Today, we have come across yet another rapidly spreading Facebook scam. The ultimate aim of this scam is to coerce Facebook users into completing various surveys which in turn generate money for the scammer. The messages arrive with embedded Flash video and different messages such as “WTF!! You look so stupid in this video” or “yo, why are you on this video” etc. Below is a screenshot of such messages:
The post displays fake meta data showing the number of “Views”, “Likes”, etc. to make the posts appear more genuine. When a user clicks on the video link, the Flash file loads in the background. Once the loaded, it prompts the user to play a fake video. When the user clicks again to play the video, it looks like,
The above message displays instructions with keyboard shortcuts that cause the victim to paste clipboard information in the address bar. The flash file itself sets the clipboard data with malicious JavaScript which further spreads the attack. Here is what the malicious JavaScript looks like:
Let’s format this for better readability. Here is a formatted version:
If user runs this malicious JavaScript in the address bar, the script will randomly load one of two JavaScript files from different domains. The “config.js” is actually used to further spread this scam using different descriptions of the video. This JavaScript file not only posts the same flash video message to user’s wall, but also their friends walls. Here is partial screenshot of “config.js” file:
The above code contains all the configuration settings for spreading this message with different text messages and different domains. The “config.js” file also contains the code for posting the message to wall of every Facebook friend.
Here is what the source of “verify.js” looks like:
The above file references yet another JavaScript file. This referenced file is used to keep track of real time stats. The user is further prompted with message box asking “Please verify your identity” by taking surveys as shown below:
It will keep checking for the survey to be completed even if you click “Complete” button without taking the survey. This is yet another scam run by attackers to earn some money by encouraging Facebook users to complete surveys that pay for completion. This is not the first time we have seen such a scam spreading on Facebook. Attackers are doing an excellent job by taking advantages of both social engineering and social networking.Believe me - I don’t look stupid in that video!
Umesh
