Update: As of 2:33am Melbourne time, the situation is contained. Facebook have removed the problematic page. Password changes are still recommended for the 11K people effected… if you visited the page I suggest changing your Facebook password as a precaution.
The information below is now only for the record. I have removed certain information to help prevent the spread of the problematic code.
We have a new Facebook scam / virus, it’s a page titled “This poor girl committed suicide after her father posted this on her wall”
If you have this showing up on your wall removal instructions are below. Please note that this page may pose a risk that can compromise your account.
How the scam works – non technical
There is a facebook page “This poor girl committed suicide after her father posted this on her wall” on the page is a popup that says “Security Check” and asks you to confirm you are over 18. When you click confirm three things happen…
1) The page makes it so you like the page
2) The page posts itself as a link to your wall
3) The page posts itself as a link to your wall again
Your friends will now wonder why you like this page, and click on it. This is how it spread.
Additional note: If the page doesn’t trigger the above action automatically there is a message below the “security box” telling you “Sometimes, nothing happens when you press Confirm. If that is the case, press the “Message Here” tab again.”
As far as you go, we’re not done yet. You now have a new screen. It pops up with a second post, again saying “security alert”, but this time saying it is checking if you are human. It asked you to click buttons in a certain order then press submit to prove you are human.
Now you get a choice of surveys to complete, if you choose one it will take you to an external site in a new window. The Facebook window will sit there checking if you have completed the survey yet.
This is the point of the scam / virus, the person who coded this is using a survey for cash program and collecting revenue either for your work or as the referrer. (At this point we stopped caring to analyse this further).
You can remove the scam using the steps below, technical information about this scam is being written up right now and will be here within 30 minutes.
You’ll probably need to click to enlarge these images and make them readable.
First it asks you to confirm your age.
Next it asks you to prove you are human: (Oh, and right clicking is, it says, “disabled by Facebook”)
Step 3 is where it asks you to choose a survey
Step 4, it opens a new window to show you your survey:
Mean time, the Facebook window sits there waiting for you to finish the survey:
Step 5: This is not really part of the scam, but trying to close the survey will cause some issues… the first few are popups. Don’t click any buttons on these, just press the escape key on the top left hand corner of your keyboard to get rid of them.
While these popups are distracting you, the site loads a new page:
Finally it closes!
Currently spreading at a rate of 1 person every six seconds. The limiting factors seems to be the server they are hosting it on… it can’t handle the load very well. This could be cause all their images are hosted on the server. They tried hosting them at image shack but the images were quickly removed (probably flagged due to bandwith skyrocketing which triggered an automatic response).
6458 8:59pm Melbourne, Australia time.
6473 9:00pm Melbourne, Australia time.Increase by 15 per minute.
6483 9:01pm Melbourne, Australia time. Increase by 10 per minute.
6493 9:02pm Melbourne, Australia time. Increase by 10 per minute.
6600 9:12pm Melbourne, Australia time. Increase by 10.7 per minute.
7510 10:25 Melbourne, Australia time. Increase by 910, 12.5 per minute.
8070 11:01 Melbourne, Australia time. Increase by 560, 15.6 per minute.
9835 11:50 Melbourne, Australia time. Increase by 775, 15.8 per minute.
10425 1:29 Melbourne, Australia time. Increase by 590, 6.0 per minute. A significant drop in the rate of spread.
10568 1:39 Melbourne, Australia time. Increase by 143, 14.3 per minute.
10817 1:52 Melbourne, Australia time. Increase by 249, 19.2 per minute.
11150 2:16 Melbourne, Australia time. Increase by 333, 13.9 per minute.
0 2:33 Melbourne, Australia time. Facebook disables the page. The “likes” have therefore vanished from everyone’s walls.
Firmly, the popup in step 1 above is not a popup, it is simply an image. Clicking it makes a call to a Facebook application, Application ID: 4949752878 more on that below.
The application is hosted on a server leadhoster.com and this domain is registered to a private (unpublished) owner. The registration is done by a German company AttractSoft GmbH. Their abuse e-mail address is firstname.lastname@example.org.
The application uses at least two sub-hosts on the server. The code is in PhP. The first set of code is like.php this is what adds the application to your wall, twice, and make you “like” it. Is this triggered by step 1. Once it has run it takes you to step 2, hosted on another sub-domain.
Step 2. This, for me, was on a second sub-domain it runs the blind.php file. This file stops right clicking and gives you the second pop up, when clicked it loads <a href=”http://www.cpalead.com”>http://www.cpalead.com</a> this is a site that provides surveys which generate cash for the person who gets you to fill them out. IT is designed to help content owners generate cash from people wanting to view their site. In this case the application is using it (for http://www.cpalead.com publisher id 114295) to get Facebook users to fill out surveys so the owner can get cash. This is the pay load from the application.
The major technical limiting factor on this applications seems to be that their server can’t handle a very high load.
The Facebook Application
I should note there is also an event, which lists this application in it’s name, which is running from Monday, March 7, 2011 · 3:30am – 6:30am. The event created by ?EVVAL YASEM?N YÜRÜK VE EREN BAKICI which is actually another Facebook page. This page has only 213 fans and is apparently based in ?stanbul, Turkey.
My facebook account password seems to have changed shortly after posting this… luckily I was logged in to tweet deck at the time, and as soon as it couldn’t login to facebook alarm bells went off. I immediately reset it and verified by phone.
1) Go to the page at http://www.facebook.com/pages/This-poor-girl-committed-suicide-after-her-dad-posted-this-on-her-wall/152552574785485?v=wall&ref=mf and click “unlike” on the left hand side
2) Go to your wall and hover over the two posts about this scam, now click the remove button
3) Go to the wall of who ever posted this (where you clicked it) and tell them to follow these instructions
4) reset your facebook password and any other accounts that use the same password – just to be safe.
This page was created by CIE’s director, Dr Andre Oboler. Dr Oboler is is a social media expert and holds a Ph.D. in computer science from Lancaster University, UK and in 2007-2008 was a Post-Doctoral Fellow in Political Science at Bar-Ilan University, Israel. He is a former Legacy Heritage Fellow at NGO Monitor in Jerusalem, and edits www.ZionismOnTheWeb.org – a website countering on-line hate. His personal site, including details of publications, is at www.Oboler.com.
CIE’s most recent social activism project was Meet Gilad, why not check it out while you are here?