Feb 3, 2011 15:52 GMT  ·  By

Facebook scammers are trying to stay ahead of the social network's security measures by incorporating fast-flux-like techniques into their attacks.

Security researchers from Symantec describe a recent variation of the "profile spy" scam, which lures users with promises of showing them their Facebook stalkers.

Scams adopting this theme have repeatedly reappeared during the past year under different names, suggesting that the lure is still quite successful.

However, unlike most attacks of this type, the spam messages don't link directly to rogue Facebook apps, but to compromised legitimate websites.

These sites act as redirectors to the fake Facebook apps, which trick users into granting them permission to post spam under their names.

"The target destination, in this case the URL of the malicious Facebook application, is chosen at random by the script from a pool of active links. This means that resolving the URL will result in a different Facebook application URL every time," notes Symantec's Candid Wueest.

"Similar to the fast flux services that we have seen used by botnets for a while, the number of destinations used are in the dozens, and it appears that they are being updated over time," he adds.

Fast flux normally refers to a DNS technique in which records with very short TTL values are continuously updated so that a single hostname resolves to a large, rotating set of IP addresses. This quick IP rotation makes command and control servers more resilient to takedown attempts, since blocking or seizing any one address has little effect.

In this case, the scammers keep their campaigns alive for longer by constantly updating and switching both the redirect sites and the rogue Facebook apps, so that taking down any single app or redirector does not stop the scam.
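The rotation described above is visible to defenders as one name (or one redirector URL) pointing at many different destinations within a short time. The following heuristic, added here as an illustration and not code from Symantec or the article, flags that pattern in a combined DNS/proxy log; the hostnames, URLs and addresses in the sample are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional

class Observation(NamedTuple):
    ts: int                 # seconds since epoch
    source: str             # queried DNS name, or redirector URL
    destination: str        # answered IP, or redirect target
    ttl: Optional[int]      # DNS TTL in seconds; None for HTTP redirects

class Verdict(NamedTuple):
    distinct_destinations: int
    min_ttl: Optional[int]
    flagged: bool

def flux_report(obs: Iterable[Observation], window: int = 3600,
                min_distinct: int = 5, max_ttl: int = 300) -> Dict[str, Verdict]:
    """Flag sources that pointed at >= min_distinct destinations inside any
    window-second span and, for DNS, whose smallest TTL is <= max_ttl.
    HTTP redirectors carry no TTL, so only the destination count applies."""
    by_source = defaultdict(list)
    for o in obs:
        by_source[o.source].append(o)
    report = {}
    for src, rows in by_source.items():
        rows.sort(key=lambda r: r.ts)
        best, left = 0, 0
        for right in range(len(rows)):
            while rows[right].ts - rows[left].ts > window:   # slide the window
                left += 1
            best = max(best, len({r.destination for r in rows[left:right + 1]}))
        ttls = [r.ttl for r in rows if r.ttl is not None]
        min_ttl = min(ttls) if ttls else None
        flagged = best >= min_distinct and (min_ttl is None or min_ttl <= max_ttl)
        report[src] = Verdict(best, min_ttl, flagged)
    return report

# Constructed sample log (hostnames and addresses are placeholders, not from the article).
SAMPLE = [
    # DNS: flux-like name answered with a new IP every 2 minutes, TTL 60
    *[Observation(1000 + 120 * i, "flux.example.invalid", f"198.51.100.{i}", 60) for i in range(8)],
    # DNS: stable name, long TTL, single address
    *[Observation(1000 + 120 * i, "www.example.invalid", "203.0.113.10", 86400) for i in range(8)],
    # HTTP: compromised redirector sending each visitor to a different app URL
    *[Observation(2000 + 30 * i, "http://redirector.example.invalid/go.php",
                  f"http://apps.example.invalid/app{i}/", None) for i in range(6)],
]
```

Run `flux_report(SAMPLE)` to see the flux-like name and the redirector flagged while the stable name passes; tune `window`, `min_distinct` and `max_ttl` to your own traffic baseline.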

Of course, the purpose of these scams is to trick users into completing deceptive surveys that try to sign them up for premium-rate mobile services.

People affected by them should go to Account > Privacy Settings > Applications and Websites and remove the rogue apps. They should also clean their wall of spam messages.