Research Scientist I
I joined McAfee Labs in Jan 2012. I am part of the McAfee-Facebook team and the customer escalation team.
Be advised: cybercriminals are at it again, leveraging the popularity of Facebook and YouTube to scam consumers. We have seen several scams in the past spreading through Facebook, promising leaked videos of celebrities, free Facebook T-shirts, and so on. The malware authors make money through pay-per-click with these techniques. Users are tricked into clicking links that appear on their friends' walls. Once a link is clicked, the malware authors trick users by zeroing the opacity of malicious scripts, which are loaded and injected in the background without the user noticing. All the victim sees is multiple redirections and a survey page that is brought up at the end. In the meantime, the injected script steals the user's Facebook cookies and posts on the victim's wall without his or her knowledge.
We have also seen some of these scams request that fake YouTube and Flash Player plugins be downloaded and installed after checking which browser is running on the victim's machine. This was done with the help of the following script running in the background.
This scam was seen circulating from the last week of December 2012 and looks like a shared video.
Scripts are run in the background to load the fake YouTube logo into the fake YouTube page:
The fake YouTube logo is loaded from the above link.
A few calculations are done before bringing up the above fake YouTube page.
The highlighted number, which the user is asked to enter in the “Type code here” area, keeps changing at regular intervals with the help of a random operation performed in the background.
Changing the opacity marked above reveals a space where a comment is asked to be entered.
By the time I changed the opacity and entered a comment, the Security Verification Number had changed. The Security Verification Number is generated randomly with the help of the script below.
A few operations are performed before bringing up the wording that promises the video that appeared on the victim's wall.
Some of the very common words seen in these types of scams are:
Another script http://j.maxmind.com/app/geoip.js is injected to learn the victim’s location.
Finally, it brings up a page which says the victim's account is being verified. But the video still does not play.
Viewing the source of the web page gives us more information about the scripts, the injected iframes, and the “Complete the Simple Step Below to Continue ….!” message that appears at the top of the window.
We could see a YouTube link. When investigated, it asks for a missing plugin to be installed to view the video.
When the missing plugin is installed, the victim sees some porn and prank videos.
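The zero-opacity input area and the injected scripts and iframes described above are things a defender can look for when triaging a saved copy of such a page. The following is an added example, not code from the original post or from the scam page: the function names, the sample markup and the `video-page.example` and `frames.example.net` hosts are constructed for illustration, and only inline styles are inspected.

```javascript
// Triage helper for saved page source (added example, hypothetical names).
// Inline styles only: opacity set by a stylesheet or script needs a rendered DOM.
const INTERACTIVE = new Set(["iframe", "textarea", "input", "button", "form", "a"]);

// Turn an inline style string into a { property: value } map.
function parseStyle(style) {
  const out = {};
  for (const decl of style.split(";")) {
    const i = decl.indexOf(":");
    if (i > 0) out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim();
  }
  return out;
}

// Read one attribute value (quoted or bare) from the text of an opening tag.
function attr(attrs, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Flag (1) interactive elements made invisible with opacity and
// (2) scripts/iframes loaded from a host other than the page's own.
function triage(html, pageUrl) {
  const findings = [];
  const pageHost = new URL(pageUrl).host;
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const opacity = parseFloat(parseStyle(attr(m[2], "style") || "").opacity);
    if (INTERACTIVE.has(tag) && opacity <= 0.05) { // NaN (no opacity set) is never <= 0.05
      findings.push({ kind: "invisible-interactive", tag, detail: `opacity:${opacity}` });
    }
    const src = tag === "script" || tag === "iframe" ? attr(m[2], "src") : null;
    if (!src) continue;
    let host;
    try { host = new URL(src, pageUrl).host; } catch { continue; }
    if (host !== pageHost) findings.push({ kind: `third-party-${tag}`, tag, detail: host });
  }
  return findings;
}

// Constructed sample markup; only the geoip.js URL appears in the post.
const SAMPLE = `
<textarea name="comment" style="position:absolute; opacity: 0; z-index:9"></textarea>
<iframe src="https://frames.example.net/widget" style="opacity:0.01;width:80px"></iframe>
<script src="http://j.maxmind.com/app/geoip.js"></script>
<script src="/static/app.js"></script>
<input type="text" name="code" style="opacity:1">`;
const FINDINGS = triage(SAMPLE, "https://video-page.example/watch");
console.log(FINDINGS);
```

A third-party script or iframe is not malicious on its own; the findings are leads for manual review, and the invisible interactive elements are the stronger signal.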
Facebook is also continuously monitoring malware and scams spreading across its users. Users can report a suspicious post as a scam back to Facebook, and Facebook can block the scam from spreading from its end. This can be done by clicking the top-right button that appears on every post, “Report Story or Scam.”
The user is then taken to a page where they can finally report back to Facebook.
This way the user keeps the scam from spreading among his or her contacts.
Our advice to users is to take extra caution when they see links that point to a video. Otherwise, you could actually be spreading the infection among your network of friends. These scams also come back with different images, different redirection URLs and different luring words. We also saw an old scam, which promises a pink Facebook page, coming back this month. In case you think you are infected, please check your wall or ask a friend to check whether any of these scams is stuck to it. Sometimes the infected user will not be able to see the scam attached to his or her wall.
No matter how many offers or surveys they complete, or what services they subscribe to, victims will never receive the promised video, gift or profile.