Last week there was an outbreak on Facebook of video spam related to Osama bin Laden’s death. The previous spam was basically variations of this:
If a curious user clicked on the link in the spam, it would eventually bring them to a page which basically makes the user manually send out spam to his own FB contacts, under the guise of a ‘security check’ to view the video:
The user essentially does a copy-paste execute of the script:
That code messages the user’s first degree friends (with spam).
So we were analyzing the previous run of video spam on our test machine and today, woke up to find our FB Inboxes with tons of new spam, which has been revised so that we don’t even need to copy-paste the script any more. How convenient.
The spam we received looked like this:
Then, we’d be expected to clicked the ==VERIFY MY ACCOUNT== at the bottom (note: we do not recommend this).
Then we saw this at the bottom of our browser:
The code would post the same message on our FB account’s Wall as the message the previous spam run sent out to the first degree contacts.
Next, a pop up box appeared:
And then redirects to this page:
It is not really clear as to what the aim of the author is, there does not seem to be any obvious monetary gain. But it is definitely an upgrade on the previous spam run.
On a sidenote – posted “via iPhone”? Not really. Assigning the 6628568379 to the app_id parameter apparently makes Facebook recognize that the posting is from an iPhone:
For example, visiting http://www.facebook.com/apps/application.php?id=6628568379 would lead to http://www.facebook.com/iphone.
Threat Insight post by Shantini and Rauf
Leave a reply