May 12, 2011 16:44 GMT

Scammers are managing to wreak havoc on Facebook by using a new trick to make malicious links appear as if they are part of the website's normal user interface.

One scam spotted by security researchers from Sophos preys on people's fears and asks them to verify their account in order to prevent receiving spam in the future.

"Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to the comment below to begin the verification process," the spam message reads.

Under the message, where the "Like", "Comment" and "Share" links are usually located, there's a link reading "==VERIFY MY ACCOUNT==" using the same styling as the legit ones.

Clicking on it executes code from an external domain which causes users to automatically repost the message on their walls.

"Assume that messages which ask you to verify your account by clicking on a link are false. You wouldn't (I hope) click on links in emails which claimed to come from your bank trying to panic you about your account.

"That would be a classic phishing scam using a false site to steal your username and password. So don't trust that sort of link on Facebook, either," advises Paul Ducklin, Sophos's head of technology for the Asia Pacific region.

However, not all scams employing this trick are this obvious. Another one uses offensive language in messages purporting to come from an app and presents users with a "Remove This App" link.
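The common thread in both variants is a link that imitates the post's "Like", "Comment" and "Share" actions but, when clicked, hands control to a script on another domain. The following is an added example (not code from the article, Sophos or Facebook) of the kind of check a defender or auditor could run over the links in a post's action bar: it classifies where each link would actually send the browser (same origin, external origin, or a code-executing pseudo-scheme) and flags any action label outside the expected set. The page origin, the expected action labels, the sample action bar and the `scam.example` host are all assumptions or constructed placeholders, not values from the article.

```javascript
// Added example, not from the article or Sophos. The article only says the rogue
// "==VERIFY MY ACCOUNT==" / "Remove This App" links executed code from an external
// domain; the classification rules below are this example's own.

// Assumed origin of the page whose action bars are being audited.
const PAGE_ORIGIN = "https://www.facebook.com";

// The three legitimate actions the article describes under a post.
const EXPECTED_ACTIONS = new Set(["Like", "Comment", "Share"]);

// Classifies one href. Returns "same-origin", "external", "script-scheme" or "unparseable".
function classifyLink(href, pageOrigin = PAGE_ORIGIN) {
  const trimmed = String(href).trim();
  // javascript:, data: and vbscript: hrefs run code in the page instead of navigating.
  // This check must come before URL parsing, because "javascript:..." parses as a valid URL.
  if (/^(javascript|data|vbscript):/i.test(trimmed)) return "script-scheme";
  let url;
  try {
    // Relative ("/x", "#") and protocol-relative ("//host/x") hrefs resolve against the page.
    url = new URL(trimmed, pageOrigin);
  } catch (e) {
    return "unparseable";
  }
  return url.origin === new URL(pageOrigin).origin ? "same-origin" : "external";
}

// Audits the links found in one action bar and returns a finding for every link
// whose label is not an expected action or whose target leaves the page's origin.
function auditActionBar(links, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const link of links) {
    const kind = classifyLink(link.href, pageOrigin);
    const reasons = [];
    if (!EXPECTED_ACTIONS.has(link.text.trim())) reasons.push("unexpected action label");
    if (kind !== "same-origin") reasons.push(`target is ${kind}`);
    if (reasons.length > 0) findings.push({ text: link.text, href: link.href, reasons });
  }
  return findings;
}

// Constructed sample: three legitimate-looking links plus the two rogue labels the
// article mentions. "scam.example" is a placeholder, not the real external domain.
const SAMPLE_ACTION_BAR = [
  { text: "Like", href: "/ajax/ufi/like.php?post=123" },
  { text: "Comment", href: "#" },
  { text: "Share", href: "//www.facebook.com/sharer.php?u=123" },
  { text: "==VERIFY MY ACCOUNT==", href: "http://scam.example/verify.js" },
  { text: "Remove This App", href: "http://scam.example/remove" },
];

// Running the audit over the sample prints the two rogue links with their reasons.
for (const finding of auditActionBar(SAMPLE_ACTION_BAR)) {
  console.log(`${finding.text} -> ${finding.href}: ${finding.reasons.join("; ")}`);
}
```

The origin comparison uses the browser's own URL resolution rules (`new URL(href, base)`), so a protocol-relative or relative href is judged by where it really resolves rather than by its text, and the scheme check catches hrefs that never navigate at all but execute script in the page, which is the classic shape of a self-inflicted cross-site-scripting link.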

Facebook seems to have fixed the problem to some extent as the rogue links have disappeared from under the messages. It's not yet clear how the scammers managed to pull this off, but the attacks had the feel of an XSS worm.

The rogue code hosted on the external domain was copied and posted on GitHub rather quickly for anyone to analyze. This might explain why more variants of the attack popped up later.