Facebook link spoofing: are you sure that this link is safe to click?

Be careful: that link on Facebook you want to click might show you malicious content

Fake news,[1] click fraud and phishing campaigns are part of Facebook’s community. Unfortunately, the world’s largest social network is no longer a safe place to be. You cannot trust every link on your timeline or every message received on Messenger. Cybercriminals and crooks have managed to launch various illegal activities in order to reach users and steal their personal information.

During the past several years, numerous versions of the Facebook virus have appeared, and it seems that this cyber threat will not go away anytime soon. Researchers have just discovered a flaw that allows spammers or attackers to spoof links shared on Facebook. Therefore, you should not click on every exciting YouTube or other link your friends share, because it might lead to a dangerous website.

How spoofing links on Facebook works

Each link posted on Facebook has a few main components: the title, description, image and URL address. It doesn’t matter whether you share a link to an article or a video; these elements will appear in the post. Not so long ago, pages were able to edit this content before hitting the “Publish” button. However, due to phishing attacks and fake news, this feature was disabled in July 2017.

However, Barak Tawily, a 24-year-old security researcher, discovered that evil-minded people can still post malicious links without being banned from Facebook. Spammers can post spoofing URLs by taking advantage of how the social network fetches link previews.

When a user shares a link, the social network scans it and looks for the Open Graph meta tags. In order to display the link’s URL, image, description and other entries, Facebook scans for the “og:url,” “og:image” and “og:title” tags. However, the problem is that the social network does not verify whether the link in the “og:url” tag is the same as the landing page.

Therefore, spammers, scammers, and other crooks can take advantage of this flaw. They can enter their preferred URL address and hide it under a legitimate website’s address. For this reason, users can easily get tricked into clicking a fake YouTube link that leads to a tech support scam, a phishing page or even a malicious website.
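
A defender-side check for the gap described above, as an added example that is not from the original article or from Facebook: it parses a page's Open Graph tags and flags a preview whose og:url host differs from the host that actually served the page. The sample HTML and the landing.example host are constructed, and comparing exact hostnames (minus a leading "www.") is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:*" content="..."> tags from a page."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = dict(attrs)
        prop = (attrs.get("property") or "").lower()
        if prop.startswith("og:") and attrs.get("content"):
            # Keep the first occurrence of each tag.
            self.tags.setdefault(prop, attrs["content"].strip())


def normalized_host(url):
    """Lower-cased hostname without a leading 'www.' ('' if there is none)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_preview(landing_url, html):
    """Return (verdict, claimed_host, actual_host) for a fetched page."""
    parser = OpenGraphParser()
    parser.feed(html)
    actual = normalized_host(landing_url)
    og_url = parser.tags.get("og:url")
    if og_url is None:
        return ("no-og-url", None, actual)
    claimed = normalized_host(og_url)
    if not claimed:  # relative or malformed og:url carries no host to compare
        return ("unparseable", None, actual)
    return ("match" if claimed == actual else "mismatch", claimed, actual)


# Constructed sample: a page served from landing.example that claims a YouTube URL.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Funny video">
<meta property="og:url" content="https://www.youtube.com/watch?v=EXAMPLE">
<meta property="og:image" content="https://landing.example/thumb.jpg">
</head><body></body></html>"""

if __name__ == "__main__":
    print(check_preview("https://landing.example/page", SAMPLE_HTML))
```

A "mismatch" verdict is a signal for review rather than proof of abuse, since legitimate sites sometimes declare an og:url on a different subdomain.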

Facebook does not admit that there’s a problem

According to the media,[2] Facebook does not agree that there’s a flaw. The social media giant says that it uses the “Linkshim”[3] system, which protects users from phishing attacks and blocks malicious links. However, security experts doubt that this security system can work as well as Facebook claims. The issue with link verification allows attackers to include spoofed links that might be hard for “Linkshim” to detect.

Indeed, the reports about new Facebook video virus versions that spread on the social network or Messenger prove that there are some security vulnerabilities. Apart from spam and ridiculous scams asking users to tell friends not to accept friend requests from hackers,[4] malware, such as Locky ransomware,[5] has also managed to get onto Facebook. Therefore, users have to stay vigilant in order not to lose their files or personal information.

Security tips for Facebook users

It might be hard to identify which link on the Timeline is malicious. However, you should always be vigilant and pay attention to these details:

  • Hover over the link without clicking it in order to see the URL address it will redirect to. If it has random words or an unusual domain ending, do not click it.
  • Strange sentences and grammar or word-usage mistakes also warn about potentially dangerous content, especially if a user shares a link from a popular website.
  • Click-bait headlines and shocking or entertaining news are often the ones that are dangerous to click.
  • If a person who is not active on Facebook starts sharing strange content, it’s likely that his or her account has been hacked and is spreading potentially dangerous content.
  • If you receive a video or other link on Messenger, always ask the person if he or she wanted to share this content with you. It’s possible that this message was sent without the user’s knowledge.
About the author
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.
