Facebook scams and dodgy ads – a grumpy old man’s perspective

I’ve just spent a happy hour dealing with a Facebook scam encountered by a family member on their business account. The process is depressing and has reinforced my personal antipathy towards Facebook. Let me explain …

Fake[?] Facebook warning message

The scam

The scam in question threatens to suspend your account if you don’t follow a link to confirm some account information. So far, so classic, and my scamtenna immediately screamed ignore the message. As a business user however the recipient was naturally worried that their account could disappear and they would be cut off from their “fan base”. Further investigation was necessary to reassure them that the message was false; call Google (or Siri if you prefer).

The message is definitely a scam with variations of it discussed on scam/hoax busting sites across the web so time to get Facebook involved. This proved to be impossible on the iPad, device of choice for couch surfing, even following the advice in the help centre. Hauling out a “proper” computer we were able to report the message as spam and hopefully it gets attention because of that. However the GOM in me can’t leave it at that; there are a couple of things that I needed to follow up on.

Firstly the iPad difficulties.

As mentioned it’s the device of choice for many internet users (up to 50% now on some areas of our web site), and to have a missing function when you are trying to deal with such a dodgy event is bloody annoying. I’m “Mr always reads the manual” & couldn’t report it on their app. Maybe it’s possible, I didn’t see it.

Another problem on touch screen devices is the difficulty of inspecting anything. This is particularly bad on the iPad, with Apple’s aversion to user control but I’d bet I’d have the same problem on my Nexus. On a desktop I’d immediately hover and see the underlying link in the status bar or right-click and check. Unfortunately, in this case, that wouldn’t have helped because what you see is a genuine link to somewhere on the facebook.com domain.

I’m going to reproduce the link but for your safety I’m directing it to a safe destination:

https://apps.facebook.com/notifyforfanpages

/notifyforfanpages Facebook “app”

Secondly the link bait issue.

So the link is genuine and on the facebook.com domain so it’s easy to see how the less aware might be tempted to click through. If they do, as a good scam it now displays a convincing “Security Center” page. I followed it this far but left it at that. Various scam/hoax sites describe what happens next: give us your intimate details and some financial information “just for confirmation”. And the scammers have enough to fleece you and use your Facebook account for nefarious purposes.

How does an app masquerading as an official Facebook system get through the verification process?

Dodgy Facebook ads

Another annoyance are the right column ads which seem to be an endless stream of dodgy dating sites, nutritionally suspect diets and other link bait. As part of experimenting with the profile I added a fair amount of (hopefully) innocuous information and watched as these ads changed from mostly suspect diets and other products to mostly dodgy dating sites as Facebook found out I was a mid 50s UK male. It’s almost insulting and certainly irritating to be bombarded with this sh*t!.

Goodbye Facebook, hello less intrusive sites!

Most people just post child and animal pictures, stalk their older children and like other users’ cat posts so are unaffected by these scams. I’m particularly sensitive to security issues so I’m easier to drive away which is what happened with my personal account. I found myself feeling queasy about what was being shared where. I still can’t picture where the various items could end up or how, and grew fed up of having to review my settings every time Facebook changed something. The abiding picture I do have is of Randi Zuckerberg’s reaction to some new Facebook feature which in the ultimate irony ended up all over the internet. In spite of her resources it’s still around.

So I retired and now have a “professional” account I use as a kind of DEV system.

I’m far more comfortable Twittering and posting on WordPress where the intention is to share with everyone and you behave accordingly. For limited posting I’m experimenting with Google+ although I admit to not having mastered that to my entire satisfaction yet so could encounter similar problems (so far though no diet & dating dross).

I’ve posted the message I sent to Facebook as an aside below. I don’t expect a reply but I feel better having flagged it for some robot to categorise, auto-respond and shred.

Message to Facebook

A family member just received a threatening message about abuse and termination of her business pages within 24h for "violating policies".
In spite of reassurance (and evidence from Google searches that this is a known scam) she is still concerned so hopefully Facebook are too.
The particular cause for concern is the link embedded in the message which purports to be https://apps.facebook.com/notifyforfanpages. Naturally we have not clicked the link & being on the iPad it is difficult to investigate whether it is a true link (problem 1).
Assuming it to be spam I tried to report it on the iPad but even following the help center advice I was unable to find the icon to click (forward/share) and was unable to do so (problem 2).
At this point I decided to investigate on a "proper" computer & found they the link was not false; in other words https://apps.facebook.com/notifyforfanpages exists and looks very convincing, titled "Security Center on Facebook". Naturally seeing a page like this on the Facebook.com domain many people would assume that they have to follow instructions to confirm their details (problem 3).
I don't have the sandboxed system I'd need to test further - and am already uncomfortable opening the above page which has who knows what running in the browser trying to infect my device - so can't say what may be extracted from the unwary. I leave it to Facebook to investigate further.
I realise you cannot stop every dumb user from clicking through to links which may harm them or their bank balance but the above message is particularly worrying because of its use of the Facebook.com domain. I therefore expect you to take prompt action to close the /notifyforfanpages "app" for the protection of the unwary, and at least investigate how you can stop app developers using them to lull users into following link bait.
A good proportion of your user base is business engaging with their clients/customers on Facebook which is now embedded in our daily lives. Not all businesses have highly qualified technical security teams they can rely on to catch this abuse and, like my family member, are vulnerable to it. I believe it is therefore in Facebook's interest to move rapidly on this one.
Regards Nigel Boor
(Infrequent but concerned user)

Missing the Open Source point and spawning “Rats-to-Splat”

Being a local government web manager with severely limited and diminishing resources I’m always looking for ways to save money and generally do things better. A recent report in the Grauniad about the UK government switching to open source software was obviously a real eye catcher.

It’s beginning to happen at work (a shire county) with FileZilla, Firefox and The GIMP appearing on our desktops, but we are wedded to MS Office and there have been no signs of it being replaced by open source alternatives. A move by the UK central government to Open/Libre Office would certainly get the attention of local government. Interesting.

I’ve used open source extensively on my personal computers for quite some time and even contribute a bit as a beta tester and documentation writer to a few projects in the spirit of contributing something back. Despite the leeching aspect of the cost cutting reasoning behind switching to open source, I was genuinely and pleasantly surprised to read this piece and immediately went in search of greater detail.

The Grauniad piece has many quotes but no source links (and roughly 750 comments of the “yay, stuff it to M$” and “open source is unreliable crap” variety). Not helpful if you want to know how the switch is to be achieved. Worryingly though there are no quotes supporting the headline about switching to open source software; the more accurate quote in the subhead concerns “plans to standardise on open formats” which is entirely different.

I’ve traced the source of all this to a speech by Francis Maude to Sprint14 at the end of January. Sure enough there is no mention of booting out MS for Open/Libre Office, rather a well-reasoned section about “Open standards for document formats” and even a specific statement that “It’s not about banning any one product”. All sensible stuff and really about making sure our documents can be read by anything, not locked in to one company. If we then choose to use MS Office because that’s the best value, fine.

The Grauniad should force whichever sub-ed came up with the “switching from MS Office” slanted headline to write his resignation in [open source] L^AT_EX on [proprietary] Windows Notepad.

But what else did Maude say? Splat-the-Rat!

I read Maude’s entire speech before posting these comments and something else he covered in the “Exemplars” section was the drive to cut down on the plethora of government web sites. In my job I can sympathise with his “splat-the-rat” comment about sites popping up faster than you can decommission them. I saw an email yesterday which mentioned two more we’ve spawned; I’ve also had four conversations in the past two months about new sites and seen one launched in world record time promoting a local initiative. Infuriating if you are trying to fell trees so your users can see the wood.

With all the cuts in budgets you would expect the default position on new web sites, which are a continuing expenditure and demand staff time to maintain, would be to keep them to a minimum. Unless it fulfils one of three criteria it should never get off the ground.

1. it allows 24/7 transactions for the consumer which are more convenient for them and cheaper for us
2. it provides some vital information not easily discovered via Google^*
3. it pays for itself by supplying services users are prepared to pay for

So how did one of the sites I mentioned above get commissioned? Proudly displayed in the footer among the logos: “Funded by The Department for […]”. And where is the Df[…] website? The rat has been splatted and is to be found at www.gov.uk.

It happens too frequently. Some central government initiative sprays funding around and local government uses it to create what are effectively vanity publishing web sites. Scrutinise this Mr Osborne if you want to make some “efficiency savings”.

The phenomenon has to stop. Initiatives like sustainable transport, public health, recycling/waste reduction and consumer protection have the majority of their content in common, with some aspects which are local. For example, advice on measles is the same whether you are in Norwich or Northumberland; all that is local are the locations of pharmacies or medical centres. Why should every local health authority produce web pages giving the same advice? Can’t we all get our respective acts together to co-ordinate single resources on nationwide sites which include location aware components to display anything that might be specific to a locale.

This is not a new concept. I’ve re-blogged Richard Copley’s recent post on this subject although he restricts himself to just a local www.gov.uk.

So over to Francis Maude, Eric Pickles and all those local authority politicians and officers whose vanity gets in the way of co-operating because they can’t agree how to share funding and refuse to sacrifice their identity and use national sites.

---

* Other search engines are available