Saturday, April 16, 2011

warning: don't copy javascript into the URL bar when asked

i don't often come across malicious content online, but when i do i warn people about it.

today's lesson is to not copy javascript into the URL bar when you're in facebook (though that probably holds for most other social networking websites too). here's an example of what can happen.

while using facebook you might receive an invitation to an event like this

maybe you'll also receive a message like this

or perhaps you'll get a wall post that looks like this

then when you click you find yourself on a page laying out a step by step process like this one

if you're confused by the instructions they even have a nice little youtube video to explain how it's done

all you really need to do is click through the steps

then it takes you back to facebook where you're supposed to paste some javascript into the URL bar, and when you do (along with the other things that happen behind the scenes) you wind up at a page like this

continue doesn't take you anywhere, of course. the only thing you can do here is prove your identity by taking a quiz (yeah right).

of course there's no such thing as proving your identity by taking a quiz. the quiz requires you to sign up to some mobile service in order to get your results, and that mobile service isn't free. and guess what, there's no longer any mention of those 650 facebook credits anywhere at this point.

what you don't realize is that copying that javascript into the URL bar did a lot more than take you to some strange site. it also sent off facebook messages and wall posts and invitations to an event it just created in your name. and each person who falls for this spreads the scam further and further.

if there's one thing you should take away from this it's that you shouldn't copy javascript into the URL bar in facebook. it's basically a trick that the bad guys use to get their malicious scripts past facebook's defenses: a script you paste into the URL bar runs inside the facebook page you're logged into, so it can act as you.
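
the defensive side of this, as an added example that is not from the original post: a field that accepts URLs can neutralise a pasted `javascript:` prefix before acting on it. the function names and sample strings are made up for illustration, and the normalisation step assumes the field follows the usual URL-parser behaviour of ignoring leading whitespace and embedded tabs/newlines.

```javascript
// Added example (not from the original post): neutralise "javascript:" in
// text pasted into a URL field. Names and sample inputs are constructed.

// URL parsers drop leading control characters/spaces and remove tabs and
// newlines anywhere in the input, so the check must do the same or an
// obfuscated scheme such as "java\tscript:" slips past it.
function normalizeForSchemeCheck(text) {
  return text
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
}

const SCRIPT_SCHEME = /^javascript:/i;

// True when the pasted text would be interpreted as a script URL.
function hasScriptScheme(text) {
  return SCRIPT_SCHEME.test(normalizeForSchemeCheck(text));
}

// Strip every leading "javascript:" (repeatedly, so doubling the prefix does
// not survive one pass). What remains is plain text, not code that would run
// inside the page the user is logged into.
function neutralizePaste(text) {
  let rest = normalizeForSchemeCheck(text);
  let stripped = 0;
  while (SCRIPT_SCHEME.test(rest)) {
    rest = normalizeForSchemeCheck(rest.replace(SCRIPT_SCHEME, ""));
    stripped += 1;
  }
  // Leave ordinary pastes byte-for-byte unchanged.
  return { text: stripped > 0 ? rest : text, stripped };
}

// Constructed sample pastes; void(0) stands in for whatever followed the scheme.
const samples = [
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "javascript: javascript:void(0)",
  "https://example.com/?q=javascript:x",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(neutralizePaste(s)));
}
```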