Facebook User Error Behind Porn, Mutilation Spam

A campaign of explicit spam on Facebook this week has been linked to a relatively obscure exploit method known as self-inflicted JavaScript injection and not malicious code running on Facebook’s massive network, an independent analysis has shown.


The campaign, in which violent and pornographic images appeared on the walls of various users on the network, caught the attention of the media this week after users began complaining. Though initial reports suggested the explicit images were spreading automatically between Facebook users, security firm Zscaler said their analysis suggests that is not the case.

In a blog post published yesterday, the researchers argued that the attack required Facebook users to copy and paste JavaScript directly into their browser’s address bar. That script allowed the attackers to modify the user’s Facebook page, posting the offending images and then messaging the user’s Facebook friend network.
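As an added illustration of the address-bar vector described above (this is not code from the article or from Zscaler's analysis), the check below mirrors the defence modern browsers apply to pasted text: the string is normalised and, if it resolves to a `javascript:` URL, the scheme is stripped so nothing executes. The function names are assumptions, and the inputs are constructed samples.

```javascript
// Added example: guard against "self-inflicted" javascript: URLs reaching an
// address bar. Browsers strip the scheme from pasted text; this reproduces
// that behaviour so the edge cases are explicit. Function names are
// assumptions, not part of any browser or Facebook API.

// URL parsers ignore leading whitespace and ASCII control characters, and
// drop tabs/newlines inside the scheme, so "  JavaScript:" and
// "java\tscript:" both carry the same scheme as "javascript:".
function normaliseScheme(input) {
  const trimmed = String(input).replace(/^[\s\u0000-\u001f]+/, "");
  const colon = trimmed.indexOf(":");
  if (colon < 0) return null; // no scheme at all (e.g. "facebook.com")
  const scheme = trimmed.slice(0, colon).replace(/[\t\n\r]/g, "").toLowerCase();
  // Only a syntactically valid scheme counts; anything else is not a URL.
  return /^[a-z][a-z0-9+.-]*$/.test(scheme) ? scheme : null;
}

function isScriptUrl(input) {
  return normaliseScheme(input) === "javascript";
}

// What a browser does with pasted text: keep ordinary URLs unchanged, but
// remove the "javascript:" scheme so the remainder is treated as inert text.
// Run this over the assembled address-bar string, not only the clipboard
// fragment, since the final string is what would execute.
function sanitisePastedUrl(input) {
  if (!isScriptUrl(input)) return String(input);
  const trimmed = String(input).replace(/^[\s\u0000-\u001f]+/, "");
  return trimmed.slice(trimmed.indexOf(":") + 1);
}

// Constructed samples illustrating the normalisation.
const SAMPLES = ["javascript:void(0)", "  JaVaScRiPt:void(0)", "java\tscript:void(0)",
                 "https://www.facebook.com/", "facebook.com"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", isScriptUrl(s) ? "script URL (blocked)" : "plain URL");
}
```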

Facebook has reportedly scrubbed their network of the majority of the offensive content.

Zscaler claims this sort of exploit technique isn’t new, and that it was widely used in the spate of Facebook attacks that occurred shortly after the death of Osama bin Laden. The method is, however, less frequently used than the standard like/click-jacking scams we’ve all become accustomed to seeing on Facebook,


Discussion

  • Anonymous on

    In my experience with this type of exploit, the user does not actually copy the JavaScript as implied in this article and discussed in the blog post, but instead the JavaScript (except for the initial character) is automatically placed on the user's clipboard.  The user is then instructed to type the first character in their address bar and then press ctrl+v and enter. 

  • asmiller-ke6seh on

    "User Error"? User "ERROR"?!!!! How about "User Stupidity". It's a Social Engineering attack, enabled by really naive users who shouldn't be given the Internet "keys" to drive.

  • Dave B. on

    You can't fix stupid...

  • Anonymous on

    That's why we need to educate the general public about computer & network security, starting from setting up a strong password...

    This should be all security researchers' goal, at least one of the goals: cure from the root.

    In most cases, the policy/protocols/tech are NOT bad, but

    a) people who don't know about it--general users, got hurt;

    b) people abuse the rules--spammers;

    c) people who destroy/break the rules-- attackers.

  • Anonymous on

    I am making a motion for internet licenses, who is with me?
