Walker News

New Spam Attack Through Facebook Page And Event Invitation

The next time you see an event invitation on Facebook, look carefully at the clickable hyperlink, as it could be leading you into a trap.

Just now I got an invitation for an event titled “9 out of 10 people cannot watch this WITHOUT laughing!”:

Facebook event invitation spam

Out of curiosity, I opened the “Official YouTube Page” link in the “More info” section before responding to the invitation (Attend, Maybe, or No).
A response just helps the spammer get more potential victims to see this crafted event, so it is better not to answer the invitation request at all.

I then saw that this Facebook Page contains a prominent red stripe that says “This page is officially powered by YouTube”, together with a tempting video screenshot / title:

Spam in Facebook Page.

After I clicked the video, the page said a quick “security check” was required before I could watch the video:

A fake security check tricks people into clicking a Continue button that actually copies malicious code to the clipboard.

Finally, the real threat is about to start:

Tricking the user into completing the steps of the attack.

Once you follow the steps and hit the ENTER key, the JavaScript pasted into the address bar with the CTRL+V hotkey freezes Facebook while it performs spam activities.

Luckily, the script requires additional effort to run on IE9 with its default security settings, and when your Facebook account is set to maintain a full HTTPS session from login to logout.
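The paste step described above can be checked on the client side before the text ever reaches a URL field. The sketch below is an added example, not code from this post or from any browser; it assumes the pasted text is a script-scheme URI such as `javascript:` (the post only says it is JavaScript pasted into the address bar), and the function names and sample strings are constructed for illustration.

```javascript
// Added example: strip script schemes from text headed for a URL field.
// All names and sample strings here are constructed for illustration.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// Normalise the way URL parsers do before reading the scheme:
// drop leading/trailing C0 controls and spaces, remove tabs/newlines anywhere.
function normalizeForScheme(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased URL scheme of the text, or null if it has none.
function schemeOf(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForScheme(text));
  return m ? m[1].toLowerCase() : null;
}

// Strip script schemes repeatedly, so a doubled prefix such as
// "javascript:javascript:..." cannot survive a single pass.
function sanitizePaste(text) {
  let rest = normalizeForScheme(text);
  let stripped = 0;
  for (let s = schemeOf(rest); s !== null && SCRIPT_SCHEMES.has(s); s = schemeOf(rest)) {
    rest = normalizeForScheme(rest.slice(rest.indexOf(":") + 1));
    stripped++;
  }
  return { safeText: rest, stripped, blocked: stripped > 0 };
}

// Constructed samples: harmless placeholders, not the spam script itself.
const samples = [
  "javascript:void(0)",
  "  JaVa\tScRiPt:javascript:void(0)",
  "https://www.facebook.com/events/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizePaste(s)));
}
```

The mixed-case, tab-split sample shows why the scheme has to be read after normalisation: a plain prefix comparison against `javascript:` would let it through.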

Best of all, Facebook is immune to this threat and alerted me with this sweet message (below) when I logged back in to Facebook (after closing the frozen page):

Facebook's security mechanism protects the user's account from a malicious script code attack.

Anyway, be careful when you access an online account: if you are tempted to follow an unknown hyperlink found in that account, open it in a different brand of web browser.


2014  •  Privacy Policy