Y-Cut in Red Light District

The writing

And then there was light! Now that the xxx Facebook scam tsunami’s over, the “self-XSS vulnerability” and the bunch of rascals having exploited it exposed, let’s see what we, the e-socialites at large, have learnt from this.

To do this, we’ll retrace the steps of a Lady Gaga-themed culprit that’s kept us all on our toes these days.

First off, the bait is cast:


One click takes you to the page where the promised movie is supposed to be found:


There follows a warning that’s bound to entice rather than to discourage the curious from continuing their quest:


There you have it! THE CODE. Ready to go. Here’s the takeout concept revisited for the virtual world.


And that’s where the coded magic happens. The tall, dark stranger you’ll be meeting here will leave some serious marks on your online social life. Basically, it will get hold of your list of Facebook friends and send them several variants of the Gaga scam. The code contains URL and text variables, which practically makes it capable of mixing things up as follows:

URL 1 + poor lady gaga lol.. nice video :D

URL 2 + check out lady gaga. haha!!text

URL 3 + omg did you see this lady gaga video?

I’m sure you won’t blame me for calling this scheme a mischief as even if you suspect that something is wrong and warn your friends about one of the variants above, the other two will still be allowed to roam free (you may argue that the messages are quite similar so that one warning might work for all three but…how many of your friends do you think will be so cautious as to dismiss all of those links. “This is a scam, but who’s to tell the other one’s not the real thing?”).

In general, in our social scam review we advise you to keep a close eye on what’s happening in your accounts so you can spot suspicious activity as soon as possible. Well, in this case, you’d have to be a true Hawk Eye or a psychic, as the code will send direct messages to your friends (as illustrated here below).


According to the logic of the platform, you will not be notified about these messages being sent in your name (why would you? You’re supposed to have hit the “send” button”).

On the other hand, the following notification will lead your friend on the road to perdition:


In other words, you won’t feel a thing until someone takes the time to hit you with the news: you’re spreading scams, man!

As these dramatic events happen in the background – this is where the code’s supposed to tell you to wait a bit so your request can be processed –you’ll be taken to THE SURVEY MAZE, from now on a.k.a. the place you don’t wanna be caught dead in.


Lessons of the day: to keep your Facebook account safe, you should never copy-paste any piece of code into your browser. Moreover, make sure you activate Tag Review in your Facebook Privacy Settings (Privacy Settings > How Tags Work > Tag Review > On), to avoid becoming the victim of tagjacking.

Don’t forget that Safego is there to help you and your friends stay away from trouble.

Stay safe and click wisely!

This article is based on the technical information provided courtesy of Tudor Florescu, BitDefender Online Threats Analyst and Andrei Serbanoiu, Bitdefender Analyst Programmer.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Ioana Jelea

Ioana Jelea has a disturbing (according to friendly reports) penchant for the dirty tricks of online socialization and for the pathologically mesmerizing news trivia. From gory, though sometimes fake, death reports to nip slips and other such blush-inducing accidents, her repertoire is an ever-expanding manifesto against any Victorian-like frame of thought that puts a strain on online creativity. She would like to keep things simple, but she never does.