Inside Facebook security: defending users from spammers, hackers, and 'likejackers'


If Facebook were a country, it would be the third largest in the world, just behind India and China. And like any country, Facebook has a police force to keep things under control: 300 people have been entrusted with protecting a 900-million-person virtual society from itself and from external forces. How do you look after people who use the same username and password on every website and get "hacked"? What about "likejackers" determined to make people spam themselves over and over again? What do you do when Facebook users keep clicking on tantalizing links like "WATCH: Justin Bieber stabbed by lunatic fan"? Facebook's deal with the world's biggest anti-virus companies to include their blacklists in Facebook's URL-scanning database got us thinking about the other things the company does behind the scenes to keep its users safe, because a hacked, spammed, and depressed user isn't coming back for more. "Creating friction is the key to making users aware of what they're actually doing," Facebook Security and Safety team member Fred Wolens said, because the vast majority of "hacked" Facebook accounts don't get hacked on Facebook.

Dumping and scanning

Facebook starts by scanning the usual PasteBin-style sites weekly for hackers dumping thousands of usernames and passwords. It cross-references each credential dump with its entire database of user credentials, then alerts any users whose credentials match and asks them to change their passwords. By signing up for Facebook, you've inadvertently entered yourself into its witness protection program, of sorts. During events like the Gawker credentials leak and the PlayStation Network breach last year, Facebook alerted users whose passwords were on the loose. "We keep our ear close to the ground," Wolens told us.
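The article does not say how the cross-reference is done, and a site that stores passwords properly has no plaintext to compare against. The following is an added example, not Facebook's code: it checks a constructed "email:password" paste against a hypothetical user table that holds only a salt and a PBKDF2 hash per account, by hashing each leaked password with that user's own salt. The e-mails, passwords and dump lines are made up for the example.

```python
import hashlib
import hmac
import os
import re


def hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256 here; bcrypt/scrypt work the same way)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_db() -> dict:
    """Hypothetical user table keyed by lowercase e-mail. The passwords are constructed
    test data and are discarded once hashed; the table holds only salt and hash."""
    users = {}
    for email, password in [("alice@example.com", "hunter2"),
                            ("bob@example.com", "correct horse battery staple"),
                            ("carol@example.com", "S3cure!pass")]:
        salt = os.urandom(16)
        users[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return users


# Constructed paste in the "email:password" form common in credential dumps. It
# includes a comment, a wrong password for a real user, a mixed-case e-mail,
# an unknown user, and a line with no separator.
SAMPLE_DUMP = """\
# leaked from some-forum.example
alice@example.com:hunter2
bob@example.com:password123
Carol@Example.com:S3cure!pass
nobody@example.net:whatever
garbage line without a separator
"""

LINE_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")


def parse_dump(text: str):
    """Yield (email, password) pairs, skipping comments and unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def find_exposed_users(dump_text: str, users: dict) -> list:
    """Return the users whose *current* password appears in the dump.

    Each leaked password is hashed with that user's own salt and compared in
    constant time, so the check works against a properly hashed store, and a
    leaked password that merely belongs to the same e-mail on another site
    does not raise a false alarm.
    """
    exposed = []
    for email, leaked in parse_dump(dump_text):
        rec = users.get(email)
        if rec is None:
            continue
        if hmac.compare_digest(hash_password(leaked, rec["salt"]), rec["hash"]):
            if email not in exposed:
                exposed.append(email)
    return exposed


if __name__ == "__main__":
    db = make_user_db()
    for email in find_exposed_users(SAMPLE_DUMP, db):
        print(f"notify and force password reset: {email}")
```

The cost of this check is one password hash per matching e-mail, which is why a site can only afford it for users whose address actually appears in a dump rather than for every user against every leaked password.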


Another measure Facebook takes is stripping the referring URL from every one of the two trillion links posted to Facebook every day when a user clicks it. In other words, when you click a link on Facebook that takes you to an ESPN article, ESPN cannot see which Facebook page referred you to its site; instead it sees something like "facebook.com/l.php?u=http%3A%2F%2F." These "sanitized" URLs keep external websites from learning which profile or page a click came from and using that personal information against you.
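A link shim like the one described above has two sides that are easy to get wrong: it has to hand the browser a navigation whose Referer is the shim rather than the originating page (a plain 302 does not achieve that, because browsers carry the original Referer across redirects), and it must not become an open redirector for javascript: or data: payloads. The code below is an added illustration, not Facebook's implementation; the origin `www.social.example`, the `u` parameter and the client-side meta refresh are assumptions modelled on the URL form quoted in the text.

```python
import html
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SHIM_ORIGIN = "https://www.social.example"   # hypothetical origin for the example
SHIM_PATH = "/l.php"                         # path form modelled on the article's example
ALLOWED_SCHEMES = {"http", "https"}


def build_shim(target: str) -> str:
    """Rewrite an outbound href so the click goes through the shim."""
    return f"{SHIM_ORIGIN}{SHIM_PATH}?{urlencode({'u': target})}"


def resolve_shim(shim_url: str) -> Optional[str]:
    """Recover the target from a shim URL, refusing anything that is not a plain
    http(s) URL so the shim cannot be abused as an open redirector for
    javascript:, data: or scheme-relative (//host) payloads."""
    parts = urlsplit(shim_url)
    if parts.path != SHIM_PATH:
        return None
    target = parse_qs(parts.query).get("u", [None])[0]
    if not target:
        return None
    t = urlsplit(target)
    if t.scheme.lower() not in ALLOWED_SCHEMES or not t.netloc:
        return None
    return target


def shim_response(shim_url: str) -> tuple:
    """Serve the shim as (status, headers, body).

    Instead of a 302, the shim returns a small page that navigates client-side.
    The destination then sees the shim URL (or no Referer at all), never the
    profile or page the click originated from. The target is HTML-escaped so
    a crafted URL cannot break out of the attribute.
    """
    target = resolve_shim(shim_url)
    if target is None:
        return 400, {"Content-Type": "text/plain"}, "bad link"
    safe = html.escape(target, quote=True)
    body = (
        "<!doctype html><html><head>"
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        "</head><body>"
        f'<a href="{safe}">Continue</a>'
        "</body></html>"
    )
    return 200, {"Content-Type": "text/html"}, body


if __name__ == "__main__":
    shim = build_shim("http://espn.go.com/nba/story?id=1&x=2")
    print("destination's Referer:", shim)
    print(shim_response(shim)[0], shim_response(build_shim("javascript:alert(1)"))[0])
```

A shim that validates the target but still answers with a 302 leaks exactly the referrer it was meant to hide; a shim that navigates client-side but does not validate the target is an open redirector that phishers will happily use to put the site's own domain in front of their link.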

Likejacking, clickjacking, and password hacking

A popular and nefarious way that spammers manipulate you is by placing an invisible Like button on top of a real, visible button such as "Download File." For example, if you're trying to pirate an album from a suspicious site, the Download link might actually be a Like button that subscribes you to content from that site. Without knowing it, you are liking a page and thus polluting your friends' News Feeds with a spam post, which in turn generates ad impressions for spammers. These spammers can also push information into your own News Feed, much like brands whose pages you've liked can. Facebook responds to "likejacking" by sometimes showing a pop-up that confirms whether or not you meant to Like that website.
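The Like button is an embeddable widget, so it cannot be protected with frame-busting headers the way an ordinary page can; that is why the defence is a confirmation step rather than a refusal to be framed. What a scanner on the hunting side can do is look for the pattern itself: a Like-button iframe styled so the user cannot see it. The following is an added example, not Facebook's detection code; the sample page is constructed, and the plugin path `facebook.com/plugins/like` is an assumption used only to recognise the widget.

```python
from html.parser import HTMLParser

# Marker used to recognise the embeddable Like button; the real path is an assumption.
LIKE_BUTTON_MARKER = "facebook.com/plugins/like"


def parse_style(style: str) -> dict:
    """Turn 'opacity:0; position:absolute' into {'opacity': '0', 'position': 'absolute'}."""
    out = {}
    for decl in style.split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            out[k.strip().lower()] = v.strip().lower()
    return out


def invisibility_reasons(style: dict) -> list:
    """Why a user would not see this frame even though it still receives clicks."""
    reasons = []
    try:
        if float(style.get("opacity", "1")) < 0.1:
            reasons.append("opacity " + style["opacity"])
    except ValueError:
        pass
    if "alpha(opacity=0" in style.get("filter", ""):   # legacy IE syntax for the same trick
        reasons.append("filter alpha(opacity=0)")
    z = style.get("z-index", "0")
    if style.get("position") == "absolute" and z.isdigit() and int(z) > 0:
        reasons.append(f"absolutely positioned above other content (z-index {z})")
    return reasons


class LikejackScanner(HTMLParser):
    """Flag Like-button iframes that are styled to be invisible or stacked on top
    of other controls, which is the likejacking pattern described in the text."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        if LIKE_BUTTON_MARKER not in a.get("src", ""):
            return
        reasons = invisibility_reasons(parse_style(a.get("style", "")))
        if reasons:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": a["src"], "reasons": reasons})


def scan_for_likejacking(page_html: str) -> list:
    scanner = LikejackScanner()
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


# Constructed page: a visible "Download File" button with a transparent Like
# button stacked over it, plus a legitimately embedded Like button further down.
SAMPLE_PAGE = """<html><body>
<button id="dl" style="position:relative">Download File</button>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fspam.example"
        style="position:absolute; top:12px; left:8px; opacity:0; z-index:10; width:90px; height:20px"
        scrolling="no" frameborder="0"></iframe>
<p>Thanks for visiting.</p>
<iframe src="https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fblog.example"
        style="width:90px; height:20px; border:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_for_likejacking(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

This is a triage heuristic, not proof: an absolutely positioned widget is common on legitimate pages, and the decisive evidence (the frame's rendered box overlapping a visible control) needs a layout engine. The inline-style cases it does catch are the cheap, common ones.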

Another type of "clickjacking" that spammers engage in is posting crazy-looking pictures and videos. Clicking a link to an article about Justin Bieber allegedly killing a fan is not going to get your account "hacked" instantaneously (he didn't, by the way). The goal of many of these spammers is simply to generate impressions, just like banner ads do for content-farm websites. Spammers get paid every time somebody clicks a link and sees an ad, so Facebook spots and kills these types of posts whenever they crop up. "This is us wanting to protect our users and de-incentivize spammers, because where they monetize is off of Facebook," Wolens said. It's kind of like the government coming around to your neighborhood and removing the spam fliers others have pinned on your door.


When somebody has accidentally liked a page or clicked a nefarious link, it's unlikely that their Facebook account will be compromised. The real problem is that most people use the same username and password on most sites they sign up for. When a user's credentials for another site are stolen, thieves simply try them on banking sites and social networks like Facebook. In many cases, accounts get compromised when people type their username and password into a phishing site without knowing it. In many others, people leave Facebook logged in on an Apple Store or library computer. Almost always, having your password "hacked" really means that you (or another site you've signed up for) lost your password or had it stolen. So what about the minority of users that get hacked "on" Facebook? Malware is the chief cause of accounts getting compromised without an obvious cause, Wolens said. To detect infected users, Facebook employs a variety of automated systems that flag accounts sending unusual volumes of messages or exhibiting other anomalous behavior. If you're confirmed to be infected, Facebook alerts you and helps you clean up using McAfee's Scan and Repair software. The company also provides a page listing the various threats to Facebook users, such as Koobface, which sends Facebook messages on your behalf once you've downloaded and run a malicious file posing as Adobe Flash Player.
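The article only says that accounts "sending tons of messages" get flagged, and volume alone is a poor signal: a busy group chat is high volume too. What distinguishes a Koobface-style infection is the combination of a burst, fan-out to many distinct recipients, and identical content. The detector below is an added example (not Facebook's system) that runs that combined rule over constructed log lines; the log format, field names and thresholds are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_lines(user, start, n, step_sec, recipients, text_hashes):
    """Fabricate log lines of the assumed format for the sample below (constructed data)."""
    return [
        f"{(start + timedelta(seconds=i * step_sec)).isoformat()} {user} message_sent "
        f"to={recipients[i % len(recipients)]} text_hash={text_hashes[i % len(text_hashes)]}"
        for i in range(n)
    ]


T0 = datetime(2012, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    # normal user: five messages to two friends spread over five hours
    _constructed_lines("u100", T0, 5, 3600, ["u7", "u9"], ["h1", "h2", "h3", "h4", "h5"])
    # Koobface-style account: the same text to 40 different people in 40 minutes
    + _constructed_lines("u200", T0, 40, 60, [f"u{300 + i}" for i in range(40)], ["h_worm"])
    # chatty but legitimate user: 40 varied messages in 40 minutes to the same two friends
    + _constructed_lines("u300", T0, 40, 60, ["u7", "u9"], [f"h{i}" for i in range(40)])
    # an unrelated event type that the parser must skip
    + ["2012-05-01T10:30:00 u200 login ip=203.0.113.5"]
)


def parse_line(line: str):
    """'<iso-timestamp> <user> <event> k=v k=v ...' -> (datetime, user, event, {k: v})."""
    ts, user, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), user, event, fields


def detect_compromised_senders(log_lines, window=timedelta(hours=1), min_burst=20,
                               min_distinct_ratio=0.8, min_same_text_ratio=0.8) -> dict:
    """Flag accounts that blast one message to many distinct recipients inside `window`.

    A user is flagged only when a sliding window holds at least `min_burst`
    messages, most go to different recipients (fan-out) and most carry the
    same text; the largest qualifying window is reported as evidence.
    """
    per_user = defaultdict(list)
    for line in log_lines:
        ts, user, event, f = parse_line(line)
        if event == "message_sent":
            per_user[user].append((ts, f["to"], f["text_hash"]))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_burst:
                continue
            distinct = len({to for _, to, _ in burst})
            same_text = max(Counter(h for _, _, h in burst).values())
            if (distinct / len(burst) >= min_distinct_ratio
                    and same_text / len(burst) >= min_same_text_ratio
                    and (best is None or len(burst) > best["count"])):
                best = {"count": len(burst), "distinct_recipients": distinct,
                        "identical_text": same_text,
                        "first": burst[0][0], "last": burst[-1][0]}
        if best:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, ev in detect_compromised_senders(SAMPLE_LOG).items():
        print(f"{user}: {ev['count']} messages, {ev['distinct_recipients']} recipients, "
              f"{ev['identical_text']} identical, {ev['first']} .. {ev['last']}")
```

Only `u200` is flagged: `u300` sends just as many messages in the same hour but to two people with varied content, which is what a real conversation looks like, and a detector keyed on volume alone would lock that user out for being sociable.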

The missing friend request

When someone friends you on Facebook, that request doesn't always reach you. Facebook employs a complex algorithm to estimate the likelihood that you know the sender, and decides whether to push the friend request through or, if the sender is being abusive, to place temporary limits on their ability to send friend requests. In real life, this would be like the government stopping random people from approaching you in a public place and saying hello. If these people message you instead, their messages go to your Other Messages folder, a place most people don't explore. "With a high degree of certainty, we know who you would be friends with," Wolens told us.


If you have no friends in common with "David," who lives in Brazil, and who friended 50 people in the last hour, it's unlikely you'll receive his friend request. But what if David's an exchange student who just arrived in town? A local check-in in your area, new school email address, or anything else that might tie him to you might instantly validate his friend request as authentic.
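Facebook does not publish this algorithm, and the text only names its inputs. The following is an added, deliberately simple sketch (not Facebook's code) of how those inputs combine into a decision: a hard cap on the sender's recent requests is checked first, and only then are the weaker ties (mutual friends, a check-in in the same city, a shared school e-mail domain) scored. Every weight, threshold and account in it is a made-up assumption for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    user_id: str
    friends: set = field(default_factory=set)
    email_domain: str = ""
    checkin_cities: set = field(default_factory=set)    # cities of recent check-ins
    request_times: list = field(default_factory=list)   # timestamps of outgoing friend requests


# Hypothetical numbers; the text gives the signals, not the weights.
RATE_CAP_PER_HOUR = 30
DELIVER_THRESHOLD = 0.5


def requests_in_last_hour(acct: Account, now: datetime) -> int:
    return sum(1 for t in acct.request_times if 0 <= (now - t).total_seconds() <= 3600)


def decide_friend_request(sender: Account, recipient: Account, now: datetime):
    """Return (decision, score, reasons), where decision is one of
    'deliver'      - notify the recipient normally,
    'hold'         - do not notify; a message from the sender lands in the Other folder,
    'limit_sender' - the sender is friending abusively; throttle them instead."""
    sent = requests_in_last_hour(sender, now)
    if sent > RATE_CAP_PER_HOUR:
        return "limit_sender", 0.0, [f"{sent} friend requests in the last hour"]

    score, reasons = 0.0, []
    mutual = sender.friends & recipient.friends
    if mutual:
        score += min(len(mutual), 4) * 0.25
        reasons.append(f"{len(mutual)} mutual friends")
    if sender.checkin_cities & recipient.checkin_cities:
        score += 0.5
        reasons.append("recent check-in in the same city")
    if sender.email_domain and sender.email_domain == recipient.email_domain:
        score += 0.5
        reasons.append(f"same e-mail domain ({sender.email_domain})")
    if sent > 10:   # bursty but under the cap: demand stronger evidence of a real tie
        score -= 0.3
        reasons.append(f"{sent} friend requests in the last hour")
    decision = "deliver" if score >= DELIVER_THRESHOLD else "hold"
    return decision, round(score, 2), reasons


if __name__ == "__main__":
    now = datetime(2012, 5, 1, 12, 0, 0)
    me = Account("me", friends={"f1", "f2", "f3"}, email_domain="state.edu",
                 checkin_cities={"Springfield"})
    # "David" who friended 50 people in the last hour with nothing in common
    spammer = Account("david1", request_times=[now - timedelta(minutes=i) for i in range(50)])
    # "David" the exchange student: same city check-in and a school address
    student = Account("david2", email_domain="state.edu", checkin_cities={"Springfield"},
                      request_times=[now - timedelta(minutes=5)] * 3)
    for who in (spammer, student, Account("stranger")):
        print(who.user_id, decide_friend_request(who, me, now))
```

The ordering matters: rate limiting is evaluated before any affinity score, so a bulk friender cannot buy delivery by harvesting a few weak signals, while a genuinely new arrival with two real ties gets through without needing a mutual friend.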

Security inside the largest social network

Facebook's database of malicious links contains billions of bad URLs, and its spam filters are precise enough that just 0.5 percent of users see spam on a given day, by its own estimate. Facebook does it all by monitoring every piece of content posted to the social network, which raises many questions about how Facebook is governed; the Security team's logo even has a police badge on it. The balance between security and freedom is one of the oldest debates in governance, and Facebook now manages an enormous community of people who have little say in how that community is policed. And once in a while Facebook gets it wrong and deems a benign comment "irrelevant" or "inappropriate," which blurs the line between censorship and safety.

The difference for now is that we're all choosing to use Facebook and explicitly accepting the company's monitoring and control — they're unfortunate preconditions of the virtual society. Without these rules, a site that entertains us for hours each day might descend into a spam and crap-filled cesspool, which isn't very fun. And unlike the real world, if these rules change, it's a lot easier to delete your Facebook profile than it is to relocate to another country.

The Verge