NEWS FROM THE LAB - Thursday, May 12, 2011

Facebook Video Spam Revamped
Posted by ThreatInsight @ 11:11 GMT

Last week there was an outbreak on Facebook of video spam related to Osama bin Laden's death. The previous spam was basically variations of this:

Facebook spam

If a curious user clicked on the link in the spam, it would eventually bring them to a page which basically makes the user manually send out spam to his own Facebook contacts, under the guise of a "security check" to view the video:

fake security check

The user essentially copies, pastes and executes the script:

Facebook spam code

That code messages the user's first-degree friends (with spam).

So we were analyzing the previous run of video spam on our test machine, and today woke up to find our Facebook Inboxes filled with tons of new spam, which has been revised so that we don't even need to copy and paste the script anymore. How convenient.

The spam we received looked like this:

Friend spam

Then, we'd be expected to click the ==VERIFY MY ACCOUNT== at the bottom (note: we do not recommend this).

Then we saw this at the bottom of our browser:

Facebook spam code latest

The code would post the same message on our Facebook account's Wall as the message the previous spam run sent out to the first-degree contacts.

Next, a pop up box appeared:

verification fail notice

And then it redirects to this page:


It is not really clear what the aim of the author is; there does not seem to be any obvious monetary gain. But it is definitely an upgrade on the previous spam run.

On a side note — posted "via iPhone"? No, not really. Assigning 6628568379 to the app_id parameter apparently makes Facebook recognize that the posting is from an iPhone:

Facebook spam code

For example, visiting http://www.facebook.com/apps/application.php?id=6628568379 would lead to http://www.facebook.com/iphone.
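Because the "via iPhone" label follows a value the client supplies, it can be cross-checked against other request metadata. The following is an added example, not code from the original post: it flags logged posts that claim the iPhone app_id while the User-Agent does not look like an iPhone. The log record shape, function names and sample records are assumptions constructed for illustration.

```javascript
// Added example: flag posts whose claimed app_id says "iPhone" while the
// request's User-Agent does not. All records below are constructed samples.
const IPHONE_APP_ID = "6628568379"; // value quoted in the post above

// Hypothetical proxy-log records: the form body and User-Agent of each POST.
const sampleRequests = [
  { id: 1, userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) AppleWebKit/533.17.9",
    body: "message=hello&app_id=6628568379" },
  { id: 2, userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    body: "message=watch+this+video&app_id=6628568379" },
  { id: 3, userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    body: "message=lunch%3F" },
  { id: 4, userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    body: "message=x&app_id=%36628568379" }, // first digit percent-encoded
];

// Extract the app_id the client claimed, or null if none was sent.
function claimedAppId(body) {
  // URLSearchParams decodes percent-encoding and "+", so an encoded value
  // cannot slip past the comparison the way it would past a substring match.
  return new URLSearchParams(body).get("app_id");
}

// True when the post claims the iPhone app but was not sent by an iPhone UA.
function isMismatchedIphoneClaim(req) {
  const claimsIphone = claimedAppId(req.body) === IPHONE_APP_ID;
  const looksLikeIphone = /\biPhone\b/.test(req.userAgent || "");
  return claimsIphone && !looksLikeIphone;
}

// Return the ids of all records with a mismatched iPhone attribution.
function findSpoofedAttribution(requests) {
  return requests.filter(isMismatchedIphoneClaim).map((r) => r.id);
}

console.log(findSpoofedAttribution(sampleRequests));
```

The User-Agent is also client-controlled, so a mismatch is a triage signal rather than proof, and a match proves nothing.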

Threat Insight post by — Shantini and Rauf