A new attack campaign seems to be surfacing on Facebook.  This one focuses on the user directly activating a spam program.  An app will try to get users to copy a snippet of JavaScript into their browser’s location bar.  The app uses bait tactics, such as promises of “Themes for your Facebook wall” or “See who has viewed your Facebook profile”.

By the way, any app that claims to be able to do such things is lying.

Here is an example of one such site.

This particular one claims to provide Facebook themes. A short tutorial video simply tells the user to copy the snippet of code into the browser's address bar and hit enter. Most of the time the browser protects the user from a website trying to run code inside another site's pages, but there is nothing a browser can do if the user is the one who runs the code: a javascript: URL typed into the address bar executes in the page that is currently open, with all of that page's privileges.

This code will pop up a little box that looks like this:

Of course it is not really setting up themes, it is actually getting the user’s email address (to send spam to?).  It also posts itself to the user’s Facebook wall to lure more victims.  This last part doesn’t exactly work due to a bug in the JavaScript code.

Bottom line, don’t paste unknown JavaScript into your browser. Ever.

Those of you who want a more technical explanation of what this does, read on.

The code pasted into the browser adds a <script> tag to whatever page is open at the time. The src attribute points to a site controlled by the bad guys; every app we have seen so far used a different site. Normally the same-origin policy keeps a script running in one site's page from reading another site's cookies or page contents. But a script loaded through a <script> tag runs with the origin of the page that includes it, not the origin of the server it was fetched from. Because the user created that tag inside a Facebook page, the browser treats the foreign script as Facebook's own: it can read Facebook's cookies (those not flagged HttpOnly), read anything on the page such as the user's id and email address, and send requests that carry the user's logged-in Facebook session.

The script that gets pulled in from the bad guy's site is obfuscated by turning each character of the code into its numeric character code, then translating the numbers back into characters (the usual String.fromCharCode trick) right before execution. The unscrambled code in turn grabs the next chunk of even further obfuscated code and unscrambles that by subtracting some constant (23 in this case) from each number before translating it back to a character, yielding the final payload.
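A static de-obfuscator for the two-layer scheme described above, as an added example (this is not the campaign's code and the "payload" it unwraps is a constructed, harmless stand-in). It decodes the character-code layer, extracts the numeric array for the second layer, undoes the offset, and, because an analyst will not always know the offset, includes a guesser that tries every shift and keeps the one whose output looks most like JavaScript. Nothing is ever eval'd. The marker list and the guessing heuristic are assumptions of this example, not something the page describes.

```javascript
// Added example, not the campaign's code. All inputs are constructed and harmless.
// The idea is to unwrap the two obfuscation layers without ever executing them.

// Layer 1: a list of character codes -> text (what String.fromCharCode does).
function decodeCharCodes(codes) {
  return codes.map((c) => String.fromCharCode(c)).join("");
}

// Layer 2: every code was offset by `shift` before being stored, so undo that.
function decodeShifted(codes, shift) {
  return decodeCharCodes(codes.map((c) => c - shift));
}

// Pull every integer literal out of a decoded stage; the next stage's data
// is just a numeric array literal embedded somewhere in that text.
function extractNumbers(text) {
  const found = text.match(/\d+/g);
  return found ? found.map(Number) : [];
}

// When the offset is unknown, try every plausible one and keep the shift whose
// output looks most like JavaScript. "All printable ASCII" alone is not enough
// (neighbouring shifts also produce printable junk), so score on tokens a
// payload is likely to contain. Marker list is an assumption of this example.
const MARKERS = ["document", "function", "alert(", "var ", ";"];
function isPrintable(text) {
  return [...text].every((ch) => {
    const n = ch.charCodeAt(0);
    return (n >= 32 && n < 127) || "\n\r\t".includes(ch);
  });
}
function guessShift(codes, markers = MARKERS) {
  let best = { shift: 0, hits: -1 };
  for (let shift = 0; shift < 128; shift++) {
    const text = decodeShifted(codes, shift);
    if (!isPrintable(text)) continue;
    const hits = markers.filter((m) => text.includes(m)).length;
    if (hits > best.hits) best = { shift, hits };
  }
  return best.shift;
}

// Full unwrap: stage-1 codes -> stage-2 text -> shifted codes -> final payload.
// Pass `shift` when it is known (23 in the campaign); omit it to guess.
function unwrap(stage1Codes, shift) {
  const stage2 = decodeCharCodes(stage1Codes);
  const shifted = extractNumbers(stage2);
  const usedShift = shift === undefined ? guessShift(shifted) : shift;
  return { stage2, shift: usedShift, payload: decodeShifted(shifted, usedShift) };
}

// --- Constructed sample. The encoder exists only to build it. ---
function encodeCharCodes(text, shift = 0) {
  return Array.from(text, (ch) => ch.charCodeAt(0) + shift);
}
const SHIFT = 23; // the offset observed in the campaign
const samplePayload = "alert('final stage');"; // harmless stand-in for the real payload
const sampleStage2 = `var p=[${encodeCharCodes(samplePayload, SHIFT).join(",")}];`;
const sampleStage1 = encodeCharCodes(sampleStage2);

console.log(JSON.stringify(unwrap(sampleStage1), null, 2));
```

Running it prints the decoded stage-2 source, the guessed shift (23) and the final payload. On a real sample you would feed `unwrap` the numeric array lifted out of the remote script and, if the result is still obfuscated, run the extracted numbers through another round.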

There seems to be a bug in the final payload: a faulty regex fails to parse the user id out of the page source, which is likely why the wall post mentioned above never gets made.