In recent years, publishers, including BuzzFeed, have embraced embedded Facebook comments as a way to boost their readership, promote sharing, and outsource the painstaking work of community moderation. According to a new report from the security giant Symantec, these comments have become a breeding ground for scammers, who spread spyware and malware by baiting users with spam that promises free first-run movies.
"Enabling Facebook comments is supposed to make things more social," the author of the study, Satnam Narang, a senior security response manager at Symantec, told BuzzFeed News. "But anytime you introduce something new it's going to be ripe for the picking for scammers."
The Facebook comment plugin isn't new; the company introduced it in 2009. But this scam may well be. Here's how it works: Scammers, using either fake user accounts or Pages, leave comments below popular articles (Narang originally found the scam while he was reading the comments in an article on BuzzFeed about The Walking Dead). The comments contain a bit.ly link that redirects users through Adcash, an Estonian advertising network that, according to Symantec, "has been known to host advertisements that are malicious." (Adcash did not respond to a request for comment in time for the original publication of this article. For their full statement, see below.)
From here, users are taken to a fake video player. Clicking on the fake video redirects users to a technical support scam site. These sites, which have been around for years, induce pop-ups that falsely inform users that they have been infected with malware and typically include a number to call to "remove" the supposed malware. (The number usually calls a tech support worker who offers to clean a user's computer, for a cost, completing the scam.)
The "free movie" scam isn't ubiquitous, but it's also not limited to BuzzFeed's Facebook comments: Narang found examples of the same scam on ESPN and the Huffington Post. It affects users on PC, Mac, and iPhone. And it can be extremely effective. One fake video player, which claims to show last month's Paul Rudd vehicle Ant-Man, has been clicked on more than 5,000 times.
The "free movie" scam on Huffington Post and ESPN.
In a statement, a Facebook spokesperson told BuzzFeed News, "We proactively fight against this type of spam and malicious content in our Comments Plugin, just as we do on Facebook.com. We use automated systems and dedicated teams to classify and catch malicious actors, and when we identify spam we enforce against it by banning fake accounts and Pages, blacklisting bad links, and down-ranking spammy content."
However, according to the report, the scammers have devised clever methods to avoid automated spam filters. Scammers initially leave a purposefully innocuous comment; the example Symantec gives is "I like this." Shortly after the comment posts, the author edits it to add the "free movie" prompt.
On the publisher side, these scam comments prove surprisingly difficult weeds to pull. While community moderators do have a variety of options once they discover spam Facebook comments, including banning the user and reporting the user to Facebook, they do not have access to a real-time filtering system for Facebook comments, which would allow them to discover and remove spam as it is posted.
So even though, as Facebook told BuzzFeed News, the company "provides website owners with several anti-spam tools which we update as spammers change techniques," these kinds of scams may be a consequence the publishers that use embedded comments have to deal with.
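One way a publisher-side moderation hook could close the gap described above is to re-scan a comment on every edit event rather than only when it is first posted, so the "I like this" followed by an edited-in bit.ly link is caught at the edit. This is an added illustration, not code from Symantec, Facebook or BuzzFeed; the event format, the shortener list beyond bit.ly and the bait phrases are assumptions a moderation team would tune.

```python
import re
from urllib.parse import urlparse

# bit.ly is the shortener the report names; the rest of the list is an assumption.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "t.co"}
# "free" combined with movie/full/watch/stream in either order (assumed heuristic).
BAIT_RE = re.compile(
    r"\bfree\b.*\b(movie|full|watch|stream)\b|\b(movie|full|watch|stream)\b.*\bfree\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def risk_signals(text):
    """Return the set of risk signals present in one comment's current text."""
    signals = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).netloc.lower()
        if host in SHORTENER_DOMAINS:
            signals.add("shortener_link")
    if BAIT_RE.search(text):
        signals.add("free_movie_bait")
    return signals


def scan_events(events):
    """Evaluate each create *and* edit event against the comment's previous state.

    A comment is flagged when an event introduces a signal that the comment's
    earlier text did not carry, which is exactly the edit-after-post pattern.
    Returns a list of (comment_id, event_type, sorted new signals).
    """
    previous = {}  # comment id -> signals seen in its last known text
    flagged = []
    for ev in events:
        signals = risk_signals(ev["text"])
        new_signals = signals - previous.get(ev["id"], set())
        if new_signals:
            flagged.append((ev["id"], ev["type"], sorted(new_signals)))
        previous[ev["id"]] = signals
    return flagged


# Constructed sample event stream (hypothetical format, not the Facebook plugin's).
SAMPLE_EVENTS = [
    {"id": "c1", "type": "create", "text": "I like this."},
    {"id": "c2", "type": "create", "text": "Good write-up, the season finale was great."},
    {"id": "c1", "type": "edit", "text": "I like this. Watch Ant-Man full movie free -> http://bit.ly/a1b2c3"},
    {"id": "c3", "type": "create", "text": "More details here: https://example.com/walking-dead-recap"},
    {"id": "c2", "type": "edit", "text": "Good write-up, the season finale was great!"},
]

if __name__ == "__main__":
    for comment_id, event_type, reasons in scan_events(SAMPLE_EVENTS):
        print(f"flag {comment_id} on {event_type}: {', '.join(reasons)}")
```

Only the edit to c1 is flagged; the harmless edit to c2 and the ordinary link in c3 pass, which is the behaviour a create-time-only filter cannot provide.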
In a statement, Adcash responded to BuzzFeed News regarding Symantec's assertion that the ad network hosts malicious ads:
"The quality of our campaigns is always at the forefront of our thinking. We are constantly working as diligently as possible to ensure that nothing nefarious or malicious slips through the net, but, regrettably, there are times when “bad” campaigns end up on our system.
All campaigns, when they are first submitted, must undergo our validation process to ensure that they adhere to our policies. We did previously have an issue whereby malicious advertisers could change their campaign URL to redirect the user to a page which was not compliant.
As soon as we are made aware of these campaigns we work as swiftly as possible to remove them and deny access to those responsible for launching them. Going forward, we are introducing more advanced technological systems to help us with this and, at the same time, we are expanding our campaign validation team to help guarantee the quality of campaigns."