Joe Wein's blog

Comments from Tokyo, Japan

The “Find your stalkers” Facebook scam

February 24th, 2011 · 12 Comments

Today I received a strange Facebook message. Supposedly one of my friends (an old classmate of mine in Germany) had posted on my wall, but the posting was in English. Now this German friend, unless he happens to forward me an English joke, always writes to me in German. There were several of these wall posts (please DO NOT CLICK on those links!):

23 February at 17:35:
According to http://goo.gl/6hr4J you’re my top stalker. Creep.

23 February at 17:35:
Secret tool shows who stalks your pics http://tinyurl.com/procreeper

23 February at 17:35:
Hey! This is awesome
Insane! Awesome tool to see who looks at your pics >> http://goo.gl/XsUqi

23 February at 17:35:
Hey! This is awesome
New FB tool shows who stalks your profile– http://goo.gl/FTx5T

23 February at 17:43:
Hey, whats happening?
Secret tool shows who stalks your pics http://goo.gl/DxvMD

So I contacted my friend and asked him if it was really him who’d written that or if his Facebook account had been hacked. He replied that it wasn’t him.

I investigated the links, which use the Google URL shortening service to hide the target URL:

tinyurl.com/procreeper => procreeper.info
goo.gl/6hr4J => theprochecker.info/?h
goo.gl/DxvMD => myprochecker.info/?i
goo.gl/FTx5T => procheckers.info/?e
goo.gl/XsUqi => theprochecker.info/?b

Domains procreeper.info, myprochecker.info, procheckers.info and theprochecker.info are all hosted at the same IP address (98.126.9.210, Krypt Technologies) and use the same name servers (ns1.imgurnot.com, ns2.imgurnot.com). The registrant is hidden behind a WHOIS proxy. The reverse DNS name of the host is “wowchatroulette.info”.
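The infrastructure pivot described above, as an added example that is not part of the original post: it reduces the expanded short links to their landing hosts, then groups domains that share an IP address or name-server set. The `sibling.example` and `control.example` rows and their 192.0.2.x addresses are constructed for illustration; all other values come from the post.

```python
from urllib.parse import urlsplit

# Short link -> expanded target, as listed in the post.
EXPANSIONS = {
    "tinyurl.com/procreeper": "procreeper.info",
    "goo.gl/6hr4J": "theprochecker.info/?h",
    "goo.gl/DxvMD": "myprochecker.info/?i",
    "goo.gl/FTx5T": "procheckers.info/?e",
    "goo.gl/XsUqi": "theprochecker.info/?b",
}

NS = ("ns1.imgurnot.com", "ns2.imgurnot.com")  # name servers from the post
# (domain, ip, name servers). The first four rows use the post's values; the
# last two are constructed: a sibling on another IP and an unrelated control.
RECORDS = [
    ("procreeper.info", "98.126.9.210", NS),
    ("myprochecker.info", "98.126.9.210", NS),
    ("procheckers.info", "98.126.9.210", NS),
    ("theprochecker.info", "98.126.9.210", NS),
    ("sibling.example", "192.0.2.55", NS),
    ("control.example", "192.0.2.10", ("ns1.example.net", "ns2.example.net")),
]

def landing_host(target):
    """Hostname of an expanded target, ignoring scheme, path, query and case."""
    if "//" not in target:
        target = "//" + target  # let urlsplit treat the first label as the host
    return (urlsplit(target).hostname or "").lower().rstrip(".")

def pivots(rec):
    """Infrastructure attributes of one record that other domains may share."""
    _, ip, ns = rec
    return {("ip", ip), ("ns", frozenset(n.lower() for n in ns))}

def expand_cluster(seeds, records):
    """Every domain linked to a seed, directly or transitively, by IP or NS set."""
    cluster, seen, changed = set(seeds), set(), True
    while changed:
        changed = False
        for rec in records:  # collect pivots of known members
            if rec[0] in cluster and not pivots(rec) <= seen:
                seen |= pivots(rec)
                changed = True
        for rec in records:  # pull in domains that share any collected pivot
            if rec[0] not in cluster and pivots(rec) & seen:
                cluster.add(rec[0])
                changed = True
    return cluster

if __name__ == "__main__":
    seeds = {landing_host(t) for t in EXPANSIONS.values()}
    print(sorted(expand_cluster(seeds, RECORDS)))
```

A shared IP on its own can also match unrelated sites on shared hosting, so a name-server match on top of it is the stronger signal.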

Here are other domains that appear connected to these domains (this is probably just the tip of the iceberg):


These sites have messages such as:

Find YOUR Stalkers

Find out who spends excessive time with your photos, reading your old wall posts, and looking at your friends list.

This is a scam designed to trick people into running a script on Facebook that sends a message to all of their Facebook friends, so that they too visit such websites. Anti-malware site TrendMicro warns:

Malware type : Spyware
Destructive : No
Platform : Windows 2000, XP, Server 2003
Encrypted : Yes
In the wild : Yes

This malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it poses as a Facebook stalker finder to be able to infect Facebook user accounts

(…)

This malware may be hosted on websites that run a malicious script when accessed by unsuspecting users.

It poses as a legitimate Facebook application. It propagates by sending IMs and status messages with links to websites where it can be downloaded.

This spyware executes when a user accesses certain websites where it is hosted.

See also this TrendMicro blog post on the subject.

If you have received wall posts like that in the name of a friend, click on the X to the right of the posts to delete them and alert your friend! Do not click on any of the links in the malicious posts.

Tags: scams · spam

12 responses so far ↓

  • 1 Kavya // Feb 24, 2011 at 20:19

    Hi.. I have the same kind of posts. I am not getting the option to delete it. Can you please help me on this?

  • 2 Joe Wein // Feb 24, 2011 at 20:49

    Are you logged in to your Facebook account when you visit the page with the posts? You need to be logged in to your FB account, or else you won’t get the “X” to click on, as only the page owner can clean the page.

  • 3 Christine // Feb 25, 2011 at 05:47

    What if one has already opened one of the webpages mentioned above… can I somehow know if I have this malware in my computer now? And get rid of it somehow?

  • 4 Joe Wein // Feb 26, 2011 at 08:35

    @Christine:

    I would recommend Microsoft’s Malicious Software Removal Tool (part of Windows Update) and Malwarebytes’ free Anti-Malware software.

  • 5 francesco // Feb 26, 2011 at 09:00

    do you know if it works on linux as well?

  • 6 Jennifer D // Mar 1, 2011 at 09:18

    I have a Mac; am I likely to be infected? Thanks for posting this!

  • 7 Joe Wein // Mar 1, 2011 at 23:24

    @Jennifer D:

    There are far fewer malware attacks against Macs, since due to their smaller numbers they’re less of an attractive target for malware writers.

    However, if you followed the instructions in those malicious links, your friends could have been invited to malicious sites where they could have got infected.

  • 8 vector // Mar 7, 2011 at 01:01

    hi… thanks for the good and rather useful post

  • 10 Arno van der veen // May 4, 2011 at 08:47

    tnx a lot for investigating it.. saves me a lot of time..

  • 11 Facebook Application For Facebook Stalkers | Benaughty Facebook // Nov 19, 2011 at 08:37

    [...] no way to tell who has looked at your profile. And there never will be :( Powered by Yahoo! Answers. Susan asks… Is the facebook application STALKER CHECK for real? If so, is it ranked on who visits your profile most often? or who last visited [...]

  • 12 Charlie Nelson // Jan 9, 2014 at 07:49

    I received a landline phone call from a man saying he was a Microsoft technician and that they had received info from my computer that it had a serious infection. He told me to hit the windows key and R key which brought up the run box. Then he told me to do the windows key & R again and then go to my downloads and locate an item that would be a red A. I told him I wanted proof of who he was. He rattled off a bunch of gibberish so I told him I wanted to talk to his supervisor. The supervisor came on and started the same gibberish the other guy had said. I told him that if he was at Microsoft then he had info about my computer and to read me what he had to verify that he had info and until he could prove who he was I wasn’t about to download anything to my computer!! He hung up! I assume these guys are calling to get an unsuspecting person to download malware.
