How To Hijack Facebook Likes, and Other Social Engineering

The Pinterest Giveaway Scam got pretty big today; at one point about 10% of Pinterest homepage pins were scam pins. In addition to the Starbucks offer, I counted at least three others -- for H&M, iPhone (of course), and GAP.

What fascinates me about the scam is the authors' crafty use of recognizable social media symbols to create an illusion of authenticity, and -- more importantly -- an illusion of endorsement. In other words, exploitation of cognitive biases, also known as social engineering.

Let's take a closer look at the "Starbucks" page (now available at but likely not for long). What do we see?

1. Pinterest's favicon, hotlinked directly from Pinterest's servers.  Other variations of the scam used Facebook's favicon.

2. A countdown of "packages remaining".  The counter resets at a random number lower than 500 (probably between 200 and 500) at the first page load, and then counts down to zero.

3. Fake "Pin It" button with a fake pin count set at 39K. The "counter" is a static gif, shared by the four different scams.

4. Hidden "pinnable" images. If you use the official Pinterest button on the scam page, it will tell you it can't find images or videos that are large enough to be pinned.  When you push the fake "Pin it" 39K button on the page, the more advanced variations of the scam serve a randomly selected image together with a randomly selected page URL to appear in the pin description. Here's one such image from the iPhone/iPad scam site (

All of these images are hotlinked from Pinterest -- they are real but unrelated pins by Pinterest's own users.  For example, one of the sources is this pin from a year ago, a picture which in turn was pinned from Apple's site.

5. Friends' endorsements.
At first, I was puzzled by the pictures of my eleven friends who, it seems, all have liked this site. My first guess was they all got somehow tricked into clicking the Like button during one of the later steps of the scam funnel. I asked a couple of them to go through their recent Like history, and none of them could find a record of "liking" anything related or even remember seeing the scam in the first place.

Look closer at the source code:

These pictures are displayed through a Facebook widget called Facepile, and what these pictures show are the faces of my friends who liked Facebook's own page and not the scam site (all four scam sites I saw used the same widget and showed me the pictures of the same eleven friends).  The trick is not immediately obvious because each time you load the page the widget shows a different set of three names and a random sequence of userpics.

Here, let me try to embed the same Facepile widget into this blog post:

If you are logged into Facebook, you should see pictures of your friends who liked this. What "this" means is left to the reader's imagination.

In other words, anyone can grab a list of someone's friends who liked, for example, and use it to fake their endorsement of an unrelated site.
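As an added illustration (not code from the original post), here is a small checker that reports what a page's Facebook social plugins actually endorse, so a reviewer can tell at a glance that the faces belong to fans of some other page rather than of the site showing them. The recognised embed forms, the sample markup and the `data-href` value it uses are assumptions, not taken from the scam pages.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Embed forms recognised (assumed): <div class="fb-facepile" data-href=".."> and <fb:facepile href="..">
PLUGIN_CLASSES = {"fb-facepile", "fb-like", "fb-like-box"}

def host_of(url):
    """Hostname without port or leading 'www.'; '' when the URL carries no host."""
    host = urlparse(url, scheme="https").netloc.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host

class PluginTargets(HTMLParser):
    """Collect (plugin, endorsed_url) for every Facebook social plugin in the markup."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            kinds = set((a.get("class") or "").split()) & PLUGIN_CLASSES
            if kinds:
                self.found.append((min(kinds), a.get("data-href") or ""))
        elif tag.startswith("fb:"):  # XFBML form, e.g. <fb:facepile>
            self.found.append((tag, a.get("href") or ""))

def classify(page_url, html):
    """Label each plugin by what its faces really endorse: 'same-site', 'facebook-page'
    (fans of a Facebook Page, not of this site) or 'cross-site' (another domain)."""
    parser = PluginTargets()
    parser.feed(html)
    page_host = host_of(page_url)
    report = []
    for plugin, target in parser.found:
        t = host_of(target)
        if not t or t == page_host:  # no href: the plugin defaults to the embedding page
            label = "same-site"
        elif t.endswith("facebook.com"):
            label = "facebook-page"
        else:
            label = "cross-site"
        report.append((plugin, target, label))
    return report

# Constructed markup imitating the scam page; the data-href is an assumed value, not copied from it.
SCAM_PAGE = '<div class="fb-facepile" data-href="https://www.facebook.com/facebook" data-max-rows="1"></div>'

if __name__ == "__main__":
    for plugin, target, label in classify("http://giveaway.example.net/starbucks", SCAM_PAGE):
        print(f"{label}: {plugin} widget shows people who liked {target}")
```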

Oh, and the author behind at least one of the scam sites is open to employment offers, with his email address tucked into the source code:

Update (March 6, 2012): Most of the scam pages have been taken down, but here's the source code of one of them:
