zveloBLOG™ - alerts, discussions, studies, articles, white papers about the latest malware, spam, phishing scams, and other Web threats researched or detected by zveloLABS™.


  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
Posted by on in Affiliate Marketing
  • Font size: Larger Smaller
  • Hits: 35077

Affiliate Marketers Plague Facebook with Spam

Online advertising spending in the U.S. is on the rise. In the first quarter of 2011 alone, companies that sold online advertising reportedly surpassed $7 billion in revenue.1 Unfortunately, social engineering scams on Facebook also continue to thrive.2 How are the two related? Unsolicited Facebook spam in the form of status updates is actively infiltrating the social networking giant and aimed at tricking users into visiting websites ridden with survey scams and pop-up advertising, as is the case in the following analysis of a real-world example. This trend will continue to degrade the credibility of the online advertising industry and could possibly taint the images of the brands that these spam campaigns are targeting.

The Spam Campaign
zveloLABS® first discovered the following spam campaign in May 2011. It is one of many social engineering variants aimed at tricking users into spamming their friends. The spam campaign spread virally via a standard status update to a user’s wall (image 1), which read:

Awesome! A new way to see your profile’s full stats. I just checked how many people have viewed my profile and how much time I spent on FB this month :). Scan your profile and let me know how popular YOU are.

Sample Facebook spam for article titled
Image 1: Spam (status update) posted to a user’s wall

As most users aren’t aware that scanning any profile is not possible within Facebook, they don’t perceive anything unusual or detect any risk. The link within the status update pushed users to a website with instructions on how to “see who has been stalking your profile” (image 2).

Image 2: Cross-site scripting code that drove this spam campaign

Users that processed the cross-site scripting code (described further below) would in turn transmit the spam update to the walls of their friends. Considering how common it is for Facebook users to have hundreds of friends at a time, many of whom permit unmoderated posts to their walls from just about anyone else, this quickly became a far-reaching spam campaign.

Image 3: Survey posing as the human verification method

Users were then prompted to verify they were human via a survey–the real goal of the campaign (image 3). Exiting the survey proved tedious and a slew of pop-up ads were served along the way. Users that did complete the survey were ultimately treated to their profile statistics, which were completely bogus.

What’s Really at Work Here?
There exists a security vulnerability known as cross-site scripting (XSS), which, unfortunately, is found in many web applications. Pasting the code found in step one into a web browser exploits this vulnerability. In this particular spam campaign, the code was more self-XSS driven; meaning users willingly ran the code on their own. It is a way for spammers to run client-side (on the user’s computer) code within web pages viewed by others.3 zveloLABS highlighted the specific Javascript snippet that automatically pushed the spam to a multitude of users’ walls in a matter of microseconds (image 3).

Image 4: Javascript that spread this spam campaign

How is Facebook Spam Possible?
This spam campaign was periodic in nature and its longevity was fueled by the carelessness of users in “looping” it many times over. Plus, the spam can proliferate from many sources. zveloLABS identified a few of them below:

  • Spam may originate from a fictitious profile. Facebook accounts are not difficult to set up. Anyone with an email address and the willingness to cough up some personal information can get started.

  • Hacked Facebook accounts, in which access to the said account was probably attained by simply exploiting weakly established passwords, are another possible source. Research has shown that a third of computer users govern one password across multiple websites4 and that two of the most popular passwords continue to be “123456” or “password.”5 Such idiosyncrasies do wonders for spam.

  • Spam campaigns may stem from fake app pages, possibly found by users searching for anything related to “stats” or “scan profile.”

  • The spam campaign could have flourished from a common hyperlink. In most cases all that users need is a link to follow. Links can be buried within a web page, the body of an email, an instant messenger conversation, a text message or other social networks. Online ads can also divert users to malicious websites.

  • Finally, no source would be complete without mentioning the hacking community. Scripts exist specifically written to perform and repeat spam campaigns of this nature. These scripts are cheap and fairly easy to obtain.

The source of Facebook spam is as convoluted as finding the actual individual or network of people responsible. One must then wonder about the relationship between the spammers and brands, if one exists at all.

The Spammer-to-Brand Relationship
It is difficult to gauge whether a direct relationship exists between spammers and the brands their campaigns are tied to. A hint resides in one the pop-up ads served during the survey process (image 5).

Image 5: One of many pop-up ads served during the survey process

The pop-up ad itself was harmless. Classes and Careers (aka One on One Marketing, LLC) is a legitimate company founded by “dedicated education researchers and reporters,” as stated on their website. The site is a lead-generation tool apparently tied to an affiliate marketing platform that connects advertisers (educational institutions) with online publishers6 (Classes and Careers). Hundreds of these platforms exist.

Leads generated may be sold to educational institutions big and small for up to a couple of hundred dollars each. Leads may also be funneled to more than one entity at a time, creating a recruitment war of sorts. Some affiliate marketers only make money if the prospective students they refer actually enroll. In the latter scenario the payouts may be less frequent but they can be worth thousands of dollars more.

Affiliate marketing is vast and extremely complex. As such, the image of Classes and Careers should not be held in negative regard based on this article alone. The classes of people that hack websites or breach networks are likely the same ones developing spam automation methods for unethical affiliate marketers to earn profits from.

How Facebook is Addressing Spam
Facebook has been busy developing methods to counter spam within their network. Users are now warned about running code from within the address bar of a web browser. Facebook also partnered with Web of Trust, whose community of users rate the trustworthiness of websites. Just a few hours before the publishing of this zveloBLOG™ article, Facebook disabled many third-party applications to boost the security of its app platform.7 Only time will tell how effective these security enhancements will be.


  1. Unknown Author. (May 26, 2011). Internet Advertising Revenues Hit $7.3 Billion in Q1 ’11. iab.net. Retrieved June 27, 2011 from http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-052611.

  2. Elinor Mills, Senior Writer, cnet. (May 16, 2011). Facebook, spammers are in 'arms race.' cnet News. Retrieved June 24, 2011 from http://news.cnet.com/8301-27080_3-20063434-245.html.

  3. Unknwon Author. (n.d.). Cross-site Scripting. Wikipedia. Retrieved June 24, 2011 from http://en.wikipedia.org/wiki/Cross-site_scripting.

  4. Graham Cluley, Senior Technology Consultant, Sophos. (March 10, 2009). Do you use the same password for every website? Naked Security. Retrieved June 23, 2011 from http://nakedsecurity.sophos.com/2009/03/10/password-website/.

  5. Rick Broida, Contributing Technology Writer, BNET. (January 22, 1010). WTF: Millions Still Using '123456' as Their Password. BNET. Retrieved June 23, 2011 from http://www.bnet.com/blog/businesstips/wtf-millions-still-using-123456-as-their-password/6179.

  6. Unknown Author. (n.d.). Classesandcareers.com. Affiliate Scout. Retrieved June 23, 2011 from http://www.affiliatescout.com/classesandcareers.com.html.

  7. Unknown Author. (May 12, 2011). Keeping You Safe from Scams and Spam. Facebook Security. Retrieved June 27, 2011 from http://www.facebook.com/notes/facebook-security/keeping-you-safe-from-scams-and-spam/10150174826745766.
Trackback URL for this blog entry.
  • UFC 169

    Posted by Hurricane on 24 Aug 2012
    Lance Armstrong ...
  • education in america

    Posted by education city on 23 Aug 2012
    educational games ...
  • college board

    Posted by college search on 22 Aug 2012
    college finder ...
  • business help

    Posted by business cards on 21 Aug 2012
    international business news ...
  • education information

    Posted by education today on 20 Aug 2012
    education problems ...
  • Destiny Bosa

    Posted by Jazmin Mamon on 10 Aug 2012
    Rupert Joyce ...

As zvelo's Web Media Manager, Armando Carrillo, Jr. oversees the company's website, zveloBLOG™, social media channels and spearheads all marketing and creative content development initiatives. Armando works closely with the talented zveloLABS® engineers and zvelo's multi-lingual quality assurance Web Analysts to identify, to raise awareness about, and to spark open discussions on the latest types of web security threats and web usage trends as it relates to zvelo's technologies and service offerings for the OEM market.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 23 Apr 2014