500 free credits from Facebook – malware

There’s no such thing as a free lunch – or free Facebook credits. As proof, consider the attack described below, which has several stages:

1) Users get messages with offers of “free Facebook credits”  

2) These trick users into running a malicious JavaScript

3) The infected user is led to a website – which probably earns the malware distributor some pay-per-click revenue

4) The malicious script sends out more “free Facebook credits” messages and the cycle starts again

The attack starts in several ways but always includes messages from a compromised friend account:

  • A message with detailed instructions that require the user to actively run a malicious JavaScript by pasting the code into the browser’s address bar.
  • A chat message with the text: “%firstname% just tried this and got 500 Facebook credits works great” (the link leads to instructions similar to those above about loading the code into the address bar).
  • A message posted on the compromised user’s wall: “Did you guys hear about the Facebook glitch you can get 500 Facebook credits? check it out”.
  • An event invitation with similar free-credit content and a link to the instructions website.

Once a user follows the instructions the JavaScript malware will do the following:

1. Redirect the user to a “confirm your identity” page.

2. Users clicking on “Continue” are then directed to a verification dialog box with a link to “Get the New iPhone 4 Right Here”.

3. The final destination for those clicking on the iPhone 4 link will be the Smiley Central website.

The script sends the “500 free credits” messages to a certain number of the compromised user’s friends. We have also encountered variants of the script in which some of the details change, but the message and method basically remain the same.
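The lure messages quoted above share a recognisable shape: an offer of free or numbered Facebook credits plus a link, a “glitch” claim, a social-proof phrase, or a call to action, sent repeatedly from one account across chat, wall and event channels. The following is an added example of defender-side detection logic written for this post (it is not Commtouch’s or Facebook’s code): it scores individual messages for that lure pattern and then flags senders that emit the lure repeatedly, which is the behaviour of a compromised account in step 4. The sample messages, sender names and `lure.invalid` links are constructed for the example; the “unfilled template” signal is an assumption that a mass-messaging script which fails to substitute its `%firstname%` token leaves it in the text.

```python
import re
from collections import defaultdict

# Constructed sample messages modelled on the lure texts quoted in the post
# (not captured data). Fields: sender, channel, text. Links are placeholders.
SAMPLES = [
    ("alice", "chat", "Bob just tried this and got 500 Facebook credits works great http://lure.invalid/a"),
    ("alice", "wall", "Did you guys hear about the Facebook glitch you can get 500 Facebook credits? check it out http://lure.invalid/b"),
    ("alice", "event", "Free Facebook credits - instructions at http://lure.invalid/c"),
    ("alice", "chat", "%firstname% just tried this and got 500 Facebook credits works great http://lure.invalid/a"),
    ("bob", "chat", "Are we still meeting at 7 tonight?"),
    ("bob", "wall", "Happy birthday! Hope you get lots of credit for all your hard work."),
]

# Primary signal: an offer of "free credits" or "<number> Facebook credits".
CREDITS_RE = re.compile(r"\b(?:free|\d+)\s+(?:facebook\s+)?credits?\b", re.I)

# Secondary signals taken from the wording of the quoted lures.
SECONDARY = {
    "link": re.compile(r"https?://\S+", re.I),
    "glitch": re.compile(r"\bglitch\b", re.I),
    "social proof": re.compile(r"\bjust\s+tried\s+this\b", re.I),
    "call to action": re.compile(r"\bcheck\s+it\s+out\b", re.I),
    # Assumption: a mass-messaging script that fails to substitute its
    # template token leaves "%firstname%"-style markers in the text.
    "unfilled template": re.compile(r"%\w+%"),
}


def score_message(text):
    """Return (suspicious, reasons).

    A message counts as a lure only if it mentions free/numbered credits AND
    carries at least one secondary signal; a plain "I have 500 Facebook
    credits" is not flagged on its own.
    """
    reasons = []
    if not CREDITS_RE.search(text):
        return False, reasons
    reasons.append("credits offer")
    for name, pattern in SECONDARY.items():
        if pattern.search(text):
            reasons.append(name)
    return len(reasons) >= 2, reasons


def flag_senders(messages, threshold=2):
    """Group lure hits per sender.

    An account that sends the lure repeatedly, across channels, is behaving
    like the compromised friend account the post describes; the threshold
    keeps a single forwarded joke from tripping the alert.
    """
    hits = defaultdict(list)
    for sender, channel, text in messages:
        suspicious, reasons = score_message(text)
        if suspicious:
            hits[sender].append((channel, reasons))
    return {sender: h for sender, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for sender, channel, text in SAMPLES:
        suspicious, reasons = score_message(text)
        print(f"{sender:6} {channel:6} suspicious={suspicious} reasons={reasons}")
    print("flagged senders:", sorted(flag_senders(SAMPLES)))
```

Run as a script, the block prints a verdict per sample and reports `alice` as the only flagged sender. The two-signal rule is the important design choice: keying on the phrase “Facebook credits” alone would flag legitimate conversations, while requiring the credits offer together with a link or one of the lure phrases tracks the actual campaign wording and the per-sender threshold ties the alert to the account that is doing the spreading.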

Commtouch’s Command Antivirus detects the JavaScript as malware: JS/Agent.ON.

Be careful when trusting messages, even from your friends. Also – have a look at the Facebook Security page (www.facebook.com/security). Safe Browsing!