Facebook infested with cut and paste Javascript survey scams


by Dave Michmerhuizen – Security Researcher

The Social Networking monitors at Barracuda Labs are reporting a virulent outbreak of survey scams on Facebook. These attacks use a variety of social engineering topics and spread via different Facebook APIs, but all use the same initial “cut and paste JavaScript” exploit to spread within the Facebook ecosystem.

How it works

All of these pages exploit a poorly understood feature of modern web browsers – the ability to execute JavaScript entered into the URL bar. You can demonstrate this yourself by entering the following in the URL bar of your browser

javascript:alert("Thanks for reading the Barracuda Labs blog!")

and pressing the Enter key.

JavaScript executed in this manner runs in the context of the currently loaded web page. If that page is Facebook and you're logged in, then the JavaScript has access to all the APIs and credentials that the authenticated Facebook page has. You can even demonstrate that by putting this example in the URL bar


The resulting message box displays the cookie (if any) that is associated with the currently loaded web page.

These scam pages all try to trick you into copying a bit of JavaScript onto the clipboard and pasting it into the URL box like so

It's no accident that this looks confusing, since the scammer doesn't want you to think too hard about what you're actually doing. “Just follow the instructions!” is what they say. What this particular snippet does is tell the currently loaded web page to load and run a much larger JavaScript file from elsewhere on the Internet, in this case http://hapenceiver.info/lock.js.
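The snippet's real work is the script element it appends to the page, and that load is something the site itself can govern with a Content-Security-Policy `script-src` allowlist. The block below is an added example, not code from the Barracuda Labs post or from Facebook: it models how a browser matches a script URL against the policy's source expressions. The page origin, the policy and the CDN host are constructed; only the hapenceiver.info/lock.js URL comes from the post. Path matching, nonces and hashes are left out.

```javascript
// Added example, not code from the Barracuda Labs post: a minimal model of how a
// Content-Security-Policy (CSP) script-src allowlist decides whether the script
// element that a pasted snippet appends may actually load. The page origin,
// policy and CDN host below are constructed; hapenceiver.info/lock.js is the
// host named in the post.

// Collect the source expressions that govern script loads: script-src, or
// default-src as the fallback when script-src is absent. null = unrestricted.
function scriptSources(policy) {
  const directives = new Map();
  for (const d of policy.split(";")) {
    const parts = d.trim().split(/\s+/).filter(Boolean);
    if (parts.length) directives.set(parts[0].toLowerCase(), parts.slice(1));
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// Does one source expression match scriptUrl? Supports 'self', 'none', '*',
// scheme sources (https:) and host sources with an optional scheme, a "*."
// wildcard and a port. Path matching and nonces/hashes are omitted.
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);
  if (expr === "'self'") return u.origin === pageOrigin;
  if (expr === "'none'") return false;
  if (expr === "*") return /^(https?|wss?):$/.test(u.protocol); // any network scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const pageProto = new URL(pageOrigin).protocol;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (u.protocol !== pageProto && !(pageProto === "http:" && u.protocol === "https:")) {
    return false; // no scheme given: the page's scheme (or its https upgrade) applies
  }
  const target = u.hostname.toLowerCase();
  const base = host.toLowerCase();
  if (wildcard ? !target.endsWith("." + base) : target !== base) return false;
  if (port === "*") return true;
  const defaultPort = u.protocol === "https:" || u.protocol === "wss:" ? "443" : "80";
  return (u.port || defaultPort) === (port || defaultPort);
}

// The load is permitted if any source expression matches, or if no directive
// restricts scripts at all.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  return sources.some((e) => sourceMatches(e, scriptUrl, pageOrigin));
}

// Constructed scenario: a first-party page whose policy trusts itself and one
// CDN. The pasted snippet's remote script comes from neither.
const PAGE_ORIGIN = "https://www.example-social.test"; // constructed
const POLICY = "default-src 'self'; script-src 'self' https://*.cdn.example-social.test"; // constructed

console.log(scriptAllowed(POLICY, PAGE_ORIGIN + "/js/app.js", PAGE_ORIGIN)); // true
console.log(scriptAllowed(POLICY, "https://static.cdn.example-social.test/widgets.js", PAGE_ORIGIN)); // true
console.log(scriptAllowed(POLICY, "http://hapenceiver.info/lock.js", PAGE_ORIGIN)); // false
```

The allowlist stops the appended script element from fetching lock.js, which is the step that turns a pasted one-liner into the full parameter-driven scam. It does not stop the user from running the pasted line itself: whether a browser subjects URL-bar `javascript:` execution to the page's CSP varies by browser, and later browser versions address that directly by stripping or refusing `javascript:` URLs pasted into the address bar. Treat the policy as defence in depth on the site's side, alongside those browser-side measures.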

The JavaScript file that is loaded goes right to work spreading the scam to your friends. There are a number of these files in circulation, all of them parameter-driven and so easy to use that would-be scammers don't even need to know how the script works. Just change the fake message and the scam landing page and they're good to go, as in this small sample of one script

The bulk of the JavaScript spreads the scam virally using various Facebook APIs such as messages, invitations and posts to friends' walls.

At one time these sorts of survey scams were spread via Facebook applications that attempted to trick you into “liking” them. A Facebook application requires scammers to apply for an AppID and to have a server. This “Cut and Paste JavaScript” approach only needs a cheap domain or even a Facebook page. Either is easy to set up, and with such a lowered bar to entry the scams are showing up everywhere. Prompting users to cut and paste JavaScript isn't new, but it's sure meeting with a lot of success.


What happens

Executing the JavaScript file that the code sample is from will post a message to every one of your friends' walls, like so

If a friend clicks through, they see the attack page, hosted on Facebook

and if that friend follows the directions, not only do they spam their friends, but they proceed on to a survey page, in this case disguised as a “security check”.
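Because the scam spreads only if the lure text reaches friends' walls, the post or message itself is the natural place to intercept it. The block below is an added example, not code from the Barracuda Labs post or from Facebook: a weighted heuristic scanner that flags "paste this into your address bar" lures in user-generated text, the kind of check a social site or web filter could run before a post is published. The signals, weights, thresholds and sample posts are all constructed; only the hapenceiver.info/lock.js host comes from the post.

```javascript
// Added example, not code from the Barracuda Labs post: a heuristic scanner for
// "paste this into your address bar" lures, the kind of check a social site or
// web filter could apply to posts and messages before they reach a friend's
// wall. Signals, weights and sample posts are constructed; only the
// hapenceiver.info/lock.js host comes from the post.

const LURE_SIGNALS = [
  { name: "javascript-url",          re: /\bjavascript\s*:/i,                         weight: 3 },
  { name: "address-bar-instruction", re: /\b(url|address|location)\s*bar\b/i,         weight: 2 },
  { name: "copy-paste-instruction",  re: /\b(copy|paste|ctrl\s*\+?\s*v)\b/i,          weight: 1 },
  { name: "remote-script-reference", re: /\bhttps?:\/\/[^\s"'<>]+\.js\b/i,            weight: 2 },
  { name: "dom-script-injection",    re: /createElement\s*\(\s*['"]script['"]\s*\)/i, weight: 3 },
];

// Score one post by summing the weights of the signals that fire. A javascript:
// URL next to an address-bar instruction (3 + 2) is the self-XSS lure itself
// and is blocked; a lone signal, such as "JavaScript:" in a book title, only
// goes to human review.
function scanPost(text) {
  const fired = LURE_SIGNALS.filter((s) => s.re.test(text));
  const score = fired.reduce((sum, s) => sum + s.weight, 0);
  const verdict = score >= 5 ? "block" : score >= 3 ? "review" : "allow";
  return { score, hits: fired.map((s) => s.name), verdict };
}

// Scan a batch of posts, keeping each post's id with its verdict.
function scanPosts(posts) {
  return posts.map((p) => ({ id: p.id, ...scanPost(p.text) }));
}

// Constructed sample posts: one lure, two benign posts, one false-positive candidate.
const SAMPLE_POSTS = [
  { id: 1, text: "OMG see who viewed your profile!! Copy this into your address bar and press Enter: javascript:(function(){ /* body elided in this constructed sample; the real lure loads http://hapenceiver.info/lock.js */ })()" },
  { id: 2, text: "Paste your favourite summer song in the comments" },
  { id: 3, text: "Setting window.location in JavaScript updates the URL bar, by the way" },
  { id: 4, text: "Book club reminder: JavaScript: The Good Parts, chapter 4, Tuesday" },
];

for (const result of scanPosts(SAMPLE_POSTS)) console.log(result);
```

The two-tier threshold is the point of the design: the lure scores 8 and is blocked outright, the developer chatter about the URL bar scores 2 and passes, and the book-club post trips only the `javascript:` signal (score 3), so it is queued for review rather than silently dropped. Weights and thresholds would be tuned against a site's own traffic; the signal list is deliberately small so that each hit is explainable to whoever reviews the queue.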

Following one of these all the way through lands you on the payoff screen.

The “security check” says it wants to send the results to your cell phone. Your cell phone number is really being requested in order to sign you up for a premium SMS service, as shown in the small type at the bottom of the page. This is how many Facebook survey scam pages make their money, and why they are so prevalent.


Barracuda Networks recommends you exercise special care when visiting links posted in your friends’ news feeds. Barracuda Web Filters and the Barracuda Web Filtering Service block access to these sites.
