As is the case with every long weekend, the 4th of July weekend brought quite a lot of scams spreading through Facebook. Besides the usual click-jacking, hoaxes, and phishing attacks, one particular scam was discovered that showed the imminent evolution of this type of attack.
As always, the scam commences with a bait message – this time referencing a must-see video of some ex-girlfriend. Interestingly enough, most of the themes that we encounter have been used many times before, but unfortunately people still fall for them.
[Video] - This is what Happend to his Ex Girl Friend!
Play Video! She was Hurting for days, and could not walk!
Once the goo.gl link is clicked, the user is re-directed to a remote site. Google’s statistics page for that specific link showed that about 15,000 users have clicked on it. Of course, there were multiple links involved, so this figure only indicates an average estimate of potential victims deceived by this scam.
This trick would work better in German speaking countries, since “Ja” means “Yes” in German and would therefore make more sense. It is surprising that this particular scam has not been seen with German text yet. Having said that, the English text of the scam is not very fluent, so that might explain why the authors have not explored the possibility of spreading the scam through the German language yet.
Usually this is where the “click-jacking” takes place and where an invisible frame overlaps the “Play” button. The intention of this trick is to cause users to unknowingly click the “Share” button and spread the scam further. In this particular version, however, there was no click-jacking involved. When the “Play” button is clicked, a normal window is generated where the user has to click a button to share the link. Therefore, one click in this instance is enough without needing to “click-jack”.
OoPs! g00d luck.n00B. xD
This may make the obfuscated script pass through some network security tools that look for signatures, but since the client needs to be able to decrypt, it is not hard for an analyst or an advanced browser protection solution to cut through it.
The rest of the scam is straight forward. After the link is shared by the user, they get redirected to a survey page before a slightly related video is shown. The user is then presented with offers for premium mobile subscription services for 8 Euro per week.
Symantec would like to encourage Facebook users to report any scams that they encounter to Facebook. The Facebook security team is currently working on this particular scam and they are blocking and removing the threat as new versions appear.