Hoaxes

SCAM ALERT (Facebook virus): This poor girl committed suicide

Categories: Hoaxes, Technology: Tags: , , ,

Update: As of 2:33am Melbourne time, the situation is contained. Facebook have removed the problematic page. Password changes are still recommended for the 11K people effected… if you visited the page I suggest changing your Facebook password as a precaution.

The information below is now only for the record. I have removed certain information to help prevent the spread of the problematic code.


We have a new Facebook scam / virus, it’s a page titled “This poor girl committed suicide after her father posted this on her wall”

If you have this showing up on your wall removal instructions are below. Please note that this page may pose a risk that can compromise your account.

How the scam works – non technical

There is a facebook page “This poor girl committed suicide after her father posted this on her wall” on the page is a popup that says “Security Check” and asks you to confirm you are over 18. When you click confirm three things happen…

1) The page makes it so you like the page

2) The page posts itself as a link to your wall

3) The page posts itself as a link to your wall again

Your friends will now wonder why you like this page, and click on it. This is how it spread.

Additional note: If the page doesn’t trigger the above action automatically there is a message below the “security box” telling you “Sometimes, nothing happens when you press Confirm. If that is the case, press the “Message Here” tab again.”

As far as you go, we’re not done yet. You now have a new screen. It pops up with a second post, again saying “security alert”, but this time saying it is checking if you are human. It asked you to click buttons in a certain order then press submit to prove you are human.

Now you get a choice of surveys to complete, if you choose one it will take you to an external site in a new window. The Facebook window will sit there checking if you have completed the survey yet.

This is the point of the scam / virus, the person who coded this is using a survey for cash program and collecting revenue either for your work or as the referrer. (At this point we stopped caring to analyse this further).

You can remove the scam using the steps below, technical information about this scam is being written up right now and will be here within 30 minutes.

In pictures

You’ll probably need to click to enlarge these images and make them readable.

First it asks you to confirm your age.

Next it asks you to prove you are human: (Oh, and right clicking is, it says, “disabled by Facebook”)

Step 3 is where it asks you to choose a survey

Step 4, it opens a new window to show you your survey:

Mean time, the Facebook window sits there waiting for you to finish the survey:

Step 5: This is not really part of the scam, but trying to close the survey will cause some issues… the first few are popups. Don’t click any buttons on these, just press the escape key on the top left hand corner of your keyboard to get rid of them.

While these popups are distracting you, the site loads a new page:

Finally it closes!

Spread details:

Currently spreading at a rate of 1 person every six seconds. The limiting factors seems to be the server they are hosting it on… it can’t handle the load very well. This could be cause all their images are hosted on the server. They tried hosting them at image shack but the images were quickly removed (probably flagged due to bandwith skyrocketing which triggered an automatic response).

6458 8:59pm Melbourne, Australia time.

6473 9:00pm Melbourne, Australia time.Increase by 15 per minute.

6483 9:01pm Melbourne, Australia time. Increase by 10 per minute.

6493 9:02pm Melbourne, Australia time. Increase by 10 per minute.

6600 9:12pm Melbourne, Australia time. Increase by 10.7 per minute.

7510 10:25  Melbourne, Australia time. Increase by 910, 12.5 per minute.

8070 11:01  Melbourne, Australia time. Increase by 560, 15.6 per minute.

9835 11:50 Melbourne, Australia time. Increase by 775, 15.8 per minute.

10425 1:29 Melbourne, Australia time. Increase by 590, 6.0 per minute. A significant drop in the rate of spread.

10568 1:39 Melbourne, Australia time. Increase by 143, 14.3 per minute.

10817 1:52 Melbourne, Australia time. Increase by 249, 19.2 per minute.

11150 2:16 Melbourne, Australia time. Increase by 333, 13.9 per minute.

0 2:33 Melbourne, Australia time. Facebook disables the page. The “likes” have therefore vanished from everyone’s walls.

Technical Information

Firmly, the popup in step 1 above is not a popup, it is simply an image. Clicking it makes a call to a Facebook application, Application ID: 4949752878 more on that below.

The application is hosted on a server leadhoster.com and this domain is registered to a private (unpublished) owner. The registration is done by a German company  AttractSoft GmbH. Their abuse e-mail address is abuse@attractsoft.com.

The application uses at least two sub-hosts on the server. The code is in PhP. The first set of code is like.php this is what adds the application to your wall, twice, and make you “like” it. Is this triggered by step 1. Once it has run it takes you to step 2, hosted on another sub-domain.

Step 2.  This, for me, was on a second sub-domain it runs the blind.php file. This file stops right clicking and gives you the second pop up, when clicked it loads <a href=”http://www.cpalead.com”>http://www.cpalead.com</a> this is a site that provides surveys which generate cash for the person who gets you to fill them out. IT is designed to help content owners generate cash from people wanting to view their site.  In this case the application is using it (for http://www.cpalead.com publisher id 114295) to get Facebook users to fill out surveys so the owner can get cash. This is the pay load from the application.

It’s not harmful, but it is illegal. It falls into the category of acquiring a financial advantage by deception. It’s also a scam that is misusing the Facebook API to spread like a virus. It will therefore be against Facebook’s terms of use. Lets see how many people it gets before Facebook shuts it down.

The major technical limiting factor on this applications seems to be that their server can’t handle a very high load.

The Facebook Application

I should note there is also an event, which lists this application in it’s name, which is running from Monday, March 7, 2011 · 3:30am – 6:30am. The event created by ?EVVAL YASEM?N YÜRÜK VE EREN BAKICI which is actually another Facebook page. This page has only 213 fans and is apparently based in ?stanbul, Turkey.

Security alter

My facebook account password seems to have changed shortly after posting this… luckily I was logged in to tweet deck at the time, and as soon as it couldn’t login to facebook alarm bells went off. I immediately reset it and verified by phone.

Removal instructions:

1) Go to the page at http://www.facebook.com/pages/This-poor-girl-committed-suicide-after-her-dad-posted-this-on-her-wall/152552574785485?v=wall&ref=mf and click “unlike” on the left hand side

2) Go to your wall and hover over the two posts about this scam, now click the remove button

3) Go to the wall of who ever posted this (where you clicked it) and tell them to follow these instructions

4) reset your facebook password and any other accounts that use the same password – just to be safe.

All done

This page was created by CIE’s director, Dr Andre Oboler. Dr Oboler is is a social media expert and holds a Ph.D. in computer science from Lancaster University, UK and in 2007-2008 was a Post-Doctoral Fellow in Political Science at Bar-Ilan University, Israel. He is a former Legacy Heritage Fellow at NGO Monitor in Jerusalem, and edits www.ZionismOnTheWeb.org – a website countering on-line hate. His personal site, including details of publications, is at www.Oboler.com.

CIE’s most recent social activism project was Meet Gilad, why not check it out while you are here?

Post to Twitter Post to Yahoo Buzz Post to Delicious Post to Digg Post to Facebook Post to Google Buzz Post to Reddit Post to Slashdot Post to StumbleUpon Post to Technorati

, , ,

Jew Watch Petition

Categories: Antisemitism, Hoaxes: Tags: , ,

This hoax takes the form of an e-mail claiming YouTube will remove the antisemitic website Jew Watch from their search results the e-mail reaches 50,000 people. Some versions link to an online petition against Jew Watch.

What the hoax aims to achieve

This hoax was once legitimate, but that was back in 2004. Google responded saying it didn’t matter how many signatures were received they would not change their results. The petition today has 625,000 signatures. More background is below.

The Impact of this hoax

Each time this e-mail circulates it causes people to discuss JewWatch and they often link to it. This is one of the factors that make JewWatch a top search result.

What to do about it

Do not pass the e-mail on. Alert those who sent it to you that it is a hoax and direct them to this page. Do not link to Jew Watch while discussing this problem online. Each link exacerbates the problem.

If you want to provide a link on the text Jew Watch, link it to a site about the problem e.g. http://www.zionismontheweb.org/antizionism/jewwatch.htm or ttp://en.wikipedia.org/wiki/Jew_Watch.

Further Background

Jewwatch.com is an antisemitic website containing numerous articles on alleged “Jewish conspiracies”, “Jewish controlled press” and “Jewish Mind Control Mechanisms”. It ranks on the first page of a Google search for the word “Jew”.

Steven Weinstock, a real-estate investor from New York and former Yeshiva student started an online petition which requests that Google remove the website from its search results. The petition stated that if 50,000 signatures were obtained, Google would agree to remove the website from its search listings. Google have stated clearly that they “do not remove a page from  search results simply because its content is unpopular or because [they] receive complaints concerning it”.

The search engine uses a complex computer algorithm that take into account many factors to calculate a page’s rank. While it is unfortunate that the term “Jew” produced a website such as Jew Watch, it is not intentional on the part of Google. A detailed explanation on this issue is provided by Google at: www.google.com/explanation.

Please be advised that this petition is a hoax and Google will not remove the website based on the number of signatures obtained on this online petition. Adding your name will not have any effect on the search results or listing of anti-semitic websites in the Google registry.

Post to Twitter Post to Yahoo Buzz Post to Delicious Post to Digg Post to Facebook Post to Google Buzz Post to Reddit Post to Slashdot Post to StumbleUpon Post to Technorati

, ,

Youtube want to remove this video!

Categories: Hoaxes, Public Diplomacy: Tags: , ,

This hoax takes the form of an e-mail claiming readers must visit a specific YouTube video and send forward the e-mail telling them to do this to all their contacts.

The e-mails typically claim “YouTube wants to remove this video by using the excuse that not too many people are logging in”. There are a number of videos to which this hoax is attached.

What this hoax aims to achieve

The goal in this case may be legitimate, however the approach is problematic. Those initiating the e-mail want to increase the viewership of a video with an important message. This not only means more people see the message, but by increasing the viewership they make it more popular in YouTube, eventually perhaps getting it to the front page or to the top of various search results.

The problem is that YouTube does not remove videos due to “lack of views” or because “not enough people are logging in”. This misinformation about the way YouTube works is dangerous as it detracts from legitimate messages. If people are simply asked to help promote the video, the same goal can be achieved without the false panic.

What to do about it

Do not forward this hoax on to others. Reply to the person who sent it to you and direct them to this page.

In general check out our hoax archive or simply google a key phrase from the suspect e-mail. If it is a hoax, chances are someone will have written about it.


Post to Twitter Post to Yahoo Buzz Post to Delicious Post to Digg Post to Facebook Post to Google Buzz Post to Reddit Post to Slashdot Post to StumbleUpon Post to Technorati

, ,

Vote Israel Vs. Palestine

Categories: Hoaxes, Public Diplomacy: Tags: , , ,

This hoax takes the form of an e-mail claiming CNN is hosting an online poll on whether readers support Israel or Palestine. The poll is not at the CNN site but rather at israel-vs-palestine dot com. This is a hoax and has no relationship with CNN or another other reputable news media.

What does it aim to achieve?

The people running this site get advertising revenue each time people visit the page. This is due to “impressions” on their advertes. An impression occurs each time a new person looks at the page.

What to do about it

Do not forward this hoax on to others. Reply to the person who sent it to you and direct them to this page.

In general check out our hoax archive or simply google a key phrase from the suspect e-mail. If it is a hoax, chances are someone will have written about it.


Post to Twitter Post to Yahoo Buzz Post to Delicious Post to Digg Post to Facebook Post to Google Buzz Post to Reddit Post to Slashdot Post to StumbleUpon Post to Technorati

, , ,