
Simply the Best

Will CAPTCHA-based scams ever die?

The history of Facebook scams reveals a trial and error cycle behind each new mechanism devised to test users’ gullibility. Once upon a (not so very distant) time, scams would use Facebook apps to advertise themselves on the victim’s Wall. The “install this wonderful app” technique is now obsolete as fake browser add-ons/extensions or various updates grab the baton in the scam relay race. As expected, users developed a “nose” for these tricks, so scammers had to find another way to hit the bull’s eye. That’s where Facebook Events with a hidden agenda stepped in: getting people to attend and click the malicious links planted on the Event page. As Facebook comes up with security measures to deal with these fake Events, newer types of scam are being developed and will take the stage.

But what’s a rule without an exception? It was Leo (da Vinci, not di Caprio) who said “simplicity is the ultimate sophistication” and scammers couldn’t agree more. Just as the great Leo literally squared the circle with his Vitruvian man, some scammers are going about their business on the CAPTCHA square.

But let’s not get ahead of ourselves here.

First step: the bait.

Nothing special about it: it’s just something that can be used all year long and should draw attention immediately.

One click, and there goes the CAPTCHA trap. Let’s try to dismantle it:

1. Check out the highlighted URL at the top of the screenshot. ‘fb_comment’ is quite a strange element to find in the URL argument. What does that have to do with a CAPTCHA?

2. CAPTCHAs are usually made up of two words that the user must recognize. While one is pretty clear, the other should be more difficult (though not impossible) to decipher, to avoid automated recognition. In the example above, both words are crystal clear. They are designed to be easily recognized so that no user gets stuck at this step.

3. A closer look at the ‘SUBMIT’ button will reveal that the word ‘Comment’ appears somewhere in the background.

As things have been made very easy for all potential victims, chances are that plenty of people will enter the ‘ha haha’ words in the text box and click ‘SUBMIT’ only to end up in a classic survey maze.

While the survey loads, a new post (advertising the scam) will also make its way to the user’s Facebook Wall/Profile as the fake CAPTCHA is, in fact, a Facebook comment dialogue in disguise. Isn’t that neat?
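The trick above only works if the real comment dialog can be drawn underneath a decoy page. The following is an added example, not code from the post or from Facebook, showing the defences a dialog endpoint and a wary user can apply; it assumes the disguise is done by framing the dialog under the fake CAPTCHA (which the post implies but does not state), and every URL and window object in it is a constructed mock.

```javascript
// Added example (not from the post): anti-framing defences for a comment-style dialog.
// Assumption: the fake CAPTCHA overlays a framed copy of the real dialog. All window
// objects and URLs below are constructed mocks, not live Facebook values.

// Server side: response headers a dialog endpoint should send so foreign pages cannot
// embed it. allowedOrigins (assumed parameter) lists origins that may embed it, if any.
function antiFramingHeaders(allowedOrigins = []) {
  const ancestors = ["'self'", ...allowedOrigins].join(' ');
  return {
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    // Legacy fallback for browsers without frame-ancestors; CSP wins where both exist.
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Client side: is this window embedded by a page of another origin? Reading
// top.location.origin across origins throws, and that failure is itself the signal.
function framedByForeignOrigin(win) {
  if (win.top === win.self) return false; // top-level page: nothing to worry about
  try {
    return win.top.location.origin !== win.location.origin;
  } catch (err) {
    return true; // SecurityError: a foreign page frames us
  }
}

// Decision the dialog page should make before drawing anything clickable.
// Usage on a real page: if (renderDecision(window) === 'refuse') hide the dialog body.
function renderDecision(win) {
  return framedByForeignOrigin(win) ? 'refuse' : 'render';
}

// User side: the post's first tell was an 'fb_comment' argument in a supposed CAPTCHA
// URL. Returns the query parameter names that hint the page is really a social dialog.
function suspiciousDialogParams(url) {
  const params = new URL(url).searchParams;
  return [...params.keys()].filter((k) => /comment|share|like/i.test(k));
}

// Constructed window mocks standing in for `window`, `window.self` and `window.top`.
function mockWindow(origin, top) {
  const w = { location: { origin } };
  w.self = w;
  w.top = top || w;
  return w;
}
// A top window whose origin cannot be read, as a browser behaves for a cross-origin frame.
const crossOriginTop = { location: { get origin() { throw new Error('SecurityError'); } } };
```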

Less hassle for the creators of the scam sometimes translates into more users fooled!

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Tudor FLORESCU

With experience in detecting and analyzing online threats, Tudor Florescu is going one step further and writes about them, trying to explain computer threats to the average user. His background in Foreign Languages and Communication combined with a passion for the Web, doesn