Last week there was an outbreak on Facebook of video spam related to Osama bin Laden's death. The previous spam was basically variations of this:
If a curious user clicked on the link in the spam, it would eventually bring them to a page which basically makes the user manually send out spam to his own Facebook contacts, under the guise of a "security check" to view the video:
The user essentially copies, pastes and executes the script:
That code messages the user's first-degree friends (with spam).
So we were analyzing the previous run of video spam on our test machine, and today we woke up to find our Facebook Inboxes filled with tons of new spam, which has been revised so that we don't even need to copy and paste the script any more. How convenient.
The spam we received looked like this:
Then, we'd be expected to click the ==VERIFY MY ACCOUNT== at the bottom (note: we do not recommend this).
Then we saw this at the bottom of our browser:
The code would post the same message on our Facebook account's Wall as the message the previous spam run sent out to the first-degree contacts.
Next, a pop-up box appeared:
And then it redirects to this page:
It is not really clear what the aim of the author is; there does not seem to be any obvious monetary gain. But it is definitely an upgrade on the previous spam run.
On a side note — posted "via iPhone"? No, not really. Assigning 6628568379 to the app_id parameter apparently makes Facebook recognize the posting as being from an iPhone:
For example, visiting http://www.facebook.com/apps/application.php?id=6628568379 would lead to http://www.facebook.com/iphone.