Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company's antispam defenses.
The spammers have modified their handiwork so it will get past Facebook's scam detection system, company spokesman Fred Wolens told CNET today.
"There are new methods they've picked up after we put out the protections on Thursday," he said. "It's an arms race. We put out new protections and they come up with new campaigns ... When we announced the new security features, they were calibrated for all the self-XSS attacks we'd seen at the time."
The company began turning on a feature last week that displays warnings when it detects that users are about to be duped by cross-site scripting (XSS) and clickjacking attacks. In such attacks, people are tricked into clicking something (clickjacking) or pasting some code into their browser Web address bar (XSS).
Yet there were several XSS attacks this weekend and today, and no warnings were displayed. In one of them, users were tempted with a post that said "Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!" (On a side note, Wolens artfully dodged the question of whether Facebook would ever add a "dislike" button.)
In all of these cases, the user's action results in the spam message being re-posted to the victim's Facebook page and to those of their friends. Ultimately, the victim is presented with surveys to fill out. The spammers are paid for each completed survey, so the farther the spam spreads, the more money they can make.
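The address-bar half of this attack depends on the victim pasting a `javascript:` URL into the browser and pressing Enter. As an added illustration (not code from the article or from Facebook), the hypothetical paste handler below classifies pasted text the way a defensive browser or site would, refusing to navigate to script-scheme URLs even when the scheme is disguised with mixed case or embedded tabs and newlines; the sample inputs are constructed.

```javascript
// Added example: classify text pasted into an address bar (or into a form
// that navigates to a user-supplied URL) before acting on it. Self-XSS lures
// rely on the victim pasting a `javascript:` URL, so a defensive paste
// handler should refuse to navigate to such text.

// Mimic URL-parser pre-processing: drop C0 controls and spaces at either end,
// then remove ASCII tab/newline anywhere (browsers ignore them inside URLs,
// which is why "java\tscript:" must still be treated as "javascript:").
function normalizeForSchemeCheck(text) {
  const trimmed = String(text).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  return trimmed.replace(/[\t\n\r]/g, "");
}

// Return the URL scheme in lower case, or null when the text has no scheme
// (plain words typed into an address bar become a search, not a navigation).
function extractScheme(text) {
  const s = normalizeForSchemeCheck(text);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Schemes that execute code in the current page's origin when navigated to.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Decide whether pasted text may be navigated to. Returns { allow, reason }.
function classifyPaste(text) {
  const scheme = extractScheme(text);
  if (scheme && SCRIPT_SCHEMES.has(scheme)) {
    return { allow: false, reason: "blocked " + scheme + ": URL (self-XSS pattern)" };
  }
  if (scheme === "data") {
    // data: URLs can also carry script; a conservative handler blocks them too.
    return { allow: false, reason: "blocked data: URL" };
  }
  return { allow: true, reason: scheme ? "scheme " + scheme : "no scheme (search)" };
}

// Constructed samples: a normal URL, a disguised script URL as a lure might
// instruct the victim to paste, and plain text from the lure itself.
const samples = ["http://example.com/", "  jAvA\tscript:void(0)", "enable dislike button"];
for (const s of samples) {
  const r = classifyPaste(s);
  console.log(JSON.stringify(s), "->", r.allow ? "allow" : "BLOCK", "(" + r.reason + ")");
}
```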
But "the hole is still there because they are still able to generate these posts" by tricking users into clicking links and following further instructions, he added.
Facebook is learning and improving the situation with each new spam campaign and iteration of its defenses, Wolens said.
"Within a few hours of this video (spam campaign) we were able to put that information back into the system to protect people," he said.