Posted by & filed under article.

It seems like the user is more willing to click on a link presented on Facebook by “trusted” friends and acquaintances. The tolerance bar is lowered and the level of acceptance for approving and checking out user posted links, seems extremely low. It still baffles me the way some links screams out; “See what this collage student did this summer break”, where it also screams out; “Do not click this, probably a scam”. Although not all people see these warning signs and live in good faith that a friend wont post anything that might harm or abuse your account. I have already mentioned how linked titles may drag people towards clicking them. Further I would like to introduce a second way of deception and make you aware of such challenges you may face when browsing the friends feed.

Back in October I faced a bogus friend request on Facebook. At first it was ignored as the user account had just been created and I did not know this person. Later that month I did recall from one of my classes that certain people with evil intentions would use Facebook to gain personal access. At that point I assumed the unknown Facebook person was a classmate that would like to have fun and prank fellow students. At the end of the month the unknown account had added my school as a network and soon we had 32 friends in common.

In order to figure out who this person was, I would first require their IP address to determine where it was located. At first I made a simple PHP script that extracts location and browser information. I gathered all information segments from $_SERVER. If your interested in what information it contains, just use print_r($_SERVER) to list every thing.

I now had a way of acquire the information that’s easy to extract. However I would need to get the user to access this unique link and I needed an approach that would make it irresistible for the user to access the link. Then I got the idea! Why not use an image? When you add a link to Facebook or include it in a message, Facebook will automatically bring a thumbnail of the image inside with the message. I engineered the file image.php that will output the image itself and extract the location and browser information and serve this information to my mail inbox. Now just linking the full link of my website and image.php might throw the unknown user off and result in a failed attempt, I had to make it more reliable.

Creating a .htaccess document was the solution. By enable the rewrite engine on my server directory I could make fake.jpg point at the file image.php. This will mean that when someone accesses the fake.jpg they will see an image and they will see the file extension .jpg although what the server is presenting is image.php. At this point I am good to go, however I would like to give the user a feedback of, “lol I got you”. To acquire this I decided to figure out what happened when Facebook generates the thumbnail. I quickly learned that by looking for “facebookexternalhit” in the variable $_SERVER[“HTTP_USER_AGENT”] I could know that this is Facebook servers accessing my image. Therefor I decided to present the deceptive image as a thumbnail and when the user actually accesses the image I would present a new image of a troll.

The logic for this is created as follow:

header('Content-Type: image/jpeg');
if(preg_match("/facebookexternalhit/i", $_SERVER["HTTP_USER_AGENT"], $matches)) {
} else {


Finally its time to create the message to go with the image. The final message was saying: “Hey, Is this you from my town?” and the linked image. A screen shot from the original post is seen below.


After the user clicks the link, it will present the following image:


Feel free to check out the final result for yourself with this link: Disclaimer: I have removed the data extraction of browser information and emailing.

As you might have observed on the image of the Facebook message, the message was viewed one day later. Not surprisingly the user clicked the link where I achieved the IP address and browser information. After checking the IP address with I could determine that this actually was a user from New York. The browser information slightly confirmed that the the browser used was configured to en-US language and that this probably is a deep cover for identity lurking or some one exploring for the sake of fun.

Leave a Reply

  • (will not be published)