Groups that require you to do things like the one mentioned above are simply SPAM. There is no way the creator of the group can track how many people you invite to their group and how many of them actually join, and there is no way they can set it up so that an e-mail is automatically sent to you once you do so. The only reason why they require you to join the group and then invite 200 other people is to get as many people to join the group as possible. They just want to see how many people they can trick into joining. Likewise, the requirement to add them as a friend is because they’re one of those people who think having thousands of Facebook friends they’ve never met in real life makes them cool or popular or something. They just want attention.

However, tricking people into joining the group, inviting their friends, and adding the creator of the group doesn’t necessarily mean the thing they’re promising doesn’t work. It could be that it really does work, they just want to get something out of it. However, this simply is not the case with the profile tracker.

There are only a few ways a profile tracker could actually work, and to my knowledge, the methods either don’t work or have been prevented from working by Facebook. An example of a method that didn’t work was the Trakzor application. The app could tell you who viewed your profile, but only if the other person also had the Trakzor application installed. Therefore, the only way it could be useful in any way is if lots of people added it, which didn’t happen. Besides, if it only works if both people have it installed, that means that if you add it, then other people with it can see when YOU visit THEIR profiles. Knowing that, why would anyone add it? I recently tried searching for it to see if anyone still used it, but it didn’t show up in the search results. I’m guessing the creator abandoned it or it was removed by Facebook.

The other two ways (that I know) of tracking profile views both use a method called Cross-Site Scripting, or XSS for short. This involves embedding JavaScript into your profile page, so that any time someone views your page, the JavaScript can read the information that Facebook has stored on that person’s browser (inside something called a “cookie”) and then give that information to a different website that can then process the information. Cookies generally contain some way of identifying a user, so if you were able to embed JavaScript into your profile page that could read the contents of another person’s cookie, it’s possible you could use that information to identify whoever is viewing your page.

The first of the two ways of using XSS to read cookies and figure out who’s checking out your profile is to embed the JavaScript into your profile yourself, if you know how to do it (it isn’t difficult, and it can be done without the user knowing what hit them). According to the Wikipedia article “Criticism of Facebook,” a user embedded JavaScript into the Hometown field of their profile back in March of 2006, which easily could have been used to track profile views. However, Facebook fixed this problem, and JavaScript cannot be embedded in this way.

That leaves the second way it can be done, which is by having an application do it for you by having embedded JavaScript in an application box on your profile. In July 2007, Adrienne Felt discovered a hole in Facebook security that allowed this. However, Facebook found out and the bug was fixed, meaning applications can no longer do this.

Considering that these methods do not work, I have a hard time believing that anything could since I don’t know of any other way to do it. However, I certainly don’t know everything, which brings me to my last point, Facebook’s Developer Principles and Policies.

In Facebook’s Developer Principles and Policies (DPP), it specifically states that developers are not allowed to make applications that track profile views: “You must not track visits to a user’s profile, or estimate the number of such visits, whether aggregated anonymously or identified individually” (DPP II.5b). This means any applications that promise tracking profile views are in direct violation of Facebook’s policies.

So what does that mean for such an application? A slap on the wrist? Not quite. According to DPP XII.6, Facebook reserves the right to remove applications that violate its policies.

So basically, most of these applications and groups that promise you things like profile view trackers are really just spam that try to trick as many people as possible. However, as mentioned above, some people have succeeded in doing things that could track page views, but Facebook promptly fixed those bugs. Despite those fixes, there is still the potential of someone finding a new bug and exploiting it in a way that allows a profile tracker to work. However, as we’ve seen, Facebook has been good about fixing security holes like this quickly and reserves the right to remove applications that violate their policies. Considering the fact that the policies explicitly mention that profile trackers are not allowed, it wouldn’t surprise me if they had people monitoring applications and making sure none of them could do what they say they can.

So, even if you find a profile tracker that doesn’t seem like spam and somehow gets around Facebook’s security and actually works, there is no way Facebook will allow it to stick around, so it really isn’t worth bothering at all, it’s a complete waste of time. In the future, if you see anything promising a profile tracker or something similar, ignore it, it either doesn’t work or won’t for much longer.

You can view the Facebook’s Developer policies here:
http://developers.facebook.com/policy/

Another way of potentially tracking who visits your profile is through Google Analytics, which can give you all kinds of information about who visits different websites, where they come from to get there, etc. However, in order for Analytics to work, you have to embed JavaScript in your profile, which Facebook does not allow, as mentioned in this group’s description. So, if you come across anything that claims it can track who views your profile through Analytics, you know they’re lying.

There’s an application out there called Stalker Check or Fan Check or something. That application is legitimate, but it DOES NOT keep track of how many times people VISIT your profile; it makes its rankings of who ‘stalks’ you by counting up how many times they post on your wall or comment on your status or photos. There’s no way for Stalker Check to keep track of profile views for the same reasons mentioned in the Group Description.

Also, if for some reason you feel the urge to try out something that claims it can actually track people who visit your profile, DO NOT give them your profile information if they ask for it. I’ve heard of people doing this and then having their profile taken over and used to spam their friends. One person even got signed up for a whole bunch of stuff because of this since they had their phone number on their profile.

I was recently told that another way of implementing a profile tracker is by exploiting a hole in Flash scripting, which apparently some applications were able to do. As I said in the group description, I don’t know everything, and the fact that I didn’t know Flash could be used to do something like this is proof of that. However, the security holes that allowed applications using Flash to track profile views have been patched up and can no longer be used to do that. As I said in the description, even if you hear of new things that come along and exploit some new security hole not yet secured by Facebook, since Facebook is committed to preventing people from tracking profile views, they will patch up the holes that new applications exploit, as they have done in the past. Again, signing up for these trackers is a waste of time. Either they don’t work, or won’t for long.

================================

I would appreciate it if you could invite other people or at least show them my explanations for why profile trackers do not work. I don’t care if they join the group, I just want people to know about these things so people stop getting tricked and scammed. Joining the group would probably make it easier for more people to see this, but as long as the word gets out that these things are scams, I could care less.
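The cookie-reading XSS described in the group description above (the 2006 Hometown-field case) depends on a profile value being placed into the page unescaped. The following is an added example, not code from the article, the group’s creator or Facebook: the vulnerable rendering pattern beside its hardened form, plus a small detection check. The field names, the profile record and the `tracker.invalid` hostname are constructed sample data.

```javascript
// Added example, not code from the article, the group creator or Facebook.
// The "script in the Hometown field" issue is the classic stored-XSS pattern:
// a user-supplied profile value is concatenated straight into the page, so any
// <script> it contains runs in every visitor's browser, where document.cookie
// is within reach. The fix is to HTML-encode the value before rendering it.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Encode every character that can open or close markup in an HTML text node
// or attribute value. Applied to untrusted data only, never to the template.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: raw concatenation. Kept only to show what the fix changes.
function renderProfileFieldUnsafe(label, value) {
  return `<div class="field">${label}: <span class="value">${value}</span></div>`;
}

// Hardened form: the label is a trusted constant, the value is escaped, so the
// browser shows the markup as literal text instead of executing it.
function renderProfileField(label, value) {
  return `<div class="field">${label}: <span class="value">${escapeHtml(value)}</span></div>`;
}

// Defender-side check: flag submitted values that contain markup so they can be
// logged and reviewed. Escaping is the real protection; this is only a signal.
function looksLikeMarkup(value) {
  return /<\s*\/?\s*[a-z!?]/i.test(String(value));
}

// Constructed sample profile: one benign value with characters that must be
// escaped anyway, and one value carrying the kind of script a scam would plant
// (the hostname uses the reserved .invalid TLD, so it resolves nowhere).
const SAMPLE_PROFILE = {
  Name: "Greg O'Brien & Co.",
  Hometown: 'Iowa City <script src="http://tracker.invalid/t.js"></script>',
};

// Render a whole profile with the hardened renderer; returns the HTML string.
function renderProfile(profile) {
  return Object.entries(profile)
    .map(([label, value]) => renderProfileField(label, value))
    .join("\n");
}

console.log(renderProfile(SAMPLE_PROFILE));
```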

By Greg Johnson

Greg Johnson is a freelance writer in Iowa City and also the founder and Director of the ResourcesForLife.com website. He also manages IowaCityWebDesignArtist.com and many other topic-specific websites. Learn more at AboutGregJohnson.com.