Understanding the domains involved in malicious activity on Facebook


Alin Damian

Bitdefender, Romania
Editor: Helen Martin


Recent years have been marked by an explosive growth of social networks, with Facebook becoming one of the most attractive channels for cybercriminal activity. Alin Damian analyses some of the malicious domains extracted from Facebook applications and posts.

Recent years have been marked by an explosive growth of social networks including Facebook, Twitter and Google+. At the start of 2011, Facebook had around 600 million registered members – that number is now fast approaching one billion.

This paper will analyse malicious domains extracted from Facebook applications and posts, based on scams detected by Bitdefender’s Safego product. Previous studies of malware on Facebook have tended to focus on revealing the ‘social engineering’ part of the attacks, analysing their content and the way they spread. We will try to go deeper, looking at the domains on which these malicious applications are hosted, and the connection between applications’ hosting domains and those associated with more traditional methods of threat distribution (spam, phishing, etc.).


With nearly a billion registered users, more than 2.7 billion ‘likes’ and comments per day, and a huge presence all over the world, Facebook has become one of the most attractive channels for cybercriminal activity.

Experimental set-up

This study is based on URLs extracted from over 20,000 scam items (posts, comments, videos, etc.) detected by our Safego product. From these items we have extracted around 10,000 unique URLs, approximately 50% of which point to Facebook pages and applications (Figure 1).

URLs extracted from infected items flagged by Bitdefender Safego.

Figure 1. URLs extracted from infected items flagged by Bitdefender Safego.

Our first goal was to determine how many of the domains were also encountered in more traditional methods of threat distribution. We found that almost 47% of the analysed URLs had previously been seen in other channels of threat propagation. We split these into four categories: malware, spam, fraud (scams) and phishing (Figure 2).

Different types of threats found and their distribution.

Figure 2. Different types of threats found and their distribution.

Next, we analysed the URLs that hadn’t been found on any blacklists. The most striking observation in this case was the large presence of URL-shortening domains and hosting domains.

Distribution of URLs not found on blacklists.

Figure 3. Distribution of URLs not found on blacklists.

Of the shortening domains, the most dominant service was ‘bit.ly’ (90%), followed by ‘t.co’, Twitter’s shortening service. It is interesting to note that the same malicious URLs are used across several different social networks, combining Facebook, Twitter and others.

Distribution of shortening services.

Figure 4. Distribution of shortening services.

When it comes to hosting domains, the situation is a little more balanced. ‘Blogspot.com’ is the domain that appears most often, followed by Amazon’s ‘amazonaws.com’, and ‘co.cc’, a well-known domain in the world of scams and fraud.

Distribution of hosting domains.

Figure 5. Distribution of hosting domains.

A few questions probably come to mind, such as ‘What are these companies doing to stop scams being hosted on their domains?’ and ‘How long are these websites available before they are taken down?’. Unfortunately, the answer to the first question is ‘Not very much’. Of 121 malicious domains hosted at ‘blogspot.com’, about 94% remained active after more than 20 days. We consider this to be too long. (According to [1], on average, a phishing domain lasts about three days.)

Dangerous Facebook applications

A recent dangerous Facebook application that comes to mind is a scam disguised as an invitation to view a leaked sex video.

When the user attempts to view the video they are prompted to install a YouTube extension (which, of course, is malicious code rather than a real YouTube extension). Once installed, the extension changes all newly opened browser tabs to a page advertising an adult chat service.

The scammer is also now able to impersonate the user (by reading the cookie stored on Facebook.com), advertise the scam and ‘like’ the scam’s Facebook page from the victim’s account.

Another scam that deserves a mention is a ‘survey scam’ that tricks Firefox and Chrome users into installing a ‘Prenium’ plug-in.

An initial Facebook post invites the user to view a YouTube video showing an Italian model/TV host in an embarrassing situation. However, the user is told that they need to install a plug-in in order to view the video.

After following the instructions for installing the plug-in, the video described in the initial post is played – thus suggesting that this was a legitimate download. However, on returning to Facebook, just a loading icon is displayed.

Eventually, the browser redirects the user to a page stating ‘Your account was recently accessed from a location we’re not familiar with’. The text goes on trying to scare the user into believing that something is wrong with their Facebook account. However, the option to ‘Continue’ with the account verification process is not available because it is blocked by a scam survey.

In most cases, closing the page will get you out of this tight spot, but in this case the warning page comes back up no matter where you click: Profile, Messages, Privacy Settings etc. – all roads lead to the survey.

The browser add-on method as described above is a recent development in the world of social scams, and it seems to be quite efficient.

Benefits gained by cybercriminals

Ultimately, cybercriminals are seeking financial gain when creating and spreading malicious Facebook applications.

One of the main purposes of these Facebook applications is to spread malware, which can then be used in many harmful ways.

Some of the applications are intended to steal personal and sensitive information from users. For example, a user divulging his mother’s maiden name (the old standard used by many financial and banking sites to confirm identity and gain access to account information) can then be exposed to different types of attacks.

Other applications will lead to phishing websites, through which the cybercriminals may steal money or personal data.

The benefits for cybercriminals of the well-known ‘likejack’ campaigns are interesting. In a successful campaign, a Facebook page gains a large number of ‘likes’. This can be monetized in two ways:

  1. The cybercriminal may change the content of the page and advertise an attractive contest with a large sum of money or other valuable item as the prize. A page with 100,000 likes will seem more credible to users than a brand new one. Users will then be duped into entering the competition via some method that generates revenue for the attackers. For example, a Facebook page that impersonated Orange Romania claimed to be organizing a contest in which an iPhone 4S was up for grabs. The page claimed that, in order to be entered into the prize draw, users had to send an SMS (at the cost of two euros).

  2. A page with a large number of visits or ‘likes’ can be used to obtain money from advertising or pay-per-click websites.


To determine the lifespan of a Facebook application, we collected data for more than 1,000 applications over a 10-day period. On the 11th day, we rechecked the status of each of them. The results are plotted in Figure 6. We found, for example, that 33% of the applications collected on the third day remained active for eight days, until the end of our testing period.

Persistence of Facebook applications over time.

Figure 6. Persistence of Facebook applications over time.


We have seen that almost half of malicious URLs that spread in social media environments are also found in other traditional threats and the most dominant category found is ‘malware’. The other half is represented by URLs that are designed to be used in social media because they sit very well in this environment. We also showed that cybercriminals use malicious URLs in more than one social network, maximizing the chances of making a profit with minimum effort.

The goal of malicious Facebook applications is to help cybercriminals gain money from illegal activities – which may range from installing infected executables on users’ machines, to innovative and complex scams that trick users, or stealing sensitive information via websites that propagate through spam and/or which impersonate legitimate companies (phishing).


McGrath, D.K.; Gupta, M. Behind Phishing: An Examination of Phisher Modi Operandi. Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.



Latest articles:

APT vs Internet service providers – a threat hunter's perspective

Organizations in the telecommunications sector are faced with a multitude of threats, ranging from targeted attacks to malicious actions attributable to the criminal or activist world. Telsy researcher Emanuele De Lucia reports what he observed in…

VB2019 paper: APT cases exploiting vulnerabilities in region‑specific software

Some APT attacks are carried out by exploiting vulnerabilities in region-specific software. Government agencies frequently use such localized software, and this tends to be the target of attackers. In Japan, there have been many cases where attacks…

Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

Web application vulnerabilities are an important entry vector for threat actors. In this paper researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting…

VB2019 paper: Cyber espionage in the Middle East: Unravelling OSX.WindTail

It’s no secret that many nation states possess offensive macOS cyber capabilities, though such capabilities are rarely publicly uncovered. However, when such tools are detected, they provide unparalleled insight into the operations and techniques…

VB2019 paper: 2,000 reactions to a malware attack – accidental study

This paper presents an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. Many of the victims were unaware…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.