Wednesday, November 16, 2011

A Browser Vulnerability and Users Tricked into Copy-Pasting JavaScript May Explain the Facebook Wave of Pornographic and Violent Spam.

Article first published as "Browser Vulnerability, Tricked Users May Explain Disturbing Facebook Spam" on Technorati.
By Cesar Ortiz
Facebook claims to have found an explanation for the current wave of spam attacks, including explicit hardcore porn images, videos, Photoshopped pictures of celebrities like Justin Bieber in sexual situations, pictures of extreme violence and even photographs of animal cruelty. These are among many gross pictures being propagated. Users tend to see the images posted on a friend’s account, visible to everyone but the friend in question. Facebook’s latest statement says the root of the attack is a malicious JavaScript that some users were tricked into copying and then pasting into their browser’s URL address bar. Facebook released this statement:

 Beginning of quote

“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar, causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

End of quote

Hackers are tricking users into manually doing a copy-paste. This form of cross-site scripting lets an attacker execute JavaScript code in your browser with access to, and control over, the website you are logged into. Facebook says that users were tricked into copying and pasting the offending JavaScript into the address bar of the affected web browser, but does not identify the specific browser.

The modus operandi of the hackers is to entice you to do a copy-paste. Users are spreading the scam manually and unwillingly. Users are told to “Erase everything in your address bar, copy and paste the code below, and press enter”. This is not just any URL; it is full-fledged JavaScript code that will initiate the posting of the porn and violent spam to your friends’ news feeds. Why do the scammers use the “copy-paste” option? Scammers are using JavaScript, and users are in fact entering and executing the script for the scammers. The “click a link” method makes the whole task much harder and leaves ID traces, hence the use of the copy-paste option. The hook that prompts users to do the copy-paste is changed constantly; it may be “free Starbucks coffee for a month” or a warning to fellow social media users of “some danger”, etc. If someone, even a friend, on any social media site asks you to do a copy-paste, beware!
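As an added example (not part of the original article, and not Facebook’s own tooling), the following Python script sketches one server-side check a site could run over user-generated posts: it flags text that combines the lure wording quoted above (“erase everything in your address bar, copy and paste the code below, and press enter”) with tokens that mark the pasted content as executable script rather than a plain link. Lure wording alone appears in harmless posts and script tokens alone appear in developer chatter, so only the combination is flagged. The phrase lists, the sample posts and the flagging rule are all constructed for illustration; the placeholder “payload elided” stands in for whatever script a real lure would carry.

```python
"""Heuristic detector for self-XSS lure posts (constructed example)."""
import re
from dataclasses import dataclass, field

# Phrases that instruct the reader to run something in the browser's address bar.
# Constructed list, modelled on the lure wording quoted in the article.
LURE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(?:address|url|location)\s+bar\b",
    r"\bpaste\s+(?:the|this)\s+code\b",
    r"\bcopy\s+and\s+paste\b",
    r"\bpress\s+enter\b",
)]

# Tokens that mark pasted text as executable script rather than a plain URL.
# "java\s*script\s*:" also catches the "java script:" spacing seen in lures.
SCRIPT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bjava\s*script\s*:",
    r"\bdocument\.\w+",
    r"\beval\s*\(",
    r"\bfromCharCode\b",
    r"<script\b",
)]


@dataclass
class Verdict:
    lure_hits: list = field(default_factory=list)
    script_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only when instruction wording AND script tokens occur together.
        return bool(self.lure_hits) and bool(self.script_hits)


def assess(text: str) -> Verdict:
    """Collect matched lure phrases and script tokens for one post."""
    verdict = Verdict()
    for pattern in LURE_PATTERNS:
        match = pattern.search(text)
        if match:
            verdict.lure_hits.append(" ".join(match.group(0).lower().split()))
    for pattern in SCRIPT_PATTERNS:
        match = pattern.search(text)
        if match:
            verdict.script_hits.append("".join(match.group(0).lower().split()))
    return verdict


def scan_posts(posts) -> list:
    """Return the indexes of posts that look like self-XSS lures."""
    return [i for i, text in enumerate(posts) if assess(text).suspicious]


# Constructed sample posts: index 0 and 4 are lures, the rest are benign.
SAMPLE_POSTS = [
    "OMG free Starbucks coffee for a month!! Erase everything in your address bar, "
    "copy and paste the code below, and press enter:\n"
    "javascript:void(/* payload elided, constructed sample */0)",
    "Free Starbucks coffee for a month? Sounds like a scam, do not paste anything.",
    "In our bookmarklet we call document.getElementById(); see the docs.",
    "Copy and paste this link into your address bar: http://example.com/photo",
    "WARNING your friends are in danger! Clear your URL bar, paste the code below, press enter\n"
    "java script: eval(/* payload elided, constructed sample */'')",
]

if __name__ == "__main__":
    for index in scan_posts(SAMPLE_POSTS):
        verdict = assess(SAMPLE_POSTS[index])
        print(f"post {index}: lure={verdict.lure_hits} script={verdict.script_hits}")
```

A production filter would pair this with rate limiting on posting and with a moderation queue rather than silently dropping posts, since the heuristic will produce false positives on security-awareness posts that quote the lure text; the value of the check is that both halves of the pattern must be present, which a benign post rarely satisfies.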

Who is behind this campaign? Facebook uses the word “coordinated” to describe the attack, which could mean several servers, possibly in several locations, acting at the same time. This time it is not a case of a hacker or scammer wanting to steal your hard-earned money or your identity. This is a concerted, sophisticated effort to harm and disgrace Facebook.

Users who are victims of this scam should do the following:
(1) Remove any related items from your Facebook news feed and wall page.
(2) Notify your friends and make sure you explain that you sent them the scam posting unwillingly.
(3) Run your anti-virus in full scan mode and set it to real-time scanning.
