Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Yet Another Facebook Scam – You Look So Stupid In This Video

May 16, 2011 - 2 min read
Today, we have come across yet another rapidly spreading Facebook scam. The ultimate aim of this scam is to coerce Facebook users into completing various surveys which in turn generate money for the scammer. The messages arrive with embedded Flash video and different messages such as “WTF!! You look so stupid in this video” or “yo, why are you on this video” etc. Below is a screenshot of such messages:


ImageThe post displays fake meta data showing the number of “Views”, “Likes”, etc. to make the posts appear more genuine. When a user clicks on the video link, the Flash file loads in the background. Once the loaded, it prompts the user to play a fake video. When the user clicks again to play the video, it looks like,
The above message displays instructions with keyboard shortcuts that cause the victim to paste clipboard information in the address bar. The flash file itself sets the clipboard data with malicious JavaScript which further spreads the attack. Here is what the malicious JavaScript looks like:
ImageLet’s format this for better readability. Here is a formatted version:

ImageIf user runs this malicious JavaScript in the address bar, the script will randomly load one of two JavaScript files from different domains. The “config.js” is actually used to further spread this scam using different descriptions of the video. This JavaScript file not only posts the same flash video message to user’s wall, but also their friends walls. Here is partial screenshot of “config.js” file:

ImageThe above code contains all the configuration settings for spreading this message with different text messages and different domains. The “config.js” file also contains the code for posting the message to wall of every Facebook friend.

ImageHere is what the source of “verify.js” looks like:

ImageThe above file references yet another JavaScript file. This referenced file is used to keep track of real time stats. The user is further prompted with message box asking “Please verify your identity” by taking surveys as shown below:

ImageIt will keep checking for the survey to be completed even if you click “Complete” button without taking the survey. This is yet another scam run by attackers to earn some money by encouraging Facebook users to complete surveys that pay for completion. This is not the first time we have seen such a scam spreading on Facebook. Attackers are doing an excellent job by taking advantages of both social engineering and social networking.

Believe me - I don’t look stupid in that video!



form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.