Saturday, March 19, 2011

Don't click that link! (or: Staying safe on Facebook)

Almost every day I see people posting fraudulent spam links on Facebook. When clicked on, these links replicate themselves by posting a new link to the victim's wall, where more people will unsuspectingly see it and click on it. This morning, I saw one that was so convincingly authentic looking that I almost clicked it myself, and hesitated just at the last minute. These "clickjackers" or "likejackers" are getting clever, and it's not just the less technically savvy folks who are spreading their disease. So I thought I'd write up a quick guide on how to spot and avoid clickjacking.

Remember, though, that the scammers are always refining their methods to make their hijacked links less detectable, so this is only a general set of guidelines. If you're not sure, don't click. It's not worth it to see that "video of a whale smashing into a building in Japan! OMG!!1!" if it ends up spamming all over your friends' walls. So here's what to look for.

Check the URL 

For most posted links, Facebook generates a line of text below the link's title, indicating the home domain of that link. Before clicking, take a look at that information and see if you recognize the site; if it's YouTube, or a news site you're familiar with, you're probably safe.

But it's possible that the URL info generated could be deceptive; perhaps it's misspelled by one letter, or maybe it's just fake. 

Another, more accurate way to check is this: just hover your mouse over the link without clicking. Now look in your browser's lower left corner, and you'll see the URL to which you will be sent if you do click. You'll want to evaluate that URL for scammy potential. Look for: 

Linking to a non-US domain or one that does not end in ".com"
Many clickjackers use foreign domains (like .pl or .ru) or one of the newer generic top-level domains (like .biz or .info). If the link leads to one of these be extremely careful before clicking.

A very long url
Scammers can disguise a suspicious URL by making it so long that the incriminating domain information is lost or difficult to see in your browser. If you see a link that's very long and has a garbled string of random characters, it's probably not a safe place to click. Sometimes the hijacker will embed a red herring near the beginning of the URL, but the domain to which you will actually be directed is at the very end (possibly out of sight of your browser window).

Using a URL shortener
It's very common for malicious links to be shortened with one of the popular link shorteners like TinyURL. Shorteners allow the scammer to send you to any link at all without giving away your final destination, and while URLs from link shorteners can be perfectly legitimate, they should always raise a red flag that prompts you to take a second look.

A different link than indicated on the post
If the post promises to send you to "" but the URL shown in your browser's URL preview is to "" you know something is amiss. Don't click.

It's a good practice to make a habit of checking unfamiliar URLs in the browser no matter where you are online.
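The four red flags above (a non-.com domain, a very long URL, a URL shortener, and a mismatch between what the post says and where the link really goes) can be turned into a simple automated check. The script below is an added example written for this article, not code from the original post or from Facebook; it runs under Node.js (which provides the global URL class), and the shortener list, the "very long" cutoff of 150 characters, and the sample links are constructed here for illustration.

```javascript
// Added example (not from the original post): apply the article's URL heuristics
// to a link's real destination (href) and the text that was shown for it.
// Assumptions: Node.js runtime (global URL class); the shortener list and the
// length cutoff below are constructed for this example, not taken from the post.

const SHORTENER_HOSTS = new Set(['tinyurl.com', 'bit.ly', 'goo.gl', 't.co', 'ow.ly', 'is.gd']);
const LONG_URL_THRESHOLD = 150; // characters; arbitrary cutoff for this example

// Pull a host name out of free text such as "whale video on youtube.com", if any.
function hostMentionedIn(text) {
  const m = /([a-z0-9-]+\.)+[a-z]{2,}/i.exec(text);
  return m ? m[0].toLowerCase() : null;
}

// Last two labels of a host (e.g. www.youtube.com -> youtube.com) for a loose comparison.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Returns { suspicious, reasons[] } for one link.
function checkLink(href, visibleText) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { suspicious: true, reasons: ['not a parseable absolute URL'] };
  }
  const host = url.hostname.toLowerCase();

  // 1. Domain does not end in .com (covers .pl, .ru, .biz, .info and the rest).
  if (!host.endsWith('.com')) {
    reasons.push(`top-level domain is not .com (${host})`);
  }

  // 2. Very long URL that can push the real host out of sight in the status bar.
  if (href.length > LONG_URL_THRESHOLD) {
    reasons.push(`URL is ${href.length} characters long`);
  }

  // 3. Link shortener hides the final destination.
  if (SHORTENER_HOSTS.has(host)) {
    reasons.push(`uses URL shortener ${host}`);
  }

  // 4. The post names one site but the link goes somewhere else.
  const claimed = hostMentionedIn(visibleText);
  if (claimed && baseDomain(claimed) !== baseDomain(host)) {
    reasons.push(`text mentions ${claimed} but link goes to ${host}`);
  }

  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample links (not real posts), one per heuristic plus a clean one.
const SAMPLES = [
  ['https://www.youtube.com/watch?v=abc123', 'Whale video on youtube.com'],
  ['http://tinyurl.com/xyz', "OMG you won't believe this"],
  ['http://example.biz/' + 'a'.repeat(200), 'Free iPad!'],
  ['http://example.com/', 'Check this on youtube.com'],
];

function runSamples() {
  return SAMPLES.map(([href, text]) => ({ href, ...checkLink(href, text) }));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

As the article says, these are only guidelines: the .com rule will flag plenty of legitimate .org and country-code sites, and a shortener flag means "look again", not "malicious". The useful part is the fourth check, which compares the site the post claims to link to against the host in the real href, the same comparison you make by hovering over the link.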

However, there are malicious Facebook apps that will also re-post unwanted articles to your wall, so if you see a link to "" don't immediately think it's ok to click. There are a lot of scammy Facebook apps and it's up to you to avoid them. You'll want to take these extra precautions:

Consider the source

WTF Gramma?
Did your sweet grandmother post a link to a video titled "OMG you won't BELIEVE what this girl did with her DOG!!"? You might want to take a second look before clicking on it. Clickjackers rely on two things: your inherent trust of your friends and family to share things you will find interesting and your undying curiosity to see salacious or controversial material.
If you use a little common sense, you can spot this kind of unlikely link coming from someone who doesn't usually post material like this. You should definitely warn the friend or family member who posted the link, as soon as you see it, so that they can remove it before more people make that fatal click.

Hot Chicks Want to Meet YOU!
Another thing scammers will do is appeal to your desires; they'll post links to sites that promise free gadgets, amazing weight-loss plans, the ability to see who has viewed your profile, supposed messages from attractive people, and that sort of thing. Once you see a few of these, it's easy to spot them. If you're aware that you're NEVER going to get a free iPad just by filling out a couple of quick surveys, you'll think twice before following a link that promises such goodies. The word "free," especially written in all capital letters, never leads to anything good on the internet. You can trust me on this.

Everyone's doing it
Did several of your friends post the same suspicious link? Odds are that they have fallen victim to one mutual friend's poorly-timed click. It's best to investigate further before clicking this too-popular link.

Suspicious activity
Many evil sites will ask you to "re log-in" to Facebook. This is a pretty transparent attempt to capture your log-in information. I don't think I need to emphasize that you should never re-enter your Facebook password unless you know you are at

Another thing they'll do is tease you with the video or photo you were promised in the wall post, and then ask you to click a second link, or take a survey, or allow them to access your Facebook information, before you can see the material. Do not click that link! If you do, close the window and immediately start damage control, as described below.

If you DO click

Even if you're alert to the possibility of being clickjacked, it's always possible that you'll accidentally hit a spammy link. If this happens, know the signs and act fast. If the link takes you not to that fascinating video but instead to a site that wants you to "allow" it to have access to your Facebook profile, close that window and go back to your own wall to verify that nothing was posted without your knowledge.

Same thing if it takes you to a site that asks you to "click here" for any reason; scammers will disguise a "like" as a simple "click here," making it appear to your friends that you "liked" (and thus re-posted) the link to their video. Again, if you accidentally make that second click and are taken to a page that doesn't contain the promised video or site, close the window and go immediately to your Facebook wall to make sure nothing was posted.

Then, take a moment and visit your application settings in Facebook. To get there, go to the "Account" drop-down menu in the upper right and click on "Privacy settings." 

Then, in the lower left, look for the link to "Apps and Websites." Click on "Edit your settings." 

Then click on the "Edit settings" button in the "Apps you use" section (yes, Facebook makes you click and click and click yet again to change the most important settings). 

The list that comes up will show all of the apps you've allowed to access your Facebook information. They should all look familiar. Check the top ones; they are the newest. If you see anything suspicious, click the "X" to remove it.

Additionally, if the malicious link did post to your wall, post a notice to your friends at once, telling them that you didn't post intentionally. If you'd like to include a link to this article to help them deal with their own possible linkjacking, that would be fine.

So remember: check that URL, consider who is posting it, think about what the link is telling you, and if you're infected, clean up right away. And if you had your heart set on seeing that video about the whale hitting the building in Japan, just look it up in Google. You might find that it's not what you think.
