Dec 22, 2011

Get Christmas Theme for FB on --->> LINK 2 FB PAGE <<---Free Christmas Theme for all FB users !! Just install this amazing new fb Christmas new look and change your profile looks show it to your friends too............................................................................................. —



Recently, people have become aware of many Facebook scams and avoid clicking on scam messages containing offensive pictures. This has made scammers trick users with new methods like the one shown below. Here they didn't use any pictures to trap users. Instead they target this Christmas weekend, saying “Get All new Santa Claus theme for Christmas” with a link to a FB page.


If you click on the link, it takes you to a FB page like the one seen below, where it asks you to click on the tiny URL to proceed further and claim your free Christmas theme. In fact, even if you don't click on the link, it will redirect you to the next page if you wait for a few seconds.


The tiny URL is nothing but a link to http://babylucy.info/theme.php


Once you reach the webpage http://babylucy.info/theme.php, it will ask you to follow a few steps to complete the installation process. The first step is to install a plugin to upload the “FREE Christmas Theme”. Based on this prompt I confirm this is a new variant of the old Facebook scam. In my previous post we saw a similar plugin installation. Do you remember? If not, just check it out.


Let us inspect the "theme.php" from the above link babylucy.info/theme.php. It contains encoded JavaScript to make it difficult to understand. Please check below:



The decoded theme.php contains JavaScript to track the number of users who selected the “like” button, and contains a counter displaying the installs remaining. This counter is used to tempt you by saying only a few installations are remaining.


It also contains an iframe link to the remote site "http://babylucy.info/plugin.php" to choose the plugin. We will discuss this plugin later in this post.


Now let’s see the other steps which the webpage http://babylucy.info/theme.php asks you to follow.



Here the “Install Now” button below the final step only pops up a new window opening "www.facebook.com", not any Christmas theme like you expected. So these steps are just to fool you.


Let’s see the plugin part: "babylucy.info/plugin.php" contains a script to install the desired plugin for your browser. Only Chrome and Firefox users are targeted. By default it downloads the Chrome plugin "http://informativenews.in/youtube.crx". If you are a Firefox user it downloads from "http://informativenews.in/profile/firefox.xpi".


If you’re a Chrome user you will be prompted with the below message, as it said in step 2:


When you select 'Install' it will be installed, and in the right corner of your Chrome browser you can see the below message:


Actually, the thing you have installed is not a Christmas theme; it is a browser plugin which, once installed, can monitor your browsing activity. Once you have installed this plugin, it contacts the remote site http://babylucy.info/g.js whenever you open your browser, and it will check for the script w.js on the remote site babylucy.info.



This w.js checks whether you have logged into your Facebook account by reading cookies. If so, it starts looking for your friends list and notes down their user IDs (Facebook IDs). Once the user IDs are collected, it does a calculation and starts posting the spam messages based on the number of friends you have. The @[315272001828192:0] seen in the script is nothing but the ID (link) of the FAKE FB page "Get All new Santa Claus theme for christmas". It also has scripts 'COUPONCI.info/test/script.js & COUPONCI.INFO/test/extra.js' referring to the older scam. So be cautious: with the new Timeline introduced in Facebook, it will look awkward once multiple spam posts are posted on your wall.



Using the FB search tab I searched for similar FAKE pages containing these malicious links. Till now I have found 2 pages and around 3000+ users infected. I fear it can increase in future, so please be careful and share this information with your friends before they click on these spam links.


If you have installed these extensions/plugins, I request you to uninstall them immediately, since they have the malicious code to post spam messages through your Facebook account. Below are the removal instructions for the installed malicious plugin.


If you're a Firefox user, go to Tools->Add-ons->Extension->Uninstall



If you’re a Chrome user, go to Tools->Extensions->Remove


The post on your wall has to be manually removed by selecting the 'X' mark in the top right corner of that spam post. Always install add-ons/extensions from known sources.
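If you are not sure which installed extension is the one to remove, you can scan the text of each unpacked extension's files for the hosts named in this post. The following is an added example, not code from the scam or from this blog; the function names and the sample file contents are constructed for illustration.

```javascript
// Hosts named in this post; compared case-insensitively.
const SCAM_HOSTS = ['babylucy.info', 'informativenews.in',
                    'couponci.info', 'latestnewsforall.co.cc'];

// Build a matcher for one host that also accepts subdomains but rejects
// look-alikes such as "notbabylucy.info" or "babylucy.info.example.com".
function hostPattern(host) {
  const escaped = host.replace(/\./g, '\\.');
  return new RegExp('(^|[^a-z0-9-])' + escaped + '(?![a-z0-9-]|\\.[a-z0-9-])', 'i');
}
const PATTERNS = SCAM_HOSTS.map(h => ({ host: h, re: hostPattern(h) }));

// files: object mapping a file name inside an unpacked extension to its text.
// Returns one finding per (file, line, host) hit.
function auditExtension(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const { host, re } of PATTERNS) {
        if (re.test(line)) findings.push({ file: name, line: i + 1, host });
      }
    });
  }
  return findings;
}

// Constructed sample: file names and contents invented for this example.
const suspectExtension = {
  'manifest.json': '{ "name": "Theme", "version": "1.0" }',
  'bg.js': "var s = document.createElement('script');\ns.src = 'http://babylucy.info/g.js';",
  'extra.js': "load('COUPONCI.INFO/test/extra.js');",
};
// Constructed look-alike hosts that must not be reported.
const benignExtension = {
  'main.js': "fetch('https://notbabylucy.info/a');\nfetch('https://babylucy.info.example.com/b');",
};

console.log(auditExtension(suspectExtension));
console.log(auditExtension(benignExtension));
```

Any extension that produces a finding is a candidate for the removal steps above.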


Now let's see who benefits from these scam messages and installed plugins. The site to which you were redirected contains an iframe link to the site http://babylucy.info/profile.php


When you click on the LIKE button, 'profile.php' will be contacted so that it can pop up the below window saying "Age Verification" and asking you to complete 2 surveys for a security check.



The scammers earn a commission for every survey that is completed. Their work is to drive traffic to the online surveys and make people enter their personal details. Then these details are used by marketing companies. The affiliate marketing company here is cpalead.com; please check the below JavaScript.


Another similar URL hosting this infection is http://latestnewsforall.co.cc/

4 comments:

  1. How does one remove it? One of my friends has this and it automatically goes on publishing everywhere. I can't find your previous blog for the solution, Siva!

  2. Please check this post and try to uninstall the installed plugin. http://sivanambivelu.blogspot.com/2011/12/new-facebook-worm-gets-installed-as.html

  3. @Andy Raval You can remove the plugin you installed.

  4. @Andy Raval - Hope it helps you now..
