Recently, many Facebook users have been tricked into clicking on “Activate Dislike Button”.
Taking advantage of users’ desire for a Facebook Dislike button, several spam messages about activating the Dislike button have appeared. Their aim is to take control of users’ Facebook accounts and use them to spread further spam messages.
Spam message about “Activate Dislike Button”
If users click on “Activate Dislike Button”, their browsers are redirected to http://lnktrn.ch/dislike, a fake Facebook page where users are asked to copy a piece of code and then execute it in their browsers to enable the “Dislike” button.
Imitating Facebook’s instruction
The code is in fact encrypted JavaScript. Upon analysis, we found that the code is tasked with sending spam messages to the friends of the victim’s Facebook account. The messages say: “Facebook just <keyword> dislike button! Click <onword> ‘Activate Dislike Button’ below to enable it on your <apterm> !”. Here, <keyword> is arbitrarily selected from “added the”, “launched” and “released the”; <onword> is either “on” or “On”; and <apterm> is randomly either “profile” or “account”.
The code to spread spam
Once the code is activated, the users’ Facebook accounts will be used to propagate similar spam messages.
Massive spam messages are sent from the victims’ accounts
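Because the spam text is built from a fixed template with three small slots, it can be matched with a single content signature. The following is an added example, not code from the original analysis: the function names are assumptions, and the slot values are the ones listed above.

```python
import itertools
import re

# Slot values exactly as listed in the analysis above.
KEYWORDS = ("added the", "launched", "released the")
ONWORDS = ("on", "On")
APTERMS = ("profile", "account")

TEMPLATE = ("Facebook just {keyword} dislike button! Click {onword} "
            "'Activate Dislike Button' below to enable it on your {apterm} !")

# Map typographic quotes to ASCII so copies pasted through different
# clients compare equal.
_QUOTES = {0x2018: "'", 0x2019: "'", 0x201C: '"', 0x201D: '"'}


def normalize(text):
    """Fold curly quotes and collapse runs of whitespace to one space."""
    return re.sub(r"\s+", " ", text.translate(_QUOTES)).strip()


def _slot(name, options):
    """Build a named alternation group for one template slot."""
    return "(?P<%s>%s)" % (name, "|".join(re.escape(o) for o in options))


# Quotes around the button name and the space before the final "!" are
# optional, since they vary with how the message was copied.
SPAM_RE = re.compile(
    r"Facebook just " + _slot("keyword", KEYWORDS) + r" dislike button! "
    r"Click " + _slot("onword", ONWORDS) +
    r" ['\"]?Activate Dislike Button['\"]? below to enable it on your "
    + _slot("apterm", APTERMS) + r" ?!"
)


def match_dislike_spam(text):
    """Return the filled slots if text contains the lure, else None."""
    m = SPAM_RE.search(normalize(text))
    return m.groupdict() if m else None


def all_variants():
    """Every message the template can produce (3 * 2 * 2 = 12)."""
    return [TEMPLATE.format(keyword=k, onword=o, apterm=a)
            for k, o, a in itertools.product(KEYWORDS, ONWORDS, APTERMS)]
```

Returning the matched slots rather than a bare boolean lets a filter log which variant was seen.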
Users are then asked to verify their accounts, another fake request, in order to enable the Dislike button.
Fake request to verify account
Once the “Continue” button is clicked, users’ browsers are redirected to http://lnktrn.ch/dislike/dislikebutton.php, a page that looks like a Facebook account verification page. After analyzing the page, we saw that it executes Flash code. However, due to certain errors, the Flash could not display its content. The Flash may serve as a notice to trick users into entering their username and password to log into their Facebook accounts.
The content of http://lnktrn.ch/dislike/dislikebutton.php
So far, there have been no signs that malware is being spread through these spam messages. Technically, however, this could be done using the above-mentioned JavaScript code. Our HoneyPot system continues to monitor this fraud case.
To ensure the security of your account, you are advised to be cautious with similar messages and to expect notices of new functions only from Facebook’s official website.
Tran Minh Quang
Malware Researcher