    We have seen several kinds of Facebook spam runs in the past, all of which used different features of the social networking site to spread. We have seen wall posts, events, and chat messages send out links that lead to malicious scripts.

    This time, we saw a spam run that uses not only one but all of the above-mentioned Facebook features.

    In this attack, users receive a spam message that asks them to click a URL if they want to see how they will look in 20 years. They then land on a site that asks them to follow certain steps, the first of which is to copy a particular snippet of code into their browser's address bar.


    The users are then asked to log in to their Facebook accounts, which triggers the following:

    • The script creates a Facebook wall post in which all of the users’ contacts who are online at the moment of execution are tagged. The wall post contains the same URL that the users clicked and the message, “yeah mine is very funny!! check yours out : )).” The affected users then automatically “like” the post with a comment saying, “oomg I look funny as hell haha.”
    • Through Facebook’s chat feature, the affected users’ contacts receive spammed messages that contain the same URL the users clicked.
    • The script also creates a Facebook event entitled, “See your face in 20 years,” along with the message, “Hey yo guys, I found a cool site that tells you how you will look like in 20 years old,” and the same URL the affected users clicked.

    Analysis of the script that triggered the above-mentioned routines revealed that it is also capable of spreading the malicious link through Facebook’s Notes feature. It creates a note that leads to the URL, then tags the affected users’ friends to entice them into clicking the same URL.

    We were not able to replicate the said technique but we were able to see a similar run using the familiar “stalking” pitch in the figure below.


    The link in the spam run used Google’s URL shortening service. It has already been blocked by Google. Trend Micro product users need not worry as well, as it is already detected as JS_MALAGENT.PB and blocked. For more information on social networking threats, check out the report, Spam, Scams, and Other Social Media Threats.
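
    The attack's first step depends on the victim pasting script into the address bar. The sketch below is an added example, not code from the original post or from any Trend Micro or browser product: it shows how pasted address-bar text can be checked for a script scheme and neutralized. The function names, the scheme list and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: flag script-bearing text pasted into an address bar.
// Names and the scheme list are illustrative assumptions.
const SCRIPT_SCHEMES = ["javascript", "vbscript"];

// URL parsers skip leading control/space characters and drop ASCII
// tab/newline anywhere in the input, so normalize the same way before
// looking at the scheme; otherwise "java\tscript:" slips past the check.
function normalizePaste(text) {
  return text.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\n\r]/g, "");
}

// Returns { scheme, risky, safeText }. Script schemes are stripped in a
// loop so a doubled prefix ("javascript:javascript:...") cannot survive
// a single stripping pass.
function inspectAddressBarPaste(text) {
  let rest = normalizePaste(text);
  let firstScheme = null;
  let risky = false;
  for (;;) {
    const m = /^([a-z][a-z0-9+.-]*):/i.exec(rest);
    if (!m) break;
    const scheme = m[1].toLowerCase();
    if (firstScheme === null) firstScheme = scheme;
    if (!SCRIPT_SCHEMES.includes(scheme)) break;
    risky = true;
    rest = normalizePaste(rest.slice(m[0].length));
  }
  // Benign input is returned untouched; risky input loses its scheme(s),
  // so the remainder is treated as plain text or a search query.
  return { scheme: firstScheme, risky, safeText: risky ? rest : text };
}

// Constructed sample inputs (not taken from the campaign).
const SAMPLES = [
  "javascript:(function(){/*constructed*/})()",
  "  JaVa\tScRiPt:void(0)",
  "javascript:javascript:alert(document.domain)",
  "https://example.com/page",
];
for (const s of SAMPLES) {
  const r = inspectAddressBarPaste(s);
  console.log(JSON.stringify(s), "->", r.risky ? "BLOCK" : "allow", r.safeText);
}
```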

    Update as of May 8, 2011 7:50 PM, Pacific Time

    After debugging the script, I observed that apart from the wall post and messages received via Facebook’s chat feature, the malicious script also triggers the following:

    • Unknowingly “liking” fan pages such as “Chavs, la segunda llegada de Jesus” and “I like turtles.” In the script, we can see the Fan Page IDs 121152571296756 and 206943176013105, which resolve to the image below.


    • Causing the user to unknowingly visit a Facebook application and possibly “like” it. The “Go to App” button points to the URL, htp://{BLOCKED}, which leads to a web page containing instructions for copying and pasting the code into the browser address bar. The application it visits varies from time to time.
    • Possibly “liking” a photo, as seen in the script, where there is a variable named photoID with a value of 1852471804837. The photos also vary depending on the photoID.

    After the spamming routines, users are redirected to the final landing page, http://{domain_name}.info/final.php. Once users click the “continue” button, they are led to an instruction page with a YouTube video. The cybercriminals behind this attack are gaining high SEO page rankings through advertising gateway sites such as {BLOCKED} and {BLOCKED}.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice