OFFICIAL SECURITY BLOG

Application Spams “My Top Followers” Posts To Tumblr Users

February 17, 2014 | BY Christopher Boyd

Way back in June 2013 a website was asking Tumblr users to add an “HTML widget” (or, more likely, to install an application), though by the time we looked the app had already been taken offline, so it wasn’t possible to tell which.

All of a sudden, the site has returned, causing a commotion in Tumblr land due to the large number of posts popping up which direct end-users to survey-style landing page offers once an install takes place.

Here’s a typical spam post made by the app on a blog:

[Screenshot: See your followers...]

It reads as follows:

“New Tumblr application allows you to see who is viewing your blog in 3 easy steps

1. Add the application
2. Wait while we find your viewers
3. See who has looked at your blog!”

Tumblr users are invited to click on a Bit.ly link, which directs them to

viewr(dot)pw/signup/

Whereas last time this site was on the radar the app (or “HTML widget”, as they called it) had already been pulled, this time around users will be invited to log into Tumblr and install an app on their profile.

[Screenshot: Tumblr app]

If installed, the app will make a post on the related blog and the person doing the installing will see this:

[Screenshot: Survey offers]

This entire chain of events is designed to have users end up on a so-called “survey page”, where affiliate cash is generated for every survey filled in. However, the three options displayed above are ringtone-style sign-ups, where a mobile number is handed over and the user is entered into a regularly billed subscription service.

How do I uninstall a Tumblr application?

Easy. Click the Cog icon in your dashboard, then click on the highlighted Apps option in the screenshot below:

[Screenshot: App removal]

From there, simply scroll to the unwanted app then hit the “x”.

[Screenshot: Almost there...]

How much traffic is this getting?

We can take a look at the Bit.ly stats for this one and form a reasonable idea of what has been taking place.

Total Clicks: 2,982 clicks on the Bit.ly link

1,951 from Tumblr and 1,006 from other sources

1,734 clicks were from the Tumblr dashboard – these will be Tumblr users who have seen the posts appear in their timeline via users they follow.

994 clicks were from “email, IM and apps”.

For anyone brave enough to go wading through Tumblr’s search tags, you can currently find an awful lot of posts about this. Here’s a random selection of warnings, confused utterances and “Oh no what have I installed”: [1], [2], [3], [4], [5], [6], [7], [8]

Profile viewer scams have been around for years – yes, they were around in the heyday of Myspace – and they’ve never gone away, migrating from one social network to the next.

Always think twice when being asked to install apps you’re not familiar with, and most definitely think for a third time before signing up to anything promising to reveal who looks at your social network profile. There’s a very good chance you’ll just end up spamming your followers and winding up on a lot of blocklists…

Christopher Boyd