Saturday, May 11, 2013

Facebook Spam via Tagging

More of these posts are starting to show up; usually you only know about them via email.

I've been getting a lot more of these spam messages lately, involving a friend (or friend of a friend) sending spam messages and tagging others to improve spreadability. They're usually deleted within minutes after they show up, and due to their nature they appear to be automated. If that's the case it won't spread far, but there are a few things to get from it.

Stuff I do know about it: I know these messages exist because:

  • I get an email the minute I get tagged, even though I was untagged or the post was deleted. I concluded that it was deleted, because tag review notifications include posts which were deleted, and deleted posts technically still exist on FB's servers, with the privacy setting of that post set so that no one can see it.
  • The email is legitimate.
  • Who gets tagged appears to be random (though I don't know for sure because I never actually saw the live message).
  • It would be quite hard to tag specific friends of friends because you need to type in at least their first name and need to start typing their last name in full.
  • If the tags include friends, it can spread quicker because in most cases people don't use Tag Review and therefore any tag from a friend will auto-appear on their wall and a newsfeed post will be made about it. (With Tag Review on, it occurs only if a comment or like is made on the post in question.) Just tagging anyone will automatically hit their tag review wall.
  • If it was automated, you can apparently tag anyone in a status message... yet the official documentation for the Graph API for a status message doesn't say anything about tags.

I know there are some legitimate uses for tagging friends of friends (I usually do tags only if I am mentioning someone in a post that they can't normally see) but I feel like there are more ways for this feature to be abused. Although notifications that non-friends have tagged you can be turned off, it doesn't stop them from tagging you, so the activity log should be checked at regular intervals to ensure that people aren't associating you with... bad stuff.