Scammers Turn to Affiliate Marketing Scams After Facebook Cracks Down on Clickjacking and XSS

Facebook fraudsters have figured out how to double their fun and are increasingly using scams to fuel affiliate marketing scams, according to a new report from Internet security firm Commtouch.

Earlier this year, clickjacking and self-XSS (users being tricked into running malicious code that would hijack their information) were a major headache for the social network. In May, Facebook introduced new security features such as additional login authentication options and Like confirmations specifically to combat the problem. Most browsers were also updated to make it harder to execute XSS attacks, and as a result, scammers have turned their attention elsewhere.

According to Commtouch’s year-end Internet Threats Trend Report, 74% of Facebook attacks now lead to affiliate marketing sites. Once on the site, users are prompted to sign up to receive a fake free gift, earning the scammers affiliate bonuses for traffic and often providing them with personal data for identity theft. The rest of the scams are either hoaxes, defacement, malware attacks or Like collection with no clear purpose.

The tactics scammers most commonly employ to trick users into visiting a site, adding an app or liking something are probably familiar to anyone who spends time on the social network — users are either offered free goods, lured in with sensational headlines, called to action to see some sort of amazing video or told to install an app. Overall the most used tactic in 2011 was the “must see this” lure, accounting for 36% of all scams. Between June and December the free goods offer increased in popularity, mirroring the rise of affiliate marketing scams. More than 26% of scams now originate from an offer for free goods.

The most common vector for Facebook scams is now users themselves, with 48% spreading through Likes and shares. Clickjacking accounted for 24% of scams, rogue apps 16% and malware and self-XSS 12%.

For its part, Facebook now scans almost 2 trillion link clicks and blocks more than 220 million posts and messages with malicious links every day. The social network has greatly cracked down on fake applications, and Commtouch found Facebook has improved the speed at which new scams are detected and removed. The entire Commtouch report can be found here.