November 22, 2008 12:47 AM   Subscribe

I just got a wall posting on Facebook from a friend, that said: "not sure if you know about this but your pic is on hmmmbook.com." Site is really creepy. Anyone know what this is about? Heard of it? [Note: site seems like bad malware-ish news. Visit at your peril. -cortex]

I went to that address and was surprised by what I saw. Obviously, I didn't fill out the info it wanted me to... I navigated away and had to deal with numerous pop-ups. A bit of searching shows that she "posted" it on about 20 walls tonight. Although if she's on the East Coast like I think, it's about 4AM there and I doubt she's posting. Is this some strange kind of Facebook virus/trojan/evil doer? I don't have the patience to find out later - has anyone dealt with this before? Should I be worried about my e-mail address/IP?
posted by keribear to Computers & Internet (28 answers total)
Almost certainly a spam or malware website (e.g. spyware or virii). I think what it does is grab information about your Facebook login through some vulnerability and grab your profile image -- it then tries to collect information about you and possibly send you malware.

Just to be safe, run SpyBot and any anti-virus software you have.
posted by spiderskull at 12:54 AM on November 22, 2008

Yeah im pretty sure its spam, Ive seen a couple of different ones (gabbletoken.com and tradingimagesfun.com) are a couple of other ones. My guess is that its spam like all the myspace ads.
posted by lilkeith07 at 1:07 AM on November 22, 2008

Was this on your wall Wall or one of those third-party add-ons like Super Wall? In the latter case I'm not surprised at all and it's spam. If it's the tried and true Facebook Wall then I'm mildly curious about how it happened and it's spam.

Your pic is probably not on hmmmbook.com.
posted by Bokononist at 1:44 AM on November 22, 2008

Yeah, definitely a phished account/application hack--your friend fell for it, and it spammed everyone in their friend list's walls--just look at their wall history to see who they've been chatting with.
posted by disillusioned at 1:52 AM on November 22, 2008

Okay, it gets weirder if you fake-fill information. For instance, if you say you're there from Facebook, they actually try to shuttle you away. If you say you're there from somewhere else, they push an "IQ" test and then ask for your mobile number so that you can subscribe to their monthly service:

Summary Terms & Conditions:
This is an auto renewing subscription service on short code 86455 and available to users over 18 for $9.99 per month on AT&T, Verizon Wireless, Sprint and Nextel {3 alerts per week}, Virgin Mobile USA, Cellular One, Cincinnati Bell, Centennial Wireless, Unicel and U.S. Cellular. For $6.99 per month on Boost and Cricket {2 alerts per week}. For help, text HELP to 86455, email 86455@sms-helpdesk.com. or call 1800 235 7105 for automated help or call 1800 416 6129 for a live operator.
posted by disillusioned at 1:57 AM on November 22, 2008

Response by poster: Thanks, all. Bokononist - It's not a third-party app at all - just my regular ol' wall. I didn't think Facebook was prone to these types of things like MySpace is. Will run some spyware checker in the morning... makes me glad I'm using a MacBook. :)
posted by keribear at 2:28 AM on November 22, 2008

I just went to the page to check it out and got a pop up message saying that a photo I uploaded to Facebook within the last 48 hours was now on their site. I had just uploaded a photo to Facebook about an hour ago but left the hmmbook site without checking to see if my photo was up there.

Now wondering if I've picked up some trojan or something just by visiting the site. Off to run my spyware software!
posted by gfrobe at 2:54 AM on November 22, 2008

Yeah, I've had a few accounts of Facebook acquaintances hit by 'hacks' (probably a bad choice of installed applications) that made them spam everyone's wall. Next time you get a message with a strange link, check their page history to see if they're posting it on everyone's wall. If so, don't click, and if the spam just happened, send your friend a friendly notice to change their password and uninstall some apps.
posted by flibbertigibbet at 3:23 AM on November 22, 2008

Web of Trust add-on for Firefox says "Warning: This site is rated as dangerous" with a big red 'O'.
posted by K.P. at 3:23 AM on November 22, 2008

I just logged into hmmmbook with a fake referrer, name, and e-mail. It asks how I got to the site (I said Yahoo), then says "(fake referrer name) wants you to participate" and shows a web page which is just an error message (http://tracking.profitsource.net/NA.html)

My guess is if it worked properly it would be sending me to an affiliate link for a credit card or something like that.

So, yeah, it's spam.
posted by Mike1024 at 4:12 AM on November 22, 2008

did you get to the end?

it just shows a pic of a monkey, its a prank
posted by compound eye at 4:21 AM on November 22, 2008

compound eye: "did you get to the end?

it just shows a pic of a monkey, its a prank


I started filling out fake info, and tried to mark several sites (Yahoo, Myspace, etc) as providers, but they all gave "We are not allowed to use this provider" errors. Finally I selected "other" and proceeded.

I filled out fake info on who sent me to the site (my best friend Apple Obama), what luck! Turns out Apple Obama had uploaded pictures of me within the last 48 hours!

Then the site gave me a 10 question IQ test, and (I kid you not) after realizing that I didn't care what the site thought of my IQ I just guessed to speed up the test.

Then it had me pick out a car I was interested in and enter my contact info so dealers could contact me. The site was pretty good at kicking out fake phone prefixes and zip codes. Then it listed some dealerships and claimed quotes were on the way.

After that it started asking for more personal info to run a credit check for an auto loan. At that point I got bored and gave up. The URL changed several times, so I'm guessing it's an elaborate Social Security Number harvester for ID theft.

From one stage to another there was no continuity. No mention of the photos during the IQ test, no mention of the test when looking for a car, etc. It's all kinds of crazy fake.
posted by Science! at 5:24 AM on November 22, 2008

Had something similar to this posted to my wall by a friend-only the friend didn't post it, it was some hack. The namf ef the website was different-I forget what it was.

This happened just this past week.

In my case I went to a screen that wanted me to login. I got a bad feeling about it so navigated away. After googling I found it was malware.
posted by St. Alia of the Bunnies at 5:24 AM on November 22, 2008

Wow, that was totally scammy. One path led me to a facebook password stealer, and when I went back, I got the IQ test that would charge $10 a month to my cell phone. Next I got the "sell gold" ad where they wanted my information, and when I quit out of that, I got the monkey picture. Very evil.
posted by procrastination at 5:36 AM on November 22, 2008

gfrobe, don't bother investigating. The popup lies, it ALWAYS says that message regardless of whether you've actually done something or not. It just so happens many people use Facebook, and if they spam Facebook as well the odds of catching a sucker shoots up. It's just a form of super spam, where one spam completion leads to another, as Science! found out.
posted by Meagan at 6:28 AM on November 22, 2008

Best answer: I got the same thing last week. The guy deleted all the posts when we realized what happened. This blog will show you what the website is. He tested it just for fun. It looks like all the IQ tests and such were down when he tried it. At the end of all the passwords and such, the picture is a monkey. Then it claims it is a joke and it gives you ways to send it to your friends "to prank them too." It also has different domains and different ways of saying it so it won't get caught by spam filters.
posted by Deflagro at 8:07 AM on November 22, 2008

Registrant (Arzoomanian, bulletinpics@gmail.com) owns wayizer.com, an alleged phishing site, as well as 490 other domains, all of which forward to friends-to-friends-only.com (created 10/8/08), which in turn pulls content from http://rotating-destination.com/taf/taf.html.

According to this alert, Arzoomanian and the sites' registered T#s are affiliated with Spin Night Club Promotions and Alexis Park Resort in Las Vegas.

The sites' registrar, Moniker Online Services is ranked #2 of registrars having the most blacklisted name servers: 1426 listed domains, with 93% still active, indicating it is slow to remove spam offenders.
posted by terranova at 9:18 AM on November 22, 2008

this is fucked up. you should warn us before we go to it that is possibly trojany. now i, as i assume others in this thread, have to run spycheckers again.
posted by yonation at 10:56 AM on November 22, 2008 [1 favorite]

Yeah, I'm a stupid curious monkey and had to try the URL before reading the entire question. Maybe the mods could remove the url from the post title, or place some kind of warning next to it or something? Off to run a malware scan.
posted by peggynature at 11:33 AM on November 22, 2008

I had the same thing happen to me, with "bubbleserver.com" instead of "hmmmbook.com".
posted by Lucinda at 2:19 PM on November 22, 2008

Best answer: Second hit for "hmmmbook" on google explains it's a scam. (first hit is now this thread.)
posted by oneirodynia at 2:57 PM on November 22, 2008 [2 favorites]

Response by poster: To those complaining about clicking the link... I asked directly in the question what kind of trojan this might be. Read the whole question before you click on links.
posted by keribear at 5:13 PM on November 22, 2008 [1 favorite]

Most of the point here seems to be a pretty illegal looking phishing scam. When you leave the site, it asks you "where you came from?" for their own "survey", and then takes you "back" to the login page for Facebook or YouTube or whatever.... but of course those are not the real login pages for those sites: it's just trying to make you enter your user and password.
posted by rokusan at 6:07 PM on November 22, 2008

I clicked the link and looked around, no problem. Then again: Mac OSX makes it a lot safer. I wouldn't go NEAR that link with Windows + Explorer!
posted by rokusan at 6:08 PM on November 22, 2008 [1 favorite]

I got it at uni - figured it might have been a scam of some sort, but wasn't sure. Thanks for asking!
posted by divabat at 8:44 PM on November 22, 2008

I wanted to follow up with, after running a scan, I didn't find anything out of the ordinary on my computer (just the usual tracking cookies that could've come from other places.) I'm curious if anyone else ended up with something nastier, perhaps using a different browser (I'm on Firefox) or scanner?

Sage advice, keribear. Sadly, I'm of the oregano persuasion.
posted by peggynature at 6:50 AM on November 23, 2008

With Opera and OS X, it's pretty safe. Disabled Java, JS, plugins and cookies.

My conclusion: This is actually a test intended to weed out those people who have failed the itnernet.

Honest to god, any person who answers a single question honestly has failed life. The site literally could not look scammier.
posted by five fresh fish at 9:31 AM on November 23, 2008

This seems to be an MSN hijack too. I just got messaged with it via a friend, and I hope this'll give me some info on how to help her.
posted by Phalene at 9:52 AM on November 24, 2008

« Older Laser hair removal in Philadelphia   |   Buying a car in the current recession: need advice Newer »
This thread is closed to new comments.