Today, many Italian users found on their Facebook profiles some links similar to the one depicted below. For non-Italian speakers, the text can be translated as "Facebook security check. To see the video, follow these steps".

When the "Continue" button is pressed, the following form is displayed:

What happens under the hood is quite simple, and similar to other Facebook malware. The link posted on the victim's Facebook profile refers to a malicious SWF file (hxxp://www.cowboysaliensstreaming.com/tag/test.swf) which displays the two dialogs depicted above. Once executed, the applet also fills the clipboard with the text:

Then, the SWF asks the user to click on the address bar, press 'j' and then CTRL+V. The result is that the following text is copied in the address bar:

As a consequence, a piece of Javascript code is executed that can interact with the Facebook DOM document. The Javascript code fragment creates a new HTML <script> element which loads the resource stored at hxxp://www.cowboysaliensstreaming.com/tag/fb.php. The malicious resource spreads the malware to the Facebook friends of the victim, and eventually displays some spam links:

For those who are interested, a copy of the malicious Javascript code can be found here.

So nothing is really new with this sample: the same techniques have already been used several times in the past. What is astonishing is the number of victims: despite Internet users should be now familiar with these trivial threats, there have been more and more (mostly Italian) Facebook users who carefully followed the instructions of the malware, without even thinking about why they should ever copy a strange string in the address bar to see a YouTube video.

Leave a reply