As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.

As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.

[Video] - This is what Happend to his Ex Girl Friend!

vidoea[REMOVED].blogspot.com

Play Video! She was Hurting for days, and could not walk!

Once the goo.gl link is clicked, the user is re-directed to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of potential victims deceived by this scam.

The first page is just a redirector page that sets up some Meta tags for Facebook and then uses a small JavaScript with a top.location.href redirect to another domain. This page then displays the familiar “user age verification” trick and asks the user to click twice on the “Jaa” button. The “Jaa” button is the Finnish version of the “Share” button. The page simply sets the local language for the Facebook window to Finnish by using the following locale parameter:

/sharer.php?locale=fi_FI

This trick would work better in German speaking countries, since “Ja” means “Yes” in German and would therefore make more sense. It is surprising that this particular scam has not been seen with German text yet. Having said that, the English text of the scam is not very fluent, so that might explain why the authors have not explored the possibility of spreading the scam through the German language yet.

Usually this is where the “click-jacking” takes place and where an invisible frame overlaps the “Play” button. The intention of this trick is to cause users to unknowingly click the “Share” button and spread the scam further. In this particular version, however, there was no click-jacking involved. When the “Play” button is clicked, a normal window is generated where the user has to click a button to share the link. Therefore, one click in this instance is enough without needing to “click-jack”.

Thus far there has been nothing special or new with this scam. However, when analysing the JavaScript code on the backend I noticed the following:

/*

OoPs! g00d luck.n00B. xD

*/

function Blowfish(k){...



Initially, I thought that this was just a poor implementation of some cryptography. On closer inspection, however, the S-boxes and the multiple rounds made me realize that this actually is strong cryptography. A few minutes later I realized that the authors of the scam are using the public code from an HTML encrypter on Google code to first encrypt the payload with AES 256 and then with Blowfish. For the second loop they even link to the online JavaScript file in the SVN repository directly:

[http://]html-encrypter.googlecode.com/svn/trunk/hea2[REMOVED]

This may make the obfuscated script pass through some network security tools that look for signatures, but since the client needs to be able to decrypt, it is not hard for an analyst or an advanced browser protection solution to cut through it.

The rest of the scam is straight forward. After the link is shared by the user, they get redirected to a survey page before a slightly related video is shown. The user is then presented with offers for premium mobile subscription services for 8 Euro per week.

Symantec would like to encourage Facebook users to report any scams that they encounter to Facebook. The Facebook security team is currently working on this particular scam and they are blocking and removing the threat as new versions appear.