How many times have we all seen comments like this on a Facebook status update: “Not like, but dislike,” or “I’d press Dislike if there was a button.” It’s a common complaint about the social networking site’s comment options; one can press the “Like” button to give a thumbs-up to a friend’s post, but there is no analogous “Dislike” button.
Now, enterprising scammers have taken advantage of that desire and built a Facebook app that not only lures users with the prospect of adding a Dislike button, but also gleans personal information and even uses a fake survey to add a US$5-per-month surcharge to unsuspecting users’ mobile phone bills.
The app eventually links to the apparently innocuous and legitimate Firefox add-on Dislike button distributed by FaceMod. For its part, FaceMod says that it has no part in the survey or the mobile phone surcharge scam.
Charging for Free Add-On
The app, one of many termed “rogue” by the security community, uses the lure of exclusive or eye-popping content to trick Facebook users into granting it access to their profile data. It then posts a spam status update to the user’s page advertising the scam, worded: “I just got the Dislike button, so now I can dislike all of your dumb posts lol!!”
Before that post appears, though, users are asked to complete a marketing survey of seemingly legitimate questions, such as what they like to do for fun, and are then invited to enter a mobile phone number. Unless they read the very fine print, submitting that number signs them up for a $5-per-month charge on their mobile phone bill.
Many don’t know that FaceMod’s Dislike button add-on is available for free from Mozilla’s Firefox add-on site; the scam charges for something that costs nothing.
Who’s at Fault?
The question for many is what Facebook chooses to do when such scams take the viral route through its user community — and why. A post to the Facebook Security page states, “beware of the fake Facebook ‘dislike’ button. As always, we advise you not to click on suspicious links on Facebook.”
Of course, it can be difficult to determine what exactly is a suspicious link when experts at malicious social engineering go to great lengths to make such links appear to be on the up-and-up.
“Facebook’s primary concern has not been protecting users,” Jennifer Golbeck, assistant professor of information studies at the University of Maryland, told TechNewsWorld.
While people who venture onto social networking sites need to be more aware of privacy issues and how to monitor who has access to their information, she noted, it can be very difficult in the context of a site such as Facebook that itself changes privacy settings frequently.
For example, the recent switch to the “Like” button for groups, versus joining a particular group, exposed a great deal of information about people’s personal interests by displaying those groups on a person’s “Like” list automatically, she pointed out.
However, Facebook may be doing the best it can without creating a bottleneck in app development, Beth Jones, senior security analyst with Sophos, told TechNewsWorld.
“In my opinion, it seems a bit of a no-win situation for Facebook,” Jones explained. “If they started checking every application’s code, they would get extremely bogged down, and they would lose their competitive edge. Apps would be very slow to roll out, and users would get frustrated and leave.”
We Have the Technology
Still, Facebook does have — and always has had — the ability to block third-party applications from its site. It takes a strong stand against some particularly egregious efforts to glean information, such as the data torrent that security consultant Ron Bowes aggregated from Facebook profiles recently.
“Though I’m not an engineer, I can imagine the site can guard against large-scale efforts to capture user data,” Greg Sterling, founder and principal of Sterling Market Intelligence, told TechNewsWorld.
In fact, Facebook published very specific policies for app developers earlier this year. Its “Developer Principles and Policies” document was modified in March to specifically prohibit apps from publishing a story to a user’s Feed without that user’s explicit consent, given through a checkbox indicating that the content will be shared.
The spam message that virally advertises the “Dislike” button appears to be in direct violation of Facebook’s app policies.