The Latest in IT Security

Dissecting Fake Youtube Plugin which scams Facebook users



We have been coming across many facebook scams. This sample which is taken from one of such scams has an interesting feature in it. It checks for the location of affected victim, and based on the country where the victim is located, additional scripts are injected. The victim is redirected to many other sites that uses Facebook API, post scam on Victim’s friends’ pages and additional malicious files could be downloaded to the user machine.

Infection Vector

The user is tricked to click scam page attached on his friend ‘s page or in public posts page of Facebook. The scams hold luring pictures and words like “Hey See This Now ” etc. Once the user clicks this link, he will be redirected to a link where he is asked to download a plugin to watch the video. This link checks whether the user is using Chrome or Firefox and then installs the malicious plugin as the missing plugin to watch the video.

 File with extension *.xpi is a plugin for Firefox whereas file with *.crx extension is Chrome plugin.

Victim attacked using Chrome Browser


Fig 1 – Plugin required notification with Installation button

Fig 2 -Once user clicks “Install Plugin”

Fig 3: Plugin added to Chrome Browser

Victim attacked using Firefox browser


Fig 4: Scam requesting the victim to install malicious plugin

Fig 5: Plugin added to Firefox Browser

We see the spelling different (“Dvix”) from the earlier Youtube DIVX plugins (plugin for Google chrome).

JavaScript  Redirectors working silently in background.

The continuous redirection  which the victim would face are due to few javascript redirector files, which work silently in the background. They are shown below.


Script.js has function addscript() which redirects to another site “*****.info/new/extra.js” to download extra.js.


Extra.js further redirects to and downloads 3 new javascript  files (fuction.js, fuction1.js, love.js) which are the most interesting ones .

We can see below the new javascript files which Extra.js would download to victim’s machine on redirections.

Extra.js also has code to inject an iframe with source hardcoded as

We can see that the link is repeatedly called to spam users.

Function.js – has the luring message which appears on Victims ‘ wall

Function.js has code to redirect the user to several other pages. It has code about the message that is used on the malicious link that promises the user about the video. It has the Ajax command to post on the user ‘s wall.


This *.js file holds the most interesting feature where function ” geoip_country_code()” is used to get the user s location by getting the country code . A total of 11 countries are checked.

If the return value of the function is any of the 11 country code, then the following code gets injected. This code is similar to SMS trojans which come bundled along with Android applications.

Love.js checking whether the victim is located in Pakistan

This JS file loads a script from the following url (geoip.js), which retrieves the location of the victim and check if the victim is from Pakistan (PK). If so, do another script injection for redirection.

Values  retrieved by geoio.js

 geoio.js retrieves the value of current location (country name, city, region, latitude , longitude, etc..)of the user.

Using the information gathered using geoio.js, the victim encounters a message box where he is announced as the winner from his locality for the day.

Inspecting DOM, gives the information on the message that needs to be brought up on browser before exiting the browser.

The redirection happens for victim to several pages and finally lands up on a page stating some survey or Prize Winning notification.


Fake Game page that appears at the end of redirections.


Cleaning up the victim s browsers and Facebook wall

Victim needs to uninstall the browser extension that is spamming your Facebook contacts. In Firefox, go to Tools and select Add-ons. Select Extensions and locate the offending extension and click the Disable button and restart the browser.

In Google Chrome, click the wrench icon, click Tools and select Extensions, and again locate the offending Extension and remove it.

On Facebook wall, go to the icon at the top right hand corner of each post and select Delete Post from the drop down menu. Facebook comes to know about it, and they would block the same from their end.

Our Advice to Customers

As we are aware of the increasing popularity of Facebook across the globe and its number of users, malware authors are also coming up with new scams everyday. They get heavily paid because of this fact. Facebook is also in a continous effort to secure its users. We would advice users not to click on any link on Facebook which promises of free gifts or Celebrity Scandal video links etc. Kindly do a browsing about the link before clicking and report it as a spam if you find it yourself on or any of your friends wall.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments