Tagging me, tagging you/ Is there nothing we can do?

Here’s the story of a scam that won’t make you feel like a Dancing Queen. It might even make Fernando scream. ABBA….about what? Well, about scammers having figured out how to further refine their highjacking techniques. Remember our friends, the Likejacks? Now meet their photo-addict cousins: the Tagjacks.

First, we’ve got a post in which you were apparently tagged in a friend’s photo album, by that very friend.

Nothing fishy, so far, except for a couple of details. The thumbnail on display represents a sexy girl. What’s wrong with that? Well, you may remember that we’ve already warned you against accessing shared photos or movies that promise to reveal sensational/shocking content.

If that did not give you any doubts about the legitimacy of this app, then how about reading the (not so) small print next to the thumbnail: “wow this works>> now you can see who your top facebook profile stalkers are!”. Really, now! This is quite an old bait that’s been used and re-used a gazillion times.

But as our friend, 00.7, the world’s least-known secret agent once said: “Love your stalkers as you love thyself” (or something of the sort), let’s see what happens if you actually follow the link. Voila!

Strangely familiar, isn’t it? Next move? Click login. Just like the doctor ordered.

Ta-daaaaaaaaaaaaaaaam! Permissions. Only two, it’s true, but they’re more than enough. Access my basic info will allow the app to find out the user’s list of friends, whereas the Post to Wall permission will enable it to post messages AND photos to the user’s wall. How convenient!

 

Click Allow, and that’s where the fun ends.

It’s the nauseating maze of content unlocking tricks that never work.

So, what happens after all? You end up with a new addition to your gallery: the sexy girl’s photo. Plus all of your contacts will be tagged in that photo so that the scam gets better visibility. Let’s not forget about the messages posted to all of your friends’ walls (announcing that they’ve been tagged).

All of this will trigger a very interesting water ripple effect (as illustrated below):

FRIEND A (clicked the link) -> FRIEND B* (gets a post on the wall about being tagged, may or may not click the link) -> FRIEND C* (sees the post about B being tagged and has access to the bad link even if B does not click it)

*B is A’s friend and C is B’s friend

Extra viral effect, say you? Right you are!

As scammers are getting greedier and their arsenal relies more heavily on the social platform’s legitimate functions, you should be looking out for the slightest sign of trouble before installing an application. Some guidelines on how to tell a good app from a bad one, here.

Don’t forget that:

–          No legitimate app can tell you how many times your profile has been viewed, who your stalkers/peekers are, who spied on you on the social platform.

–          You should take a good look at the list of permissions an app requests.

–          Shared controversial photos/videos are very likely to hide all sorts of traps.

This article is based on the technical information provided courtesy of George Petre, BitDefender Threat Intelligence Team leader

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.