Dubious JavaScript Code Found in Facebook Application

Security Alerts

The top portion shows the original code that the user is prompted to enter while the lower portion shows the decrypted code. Notice that the original code has been obfuscated, in this case, using two well-known public JavaScript obfuscators—the Dean Edwards Packer and the Free JavaScript Obfuscator.

Going through this code step by step, it appears that it is meant to keep the specified page element hidden. It also overwrites the contents of a separate specified page element with that of another page element. The code also creates a simulated mouse click on the “suggest” element of the page. The code toward the end sets five-second timers that click items found in the suggestion box, which selects all of the user’s Facebook contacts and suggests the application to them. It then creates a simulated mouse click on the “like me” element of the page. While this code does not pose any other immediate threat apart from spamming Facebook walls and requests, there is nothing stopping cybercriminals from using these techniques to spread malware.
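The "decrypted code" view described above is reached by stripping the obfuscation layers. The following is an added example, not code from the post or from Trend Micro: it statically unpacks the Dean Edwards Packer layer without evaluating anything, on a sample wrapper and payload constructed here (the packer's own function body is elided because the unpacker never runs it). The second layer the post mentions, the Free JavaScript Obfuscator, is not handled.

```python
import re

# Constructed sample (not from the post): the Packer wrapper with its function body elided.
SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* packer body elided */}('6 2=0.1(\"2\");2.3.4=\"5\";9.7(8(){2.a=\\'\\'},b);',62,12,"
    "'document|getElementById|box|style|display|none|var|setTimeout|function|window|innerHTML|timeout'.split('|'),0,{}))"
)
# Argument tail the packer always emits: }('<payload>',<radix>,<count>,'<w0|w1|..>'.split('|'),0,{}))
_TAIL = re.compile(r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),0,\{\}\)\)")

def looks_packed(code):
    # Triage check for a pasted snippet: Packer prologue plus its argument tail.
    return "eval(function(p,a,c,k,e,d)" in code and _TAIL.search(code) is not None

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # the packer escapes only '\' and "'" in its literals

def _decode(token, radix):
    # Invert the packer's e(c): digits 0-9, then a-z (10-35), then A-Z (36-61).
    value = 0
    for ch in token:
        if "0" <= ch <= "9":
            digit = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            digit = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            digit = ord(ch) - ord("A") + 36
        else:
            return None  # '_' never occurs in an encoded word
        if digit >= radix:
            return None
        value = value * radix + digit
    return value

def unpack(packed):
    # Rebuild the original source statically; nothing is evaluated.
    m = _TAIL.search(packed)
    if m is None:
        raise ValueError("not Dean Edwards Packer output")
    payload, radix = _unescape(m.group(1)), int(m.group(2))
    words = _unescape(m.group(4)).split("|")
    def restore(match):
        idx = _decode(match.group(0), radix)
        if idx is None or idx >= len(words) or not words[idx]:
            return match.group(0)  # empty slot: the word was left unencoded
        return words[idx]
    return re.sub(r"\w+", restore, payload, flags=re.ASCII)

if __name__ == "__main__":
    print(unpack(SAMPLE))
```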

TrendLabs senior advanced threats researcher Ryan Flores thinks it is interesting to note the user interaction involved in this method. He said, “(Because) Facebook is actively filtering spam URLs, spammers are becoming more clever in pushing spam sites without immediately posting actual spam URLs.” He believes this method is no longer new, citing as an earlier example nonclickable spam URLs embedded in .JPG images, which instructed the user to type the URL shown in the image into the browser’s address bar.

Fortunately, this threat’s highly user-interactive feature makes it preventable. Users must always be wary of possible fake applications in Facebook and avoid following dubious instructions similar to the ones used in this attack.


 http://blog.trendmicro.com/
