Survey scams are a daily occurrence for many Facebook users, and “See who’s stalking you on Facebook” is an often-used proclamation to lure the users to install random applications that post messages on their Walls to propagate the scam further.
Facebook fights every day to take the rogue pages and applications down, but it seems that as soon as one is removed, another one appears. Scammers have grown wise, and are beginning to use fast flux methods to keep the scam alive longer.
Instead of simply posting a shortened link that takes the user directly to the malicious Facebook application, they have begun using remote redirector sites, where a script chooses an application at random from a list containing the active ones.
This means that the link is different every time, and as the list is continuously updated, the scam lives on and on. “The remote sites could be hijacked or created by the attackers themselves,” explains Symantec’s Candid Wueest. “They are all showing the Facebook icon as the favicon and have a subdomain name corresponding to the application’s canvas name.”