Social Networks

Facebook Tag Scam Spreads like Wildfire, New Tactics Emerge

Two weeks ago, we wrote about the re-emergence of tag scams on Facebook. What seemed to be a basic worm at that time turned into inspiration for multiple cyber-criminal gangs. This week-end hackers took a more diversified approach to reaching victims’ browsers and wreaking havoc on Facebook walls.

Today’s scam is much more complex than what we described in the previous post. It all starts with an inciting image disguised as video posted on a user’s wall. Again, the scam message also features up until 20 friends tagged to it, which facilitates its spreading.


If the user is curious enough to click the link, they are taken to an external page via an anonymized service. The destination page is a Facebook clone that shows an alleged Youtube Video.

A look into the page’s source shows highly obfuscated (encrypted) JavaScript code that is responsible for identifying what browser and operating system the victim is using. If they browse the page from an iPad, iOS or Android device, they are redirected to a page that embeds a prank video on Youtube. The website would not attempt to cause any harm to these devices.


However, Windows or Mac OS X users running Chrome are prompted to download a malicious browser extension snuck into the official Google Chrome Store.

As of the time of writing this, more than 4,200 users had installed it. There are three extensions that we know of (one of them is called Koksty and specifically targets the Russian social network vKontakte). All of these Chrome extensions are still online. We have reported them to Google for takedown.


The addons themselves are the ones propagating the scam to victims. Since they reside in the browser, these extensions can perform any actions on behalf of the user, such as reading and modifying the data on the websites the user accesses.

This SmartVideo extension features a page called background.js. It has an obfuscated JavaScript function that looks like this:


Encrypted controller code that loads the Facebook share payload

When decrypted, the code points to another website controlled by the attacker; the sssssefv.js file loaded from this website is the controller page for this scam wave.

Oddly enough, the Facebook payload features multiple code comments such as “kur ti bon do foto tjera e kthen qysh ke , se qetash spo tbojn fotot”, which might hint that the hacker group responsible for this is of Albanian origin.

This controller script handles everything: it creates the anonymized links, fetches inciting photos to be used as bait for the Facebook post, creates short URLs for every new Facebook post and so much more. It’s a fully automated Facebook scam infrastructure.



So now you know how it all happens. Remember, don’t click anything that looks fishy, regardless of how shocking or inciting it appears to be. Hackers count on your curiosity to make you part of the scam. Stay safe!

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


Click here to post a comment