We recently reported on a scam that targeted Facebook users by turning those curious about their profile stalkers into unwilling spammers. Now we are seeing newly created domains tied to yet another scam targeting Facebook users, one that reuses social engineering lures already seen in the past.
These domains were seen linked from Facebook posts bearing messages such as “This Guy Took A Picture Of His Face Every Day For 8 Years.”
The domains were similar in that they all contained words like daddy, busted, guy, face, pic, miley, and bieber.
Once a user clicks a link to one of these domains in a Facebook post, he/she is redirected to a YouTube-like Web page, a technique typically used by the infamous KOOBFACE gang. The page, however, contains nothing more than an image that resembles a page from the video-sharing site.
Clicking anywhere within the page opens a prompt asking the user to complete a survey, supposedly to confirm his/her age.
What really happens, however, is that a malicious script detected as PHP_FBJACK.A accesses the user’s Facebook account and posts a link to the same malicious page along with a message similar to the one quoted above.
Facebook was named the most dangerous social networking site in 2010 and it still is, considering the numerous attacks that target its users every day. Thus, it is important for Facebook users to be extremely cautious when navigating through the network, especially when clicking links shared by even “trusted” contacts.
The Trend Micro™ Smart Protection Network™ already protects Trend Micro product users from this attack as related URLs and scripts are now blocked and detected, respectively.
Update as of March 15, 2010 12:45 Pacific Time
We’ve recently seen attacks similar to this one that target specific user groups. In one attack we saw, Italian users were targeted with posts bearing the subject “Girl strips in public after losing a Bet, Must See video” in Italian.
The posts lead to the same YouTube-looking page and result in the same post being published on the affected user’s profile. The script involved in this attack is now detected as JS_FBJACK.A.
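As an added defender-side example (not code from the original post), here is a small Python triage script that applies the two signals described above and in the update: posts carrying one of the quoted lure messages, and posts linking to non-allowlisted hosts assembled from two or more of the lure words seen in the scam domains. The allowlist, the `.example` hosts and the sample posts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Lure words reported in the scam's newly created domains.
LURE_DOMAIN_WORDS = ("daddy", "busted", "guy", "face", "pic", "miley", "bieber")
# Lure message fragments quoted in the post (compared case-insensitively).
LURE_MESSAGES = (
    "took a picture of his face every day",
    "girl strips in public after losing a bet",
)
# Assumed allowlist: hosts whose names legitimately contain a lure word.
KNOWN_GOOD_HOSTS = ("facebook.com", "youtube.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_known_good(host):
    return any(host == h or host.endswith("." + h) for h in KNOWN_GOOD_HOSTS)

def lure_words_in_host(host):
    """Lure words found inside the host name; scam hosts mix several of them."""
    return [w for w in LURE_DOMAIN_WORDS if w in host]

def analyze_post(text):
    """Flag a post that carries a known lure message or links to a
    non-allowlisted host built from at least two lure words."""
    suspicious_hosts = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        if is_known_good(host):
            continue
        words = lure_words_in_host(host)
        if len(words) >= 2:
            suspicious_hosts.append((host, words))
    message_hit = any(m in text.lower() for m in LURE_MESSAGES)
    return {"flagged": message_hit or bool(suspicious_hosts),
            "message_hit": message_hit, "suspicious_hosts": suspicious_hosts}

def scan_posts(posts):
    """Return (post, analysis) pairs for every flagged post."""
    results = [(p, analyze_post(p)) for p in posts]
    return [(p, r) for p, r in results if r["flagged"]]

# Constructed sample posts (not captured data); .example hosts stand in for
# the scam domains, which are not named in the post.
SAMPLE_POSTS = [
    "This Guy Took A Picture Of His Face Every Day For 8 Years. http://busted-guy-face-pic.example/video",
    "Lunch with the team http://www.facebook.com/photo.php?id=1",
    "Must See video http://miley-bieber-daddy.example/",
    "Check out this video http://www.youtube.com/watch?v=abc",
]

if __name__ == "__main__":
    for post, result in scan_posts(SAMPLE_POSTS):
        print(result["suspicious_hosts"], result["message_hit"], post[:40])
```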