May 12, 2012

OMG I Just Hate Miley Cyrus After Watching This Video - Survey Scam

An old variant of the Facebook survey scam is spreading virally with a new post title, "Miley cyrus seex tape leadked today on facebook", and an offensive thumbnail. Below is a sample wall post of the scam; there are many others out there with different blogspot links, so be careful before you click on any blogspot link in Facebook.



Following the link in the wall post leads to a page like the one below, which tells you that you don't have the required plugin to watch the video and asks you to install a plugin named "Youtube Premium" to watch it. We have already seen many survey scams like this one, and we have already warned users never, ever to agree to install a plugin unless you have good reason to trust the source. Here it is a malicious plugin that attaches to your browser, spreads the scam message using your FB account and also brings up a survey scam to fill in.



Below is the survey scam the plugin brought to my test machine: a typical FB survey scam which, in the name of age verification, asks users to fill in a survey so that the spammers earn money. Since it's a scam, you will not see the video, irrespective of how many surveys you complete.


Removal Instructions:


To get rid of this scam and the wall post, go to Settings -> Extensions -> Remove in your Google Chrome browser.


Firefox users: go to Tools -> Add-ons -> Remove.


Technical Specifications:


Once "install plugin" is clicked, the page contacts the site plugincodescript.blogspot.it and checks whether the user's browser is Chrome, Firefox or something else; depending on the result, it pushes the matching plugin.


After the malicious plugin is installed, it runs the script viralscripts.it/divx2/script.js whenever the user opens the browser. script.js in turn calls viralscripts.it/divx2/extra.js.


The script extra.js contacts viralscripts.it/divx2/watch.php to identify the user's location, and viralscripts.it/divx2/function.js to steal user cookies and to generate random user comments and blogspot links.


Below you can see the script used to generate random blogspot links and append them to the scam message depending on the user's location.


Here you can see it generate random user comments and post them on the infected user's wall.
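
A check along these lines can confirm whether an installed Chrome extension matches the loading behaviour described above. It is an added example, not code from the plugin or from this analysis; the sample extension contents, the file name `loader.js` and the function names are constructed for illustration, and a Chrome-style `manifest.json` layout is assumed.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts this post names as serving the plugin and its scripts.
IOC_HOSTS = {"viralscripts.it", "plugincodescript.blogspot.it"}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_matches(host, iocs=IOC_HOSTS):
    """True if host is an IoC host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in iocs)

def audit_extension(files):
    """files maps relative path -> text; returns (path, reason, detail) tuples."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))
    # A content script injected into every site also runs inside Facebook sessions.
    for cs in manifest.get("content_scripts", []):
        if BROAD & set(cs.get("matches", [])):
            findings.append(("manifest.json", "content script on all sites",
                             ",".join(cs.get("js", []))))
    for path, text in files.items():
        for url in URL_RE.findall(text):
            try:
                parsed = urlparse(url)
                host = parsed.hostname or ""
            except ValueError:  # malformed URL inside minified code
                continue
            if host_matches(host):
                findings.append((path, "known scam host", url))
            elif parsed.path.lower().endswith(".js"):
                findings.append((path, "remote script load", url))
    return findings

def load_extension_dir(root):
    """Read the text files of one unpacked extension version directory."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*")
            if p.is_file() and p.suffix in (".json", ".js", ".html")}

# Constructed sample, not the real plugin's files.
SAMPLE = {
    "manifest.json": json.dumps({"name": "Youtube Premium", "content_scripts": [
        {"matches": ["http://*/*", "https://*/*"], "js": ["loader.js"]}]}),
    "loader.js": "s.src = 'http://viralscripts.it/divx2/script.js';",
}
```

Calling `audit_extension(load_extension_dir(path))` on an extension's unpacked directory returns an empty list when nothing matches; any finding is a reason to remove the extension as described under Removal Instructions.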


Below is the list of domains that participated in spreading this scam:

