Facebook Scams Actively using Open Graph protocol
The Graph API presents a simple, consistent view of the Facebook social graph, uniformly representing objects in the graph (e.g., people, photos, events, and pages) and the connections between them (e.g., friend relationships, shared content, and photo tags). Every object in the social graph has a unique ID, and you can access the properties of an object by requesting it from the Graph API.
For example, a profile picture can be accessed through the Graph API in the following manner:
Profile pictures: http://graph.facebook.com/jack.jill.7906932/picture
Similarly, by calling the Graph API directly for any profile, we can access information about any user.
Visiting the above-mentioned URL reveals the following information (excerpt):
"name": "Jack Jill",
The same URL pattern works for all objects in the graph:
- People: http://graph.facebook.com/jack.jill.7906932/picture
- Events: http://graph.facebook.com/331218348435/picture
- Groups: http://graph.facebook.com/69048030774/picture
- Pages: http://graph.facebook.com/DoloresPark/picture
- Applications: http://graph.facebook.com/2318966938/picture
Scammers are actively using the Graph API to make their scams look more realistic. For example, one of the most actively circulating scams on Facebook is “Who is viewing your profile.”
Viewing the source of the scam page shows that it stores a set of Graph API profile-picture URLs in an array. The only restriction on loading these URLs is that the visitor must have an active Facebook session.
The scam then uses a randomization script to pick a different URL from the array and display it on the scam page:
// img_rnd is the array of Graph API /picture URLs collected by the scam page
var i = Math.floor(10 * Math.random());   // random index into the ten stored URLs
document.write('<img src="' + img_rnd[i] + '" alt="" />');   // render the chosen picture
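As an added example (not code from the original post), the following Node.js check scans a page's source for the three indicators described above: a batch of Graph API /picture URLs in an array, a Math.floor(N*Math.random()) index, and a document.write of an <img> that uses that index. The sample sources, their numeric IDs, and the threshold of five pictures are constructed assumptions for the demo.

```javascript
// Added example, not code from the original post: a static check for the
// scam pattern described above (array of Graph API /picture URLs, random
// index, document.write of an <img>). Sample sources below are constructed.

const GRAPH_PICTURE_RE = /https?:\/\/graph\.facebook\.com\/([\w.\-]+)\/picture/g;
const RANDOM_INDEX_RE = /Math\.floor\(\s*\d+\s*\*\s*Math\.random\(\)\s*\)/;
const DOC_WRITE_IMG_RE = /document\.write\(\s*['"]<img\s[^)]*\[\s*\w+\s*\]/;

// Every distinct Graph API object ID whose picture the page loads.
function graphPictureIds(source) {
  const ids = new Set();
  for (const m of source.matchAll(GRAPH_PICTURE_RE)) ids.add(m[1]);
  return [...ids];
}

// Each indicator is reported separately so a partial match is still visible;
// the page is flagged only when all three line up. minPictures (default 5)
// is an assumed threshold, not a value from the original post.
function analyzeSource(source, minPictures = 5) {
  const ids = graphPictureIds(source);
  const indicators = {
    manyGraphPictures: ids.length >= minPictures,
    randomIndex: RANDOM_INDEX_RE.test(source),
    documentWriteImg: DOC_WRITE_IMG_RE.test(source),
  };
  const hits = Object.values(indicators).filter(Boolean).length;
  return { ids, indicators, hits, suspicious: hits === 3 };
}

// Constructed page source mimicking the scam: ten placeholder IDs, then the
// randomizer shown in the post.
const SAMPLE_SCAM_SOURCE = `<script>
var img_rnd = new Array();
${Array.from({ length: 10 }, (_, n) =>
  `img_rnd[${n}] = "http://graph.facebook.com/10000000000${n}/picture";`).join('\n')}
var i = Math.floor(10*Math.random());
document.write('<img src="' + img_rnd[i] + '" alt="" />');
</script>`;

// Constructed benign source: a single Page picture, no randomizer.
const SAMPLE_BENIGN_SOURCE =
  '<img src="http://graph.facebook.com/DoloresPark/picture" alt="Dolores Park">';

for (const [label, src] of [['scam', SAMPLE_SCAM_SOURCE], ['benign', SAMPLE_BENIGN_SOURCE]]) {
  const r = analyzeSource(src);
  console.log(label, r.suspicious ? 'SUSPICIOUS' : 'clean', r.indicators);
}
```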
The scam then relies on affiliate networks and asks users to fill in fake forms before they can proceed with the application. Scams using the Open Graph protocol are not new, but they have not vanished either.