We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.
The user is lured with a message as bait to a prepared site. The all time favourite “See who viewed your profile” is used a lot these days, but we have seen others with free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple looking Javascript to the browser address bar and to click the ‘Enter’ key.
The scammers want to ensure sure that the users are not strained by the simple step by step instructions. That’s why, if you scroll down the page, they have actually created videos on YouTube that explain exactly how to copy and paste the Javascript code. For once, this video plays without fake surveys or hidden click-jacking attacks, but of course these tricks could be used as well.
Once the user follows the steps, he or she is redirected to the usual survey advertisement site before anything is revealed. These results, of course, will not be the real list of people that visited your profile, since this function does not exist in Facebook.
Under the hood, the previously executed Javascript code misuses the logged-in user session to enumerate the friends list and start its shenanigans. Depending on the configurations of the attacker, the script will post a new bait message to the user’s wall, send chat messages to friends, tag you in post messages or images, or even create an event and send an invitation to all your friends. Of course as always the attack is easy configurable through a toolkit. Since the script runs in the context of Facebook and uses your open session it can do a lot with your profile, it can do nearly everything you could do yourself.
The above described attacks are not new. We actually wrote about event spam and other attacks in our whitepaper on the risks of social networking last September.
But since they work and are harder to filter for Facebook, they might become more prevalent.
Of course, this is not a Facebook-specific problem; we have seen similar issues in other social networks. Their respective security teams are working hard to remove those attacks. Still, you should always be vigilant and sceptical when exploring social networks. Even messages from friends may lead to malicious content. If you are asked to install an application or copy and paste a script for no clear reason, then you’d better ignore it, since it is most likely a trap.
Note: We know that Facebook engineers have been working diligently on the self cross-site scripting problem. Not only have enforcement mechanisms been pursued to shutdown the malicious pages and fake accounts, but Facebook has also been putting affected users through educational checkpoints to help curb the spread of the attacks.