The history of Facebook scams reveals a trial and error cycle behind each new mechanism devised to test users’ gullibility. Once upon a (not so very distant) time, scams would use Facebook apps to advertise themselves on the victim’s Wall. The “install this wonderful app” technique is now obsolete as fake browser add-ons/extensions or various updates grab the baton in the scam relay race. As expected, users developed a “nose” for these tricks, so scammers had to find another way to hit the bull’s eye. That’s where Facebook Events with a hidden agenda stepped in: getting people to attend and click the malicious links planted on the Event page. As Facebook comes up with security measures to deal with these fake Events, newer types of scam are being developed and will take the stage.
But what’s a rule without an exception? It was Leo (da Vinci, not di Caprio) who said “simplicity is the ultimate sophistication” and scammers couldn’t agree more. Just as the great Leo literally squared the circle with his Vitruvian man, some scammers are going about their business on the CAPTCHA square.
But let’s not get ahead of ourselves here.
First step: the bait.
Nothing special about it, it’s just something that can be used all year long and should draw attention immediately.
One click, and there goes the CAPTCHA trap. Let’s try to dismantle it:
1. Check out the highlighted URL at the top of the screenshot. ‘fb_comment’ is quite a strange element to be found in the URL argument. What has that to do with a CAPTCHA?
2. CAPTCHAs are usually made up of 2 words that the user must recognize. While one is pretty clear, the other should be more difficult (though not impossible) to decipher, to avoid automated recognition. In the example above, both words are crystal clear. They are designed to be easily recognized so no user is stuck at this step.
3. A closer look at the ‘SUBMIT’ button will reveal that the word ‘Comment’ appears somewhere in the background.
As things have been made very easy for all potential victims, chances are that plenty of people will enter the ‘ha haha’ words in the text box and click ‘SUBMIT’ only to end up in a classic survey maze.
While the survey loads, a new post (advertising the scam) will also make its way to the user’s Facebook Wall/Profile as the fake CAPTCHA is, in fact, a Facebook comment dialogue in disguise. Isn’t that neat?
Less hassle for the creators of the scam sometimes translates into more users fooled!
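The three warning signs listed above can be turned into a triage check for a captured page. This is an added example, not code from the original article; the snapshot fields (`url`, `challengeWords` with an `ocrConfidence` score, `buttons` with `underlyingText`), the 0.9 cutoff and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the original article). The snapshot fields below are
// a hypothetical format for what an analyst records from a captured page.
const COMMENT_TOKEN = /fb[_-]?comment/i;   // marker the article saw in the URL
const OCR_EASY = 0.9;                       // assumed "machine-readable" cutoff

function urlMentionsComment(rawUrl) {
  let parsed;
  try { parsed = new URL(rawUrl); } catch { return false; } // unparseable: no signal
  for (const [name, value] of parsed.searchParams) {
    if (COMMENT_TOKEN.test(name) || COMMENT_TOKEN.test(value)) return true;
  }
  return COMMENT_TOKEN.test(parsed.pathname);
}

function triageFakeCaptcha(snapshot) {
  const findings = [];
  // Sign 1: a CAPTCHA URL has no reason to reference a comment action.
  if (urlMentionsComment(snapshot.url)) findings.push('url-references-comment');
  // Sign 2: every challenge word is trivially readable, even by OCR.
  const words = snapshot.challengeWords || [];
  if (words.length > 0 && words.every(w => w.ocrConfidence >= OCR_EASY)) {
    findings.push('challenge-too-easy');
  }
  // Sign 3: the visible button label hides different underlying text.
  for (const b of snapshot.buttons || []) {
    const under = (b.underlyingText || '').trim();
    if (under && under.toLowerCase() !== b.label.trim().toLowerCase()
        && /comment/i.test(under)) {
      findings.push('button-masks-comment');
      break;
    }
  }
  return { findings, suspicious: findings.length >= 2 };
}

// Constructed sample snapshots (not real captures).
const scamPage = {
  url: 'https://scam.example/captcha.php?step=fb_comment&id=1',
  challengeWords: [{ text: 'ha', ocrConfidence: 0.99 }, { text: 'haha', ocrConfidence: 0.98 }],
  buttons: [{ label: 'SUBMIT', underlyingText: 'Comment' }],
};
const ordinaryPage = {
  url: 'https://site.example/signup?step=captcha',
  challengeWords: [{ text: 'overlooks', ocrConfidence: 0.95 }, { text: 'inquiry', ocrConfidence: 0.41 }],
  buttons: [{ label: 'Verify', underlyingText: '' }],
};
console.log(triageFakeCaptcha(scamPage), triageFakeCaptcha(ordinaryPage));
```

Requiring two of the three signs keeps a single easy-to-read challenge from being flagged on its own.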