BuzzMania – ClickJacking / LikeJacking spam on Facebook!

When logging into Facebook this morning I saw that many of my friends posted a link to a video on their wall, and also everyone liked the link. The video was of a girl with a nice butt and it had the title “Laura Frisian: the most beautiful ass in the world!”, it was pretty obvious that it was a scam because it looked like all the other Facebook scams we have seen, but because soo many of my friends were posting this video I still decided to take a look at it.

I quickly ended up in a JavaScript hell, with obfuscated code and multiple domains. It seems that the server used in this scam is hosting about 300 pages similar to the one im writing about. All of the pages look the same, but have many different videos, a few examples are:

  • If you like Nutella, never look this video!!!
  • Drill a tooth abscess! Disgusting :s
  • Compilation of Embarrassing and Busted! Photos, Awesome 😀
  • Transgender 10-Year-Old, Boy Happier As A Girl !
  • A Really Giant Baby ! Amazing it looks so real 😀
  • Air Race Plane Crashed in the crowd during a show !
  • The worst thing that can happen to a girl!
  • A fisherman catches a couple when they make … 😀

There are also many different JavaScripts being loaded, one of the ones we have identified is the following one, and exactly what this one does is not clear yet:

But the synopsis of the scam is pretty simple. If you click on the link to the video you will end up on a splash page, on this page you will be exposed to a clickjacking/likejacking attempt. This means that if you try to watch the video, or any other video on the page it will automatically post things on your Facebook wall. This require that you are logged in to Facebook or have been logged in and your cookie is still active. There are two different splash pages, one if you are loggedin to Facebook, and one of you are not. Please see screenshots below:

If you are not logged in to Facebook


If you are logged in to Facebook

The full landing page looks like this:

The JavaScript code is obfuscated and packed, this makes the entire debugging more difficult, but during the research I have identified several domains connected to this scam. It also seems that they use redirectors to prevent URL/Domain denylisting, and there are also several different scams on each server.

It seems that the purpose of this scam is to expose you to ads, and also automatically get you to like certain ads. This will generate both traffic and money for the guys behind this.

Please, if you see this on Facebook, please report it as spam, this will allow the Facebook Security Team to deal with this much faster.

BuzzMania – ClickJacking / LikeJacking spam on Facebook!

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox