Facebook hoax "Prayers for Like"


The message is a disgraceful hoax designed to get maximum number of likes for a facebook page and further promote it through sharing the message.

A baby's photograph was taken out illegally from a personal facebook profile and is circulated without the parents permission. Unfortunately the baby from the photograph died two weeks after her birth. As the baby's picture is being circulated without the parents permission, it is causing great pain to them. If this hoax message comes your way, do not like or share it. Advisory, report this particular message to Facebook.

According to the facebook's currently distributed hoax message, you can offer prayers to this baby girl by liking or sharing the picture. However, liking or sharing the particular message would not help the baby, infact would cause considerable distress to the parents and make them belligerent.

The people who create these messages are highly motivated by the green eyed monster and look through the children whose pictures they misuse. Facebook pages with large number of likes are a source of black market and can also be sold to inhumane internet marketers and used to make further scam and hoax messages.

Believes of offering prayers for someone who is unfotunate is sane but reciprocating it through social networking sites is simply absurd. Are we to believe on a denigrating fact that, “almighty has a deal with facebook that one shrare contributes hundred prayers?”

Not only this it can also be seen on other pages including images of God and Godesses and they ask for a like or comment to seek There blessings.Well its ironical that even the Almighty now needs likes, shares and comments on their images for blessing the mankind.Huh.Well my suggestion is open up your eyes and think broadly.

If this message comes your way, do not like, share or comment on such a post. It plays in favour of inhumane and immoral people who earn from such hoaxes.

The company needs to take action that ensures that these scam messages are removed from the network as quickly as possible.

Moreover, facebook has actually removed some of the messages, as they have been reported a number of times. The company should ensure that these hoaxes are removed from the network as quickly as possible.

Phishing mail says 'DSVX virus' detected in Your Yahoo Mail


If you are getting emails saying that a virus detected in Your Yahoo Email account, ignore the emails.  It is none other than another tricky method used by cybercriminals to fool users.

Hoax-slayer has spotted a fake email claiming to be from Yahoo informs recipients that it has detected a so-called DSVX virus in your yahoo mail account and you have to update your account.

The email warns the recipients that if they failed to update, they will lose access to their email address.

It also claims the update will give latest spam protection, faster email and unlimited storage facility. 

To update their email, it asks the recipients to send their username, email id, password, email security question and answer, country, phone number and Date of Birth by clicking the Reply Button.

Keep in mind that Yahoo or any other organizations are never going to ask you to send your username and passwords or any other sensitive data via an unsecured email.

Scam Alert: Your Facebook Accounts will be Permanently Disabled

We have seen large numbers of facebook posts that promise something, but it turns out to be a scam.  Fb users are still believing such kind of posts and blindly following the instructions.  So, Cyber criminals are keep coming up with new themes to trick users.

Over the past few days, i have been receiving a facebook notifications informing that one of my friends mentioned me in a comment.  I had a look at the post, it is none other than a facebook scam.

The scam posts says "to all facebook users Your Facebook Accounts will Permanent Disable. you must register your account to avoid permanent disabled . How to register? Go to our pinned post. and follow instructions carefully!" 

It asks you to copy and paste some code in the console of your browser.  By blindly following the instructions of scammers,  users are allowing scammers to do various actions('like', 'sharing', 'tagging friends' and more) on their behalf.

Earlier this year,  we learned that scammers were tricking users by promising them that following the instructions will help them to hack their friends' accounts.

Cybercriminals abusing Microsoft Azure for phishing attacks


CyberCriminals usually host fake web pages on hacked websites, free web hosting, more recently they abused Google Docs.  These fake pages(phishing pages) trick unsuspecting users into handing over their personal and financial information.

Now, the cyber criminals have started to abuse the Microsoft's Azure cloud platform to host their fake websites.

Creating accounts on Azure is very easy and they are also offering a 30-day trial.  Once you are done with account creation, you can easily create your web pages using the main dashboard.

However, Registration process is not easy for criminals.  Because, it needs you to provide a valid phone number and credit card details.

MalwareBytes researchers says the attackers may have stolen the username and passwords from legitimate users that were already registered.

Netcraft has identified several phishing pages targeting users of Paypal, Apple, Visa, American express, Cielo hosted on Azure.

PhishTank records:
http://www.phishtank.com/phish_detail.php?phish_id=2428419
http://www.phishtank.com/phish_detail.php?phish_id=2391951
http://www.phishtank.com/phish_detail.php?phish_id=2342647
http://www.phishtank.com/phish_detail.php?phish_id=2174737

Beware of fake versions of Malwarebytes Anti-Malware 2.0 claiming to be free


It is always suggested not to download cracked versions of software, if you are really concerned about your Desktop security.  But, Downloading a cracked version of Antivirus or from unknown sources is height of stupidity.

MalwareBytes recently released new version 2.0 of the MalwareBytes Anti-Malware(MBAM). Cyber criminals have now started to trick users into installing the fake versions of this security application.

Researchers at Malwarebytes have come across a number of websites offering free version their software, but are actually potentially unwanted programs.

These bogus applications are capable of making itself run every time, whenever the system is restarted.  They are also capable of accessing your browser cookies, list of restricted sites and browser history.

These apps also blocks users from accessing certain websites by adding them to Internet Explorer's restricted zone, which includes wikia, gamespot, Runescape online.

The security firm also have spotted premium version of MBAM with key generators on torrent websites.  But, in this particular case, users are asked to fill survey in order to download the app.  Filling these kind of surveys will help the cybercriminals to earn money. 

Emails promising CNN article about HeartBleed vulnerability leads to Spam sites

Cyber Criminals often take advantage of hottest topics and latest events to entice users into visiting spam websites. The HeartBleed bug, which has made headlines over the past few weeks, is no exception.

Now, spammers are sending out emails with subject "HeartBleed Bug warning". The spam campaign was discovered by Security researchers at TrendMicro. 

"I Just want to let you know there is a big security concern now in the internet.  The Internet bug called Heartbleed Bug, was recently discovered by experts.  So if were you, you need to change your internet passwords specially your banking passwords." The spam email reads.

"Check for this report in CNN. Report from CNN[LINK]"

If the link provided in the email led to the actual CNN report, the email may have been considered as cyber security awareness email.  But, the link leads to some malicious webpage.

One good thing what spammers did is notifying users about the HeartBleed vulnerability and suggest recipients to change their password.  If the link provided in the email.

Phishing pages trick Steam users to Upload SSFN file

Is Steam login page asking you to upload SSFN file? Think twice before uploading, because the legitimate steam site never asks you to upload SSFN file.

Steam Guard is extra layer of security.  It will ask you to enter a verification code sent to your email, whenever you try to log in from a computer you haven't used before.

This feature will prevent attackers from taking control of your steam account, even if they know your login id and password. 

However, there is new Phishing scam uncovered by MalwareBytes that bypasses the Steam Guard protection.  It tricks users into handing over their login credentials and the SSFN file.

What is SSFN File?
SSFN is the file that avoids you from having to verify your identity through Steam Guard every time you login to Steam on your computer.  If an user deletes this file, he will be asked to verify again and new SSFN file will be generated and stored in your pc.

If you upload your SSFN file to a phishing page, attackers can use this file with username &password to take control of your account.

In a reddit thread, several users have reported that they got fooled by this phishing scam.

"Steam will never ask you to provide any Steam Guard files. If you upload or give a user your Steam Guard .SSFN file, they can gain access to your account without accessing your email account. However, they must know your Steam account password and username to use this file" Valve article about Steam Guard reads.

European Apple users targeted with phishing emails

A new phishing campaign targeting European users of Apple store which promises to offer a discount.

Security researchers at Kaspersky have spotted a new spam mail targeting Apple users, tricks users into thinking that they can get discounts of 150 euros by just paying 9 euros.

"Apple is rewarding its long-term customers.  Your loyalty for our products made you eligible for buying an Apple discount card" The spam mail reads.

The spam mail asks users to download an attached HTML file and fill the form, where users are being asked to enter personal information as well as credit card information.

The scammers spoofed the email address such that it makes the email pretending to be from informs@apple.com.  They also promised to send the discount card within 24 hours, after filling the form.

If a recipient follows the instructions and fill the form, the phishing file will send the data to the attacker server.  The attacker will use the given financial data. 

Users targeted with large number of Spam mails containing Banking Trojan

 
A new massive spam campaign has been spotted by security researchers at AppRiver which sends large amount of spam mails to data centers in an effort to evade Email-filtering engines.

AppRiver's data centers received 10 to 12 times normal traffic.  Even though AppRiver managed to block the spam mails, tremendous volume of traffic caused some of its customers delays in sending and receiving emails.

CyberCriminals are targeting users with large amount of emails with varying premise.  One of the spam mails is targeting Bank of America customers.  A fake alert message pretending to be from Bank of America contains a Bredo malware.

Researchers say the malware is capable of recording the keystrokes and steal financial information.  It has also capabilities to do download additional malware on the victim's machine.  The spam mails reportedly detected only by 11 out of 51 antiviruses.

Another mail analyzed by AppRiver is pretending to be from "VISA/MasterCard" and informs recipients that their account has been blocked due to unusual activity.

Some of the malicious attached files have pointed to Andromeda botnet and some other pointing to Bredo Botnet.  This botnet activity being referred as TidalWave/TidalBotnet by AppRiver.

Facebook Scams: "Hacking any Facebook Account", "Facebook Music Theme"


A new facebook scam which is claimed to be a script to "Hack any Facebook account" is spreading like Wildfire.  Recently, i also came across a facebook scam post that promise a "Facebook Music Theme". I've been tagged in the spam posts by more than 20 friends within a week.

The post has a link to a script file which is randomly hosted in dropbox, pastebin, textuploader and other file hosting services.

The post tricks users into thinking that it is a script to hack any facebook accounts.  It urge users to use it before it is getting blocked by facebook.

It asks them to copy the script and paste in the "console" section of the "inspect element" option in your browser.  It claims you will get username and password once you done the process.


Here is what exactly happening:
When you execute paste the code in the console section, it will run the code on behalf you.  So, it will send several requests including "Like" & "comment" request".  It means that you are unknowingly "liked" and "commented" on the scammer's pages.


It also tag all of your friends in a comment so that it can spread the scam further and get more victims.

I can't believe that there are still plenty of people out there who still believe some stupid scripts can hack accounts.

Are you one of the victim who followed the stupid instructions? 
No need to panic.  As far as i know, the script only "likes"& "comments" on behalf you.  So, you can simply go to "Activity" log page in your account and unlike & uncomment them.  If you are reading this article, make sure you are not doing the same mistake again.

Facebook Scam: World's Largest Snake Video and Shark Eating Man Videos

Facebook Survey Scam
Attention Facebook users ! If you are seeing a Facebook post promising outrageous videos, for instance"Shocking video: World's Largest Snake Video, Don't click it, It is nothing other than Survey Scam.

There are various facebook posts circulating with different bogus title in facebook that leads to a survey scam page.

So far, the topics used in the scam campaign are " SHOCKING VIDEO World’s Largest Snake Found In [Brazil /Mexico ]", "Exclusive: Shark eats the swimming man in an Ocean!! Watch the video".

Facebook Scam post
The user who clicks the link in the post will be taken to a web page where they are asked to complete the survey in order to view the video and share the video in their facebook account.

At the end, you will get nothing other than being a victim of the scam.  Remember, there is no such videos.  If you come across these kind of posts, just ignore it /report it to Facebook.

Spam mail promising Adobe License key delivers Trojan

 Adobe has issued a warning about a new spam email campaign which is purporting to deliver License key for a variety of Adobe products.  

Security researchers at MX Lab, have come across the spam emails with the subjects such as "Download your License Key", "Than you for your order" that distributes a new Trojan.

The attacker managed to spoof the email address so that it will appear to be from Adobe Inc.  The email thank the recipient for buying a various Adobe products and informs them "License Key" is attached with the email.


Those whose eagerly searching for a new License key definitely open the attachment.  The attached file "License_Key_OR8957.zip" is nothing but a malware.

At the time of writing, 27/49 Antivirus engines detect it at VirusTotal.  It appears the cyber criminal use the same technique from 2011.

Nigerian man jailed for $1.5 m phishing scam targeting students

A Nigerian man has been sentenced to three years and nine months for taking part in a $1.5 m phishing scam targeting UK students.

Olajide Onikoyi, 29-year-old, from Manchester, was one of the person of a criminal group who targeted students by sending phishing emails inviting them to update student load details.

According to SKY News, he laundered £393,000 from 238 victims in total, including one student who had £19,000 taken from his account.

When Metropolitan police central e-crime unit seized his computers, they found a chat logs that revealed he was conspiring with criminals in Russia, Lithuania and UK.

A number of other people have also been jailed in connection with the scam.

Users are all advised to be extreme caution when clicking links in unsolicited emails, log into the websites directly by entering the url of the site instead of clicking the link.

Halifax Bank phishing email claims "3rd party Intrusion detected"


A phishing email targeting UK-based Halifax Bank users attempt to trick recipients into handing over their sensitive information.

The email informs the recipients that "3rd party intrusions" have been detected and their account has been limited for security reasons, according to Hoax-slayer.

To restore the account, it asks recipients to confirm their identify and verify that their account has not been used for fraud purposes, by filling an online validation form.

Once the victim opened the link provided in the email, it will take them to a fake Halifax Bank website where it will ask them to log in.  Then, it will ask victims to enter their personal information such as name, phone number, birth dates.

In next form, they will be asked to enter sensitive information such as Account Number, sort code, card number, expiration date and security code.

As usual in phishing scams, once the form is filled, the victim will be automatically redirected to the legitimate Halifax Bank website.

WordPress Plugins containing Backdoor distributed via phishing emails

What would you do when you receive an email offering Pro version of Wordpress plugin for free, if you are a WordPress user? Don't get tempted by such kind of emails, they also give malicious code for free!

Sucuri reported about a phishing emails asking their clients to download Pro-version of "All in one SEO Pack" WordPress plugin.  The email claims that the plugin is $79.00 worth and giving it for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program.  You are the 23rd from 100 uniques winners." The phishing email reads.

Credit : Sucuri

The download link provided in the email is not linked to WordPress plugin store, it is linked to a zip file hosted in a compromised website.

Security researchers at Sucuri analyzed the plugin and found out that it is modified with a Backdoor which gives attackers full access to the server.

The malicious code in the plugin replaces the index.php file with the malicious code retrieved from the attacker's server.  So, when user visit the site, they either redirected to SPAM sites or to Exploit kits where it will infect the visitor's system.

Scammers once again take Advantage of Deepavali Festival

CyberCriminals always try to take advantage of festivals.  As expected, cyber criminals have started to sending Diwali themed scam emails.  Diwali/Deepavali is a Hindu festival which is being celebrated in Nov 2,this year.

One of the scam email spotted by Symantec experts which is purportedly from Reserve Bank of India(RBI) informs the users that they have been awarded a prize of 4 crore and 70 Lac Indian rupees(US$763,609) as a Diwali celebration promotion.

"Dear Lucky Winner, The Reserve Bank of India(RBI) Governor, Secretary-General of the United Nations met with the Senate Tax committee on Finance RBI Mumbai/Delhi branch. You have been awarded the total sum of 4 Crore, 70 Lac Indian Ruppes in the up-coming diwali celebration promotion " The scam email reads.

The recipients are asked to contact the RBI Regional director by sending email to a given email address to claim their winnings.   Keep in mind, there is no such kind of promotion.

Those who contact the scammers either will be asked to pay certain fees to get the prize money or will be asked to give certain personal/financial information.

Twitter Accounts of Jordana Brewster, Zach Roerig and Pentagram Hacked

@
#Exclusive: Jordana Brewster, a Brazilian-American actress, best known for his role in Fast & Furious Movies, admitted that her twitter account was hijacked by cybercriminals.

According to followers report, the cyber criminals who hijacked the account has posted a spam tweet from her account.  The incident was first reported by Eduard Kovacs at Softpedia.

"please ignore tweets ( except for this one) my account seems to have been hacked" recent tweet from @JordanaBrewster reads.  "all good now".

Jordana Brewster twitter account hacked - Image : E Hacking News


I found she is not the only celebrity who fell victim to the twitter account hijack in this month.

Zach Roerig, an American actor who is best known for roles of Casey Hughes on As the World Turns, admitted that his twitter account was hacked.

"Burn 2 + inches off your waist losing up to 20 lbs of body fat in 28 days with hxxx://tinyurl. com/klwcpwq" The spam tweet reads. 

The recent tweet from @zach_roerig "Once again being hacked sucks" apparently shows that this is not the first time his account being hijacked by cyber criminals.


Zach Roerig twitter account hacked - Image : E Hacking News

The story does not end here, the official twitter account of Pentagram, a design studio that was founded in 1972 , is also got hacked.  Hackers posted the same spam tweet used in the Zach Roerig twitter hack.

"Dear Twitter followers, if you receive a direct message from us, please don't click on the link. We caught something that's going around."  The recent tweet from pentagram reads.

Pentagram official twitter account hacked - Image : E Hacking News

*Update*:
I just found the following twitter accounts also fell victim to the spam attack: Hart Hanson (@HartHanson), @NewsBreaker, Jane Ellison MP(@janeellisonmp).





*Update 2:
Twitter account of Justin Bethel (@Jbet26), an American football cornerback for the Arizona Cardinals of the National Football League, also got hacked and spreading spam tweets.


Update 3:
ESPN Reporter,  Mike Massaro also admitted that his account abused for spreading spam:


ESPN NFC East twitter account (@espn_nfceast ) is unavailable after hackers hijacked the account.

*Update 4:
 Graham DeLaet(@GrahamDeLaet ) ,a Canadian professional golfer who plays on the PGA Tour, also got hacked by the same group. 

Facebook spam abuses Microsoft Translator

We recently investigated the facebook spam that abuses McAfee URL Shortener and Google Translator and published our report.

Today, we have come across a new facbeook spam campaign that abuses Microsoft Translator for redirecting victims to the spammer's site.  I have come across different variants of this spam campaign within last 24 hours.

The list of variants used in this campaign includes the old profile viewer trick " Profile Viewer version 4.6 : Check who views your profile at link in Description".

Facebook profile viewer spam

Facebook SPAMs

Unfortunately, i can't share the screenshots of other variants as it contains adult images.  So , here i am sharing only the description in the SPAM picture:

  • Look what she did after drinking , Video link in description
  • Looks like she enjoyed it, Video link in description
  • They gone too far 
  •  Massive japanise org* sports, Follow the link to watch video
  • Beautiful girl on facebook, click on the link to know about her
  • Got caught making hot video on cam, Video link in description
  • You can't believe she did it in bus,  Follow the link to watch video
  • Got caught in library, Video link in description
  • "She was seduced by her own uncle, find video link in description
All of the spam posts contain a "j.mp" link (url shortener) that redirects the victim to the Microsoft Translator page.  The Microsoft Translator is abused to hide the original spammer website and is used for redirecting to spammers website.

What's worse about these spam campaign is even security researchers fall victim to the spam.  Today, one of my friend fell prey to a post that promising "Free Gift Card to spend at Starbucks!".  So, it is useless to blame a normal users.  I believe they will realize their mistake once they find them-self victim to the attack.

Please share this article with your friends and spread the awareness about facebook spams.

Stay tuned..! I'm starting my investigation on this new campaign ;) This article will be updated if i find anything interesting.

Facebook Spam abuses McAfee URL Shortener and Google Translator


We yesterday got a notification about a new facebook spam from one of EHN's reader.  What's interesting about this new spam is that it abuses the McAfee URL shortener for hiding the malicious URLs.

The spam post contains an adult picture saying "Emma Watson Star of Harry Potter made a sex Tape"  and "Link in the description".


Clicking the link will take the victim to the Google Translator page.  Within few seconds, you will be redirected to another page from translator - The page is hosted in a free hosting service "altervista.org".

As usual, the victims are asked to copy and paste the URL that contains the facebook access token in order to verify your age.

Facebook Access token stealing - Image Credits: E Hacking News


Once you clicked the "Activate" button , it will display a pop-up saying "8 New comments". Clicking the "continue" or next button will take you to a facebook app that asks the users to give permission for accessing your public profile, friend list, email addresses, birthday.

The spammers didn't ask your birthday for not sending birthday wishes :P .  The collected information will be used in future spam or for any other malicious purpose.

Permission to Access personal Information - Image Credits: E Hacking News

In the background, the spam post will be posted in your wall and your groups on behalf of you with the stolen access token. From what i observed, the spam also abuses the alturl, tinyurl, linkee and other url shortening services.

We have already warned you that Facebook is not the right place to watch porn.  Please spread this article and create awareness about the facebook spams.

Update:
We got a notification from one of our users that the same group is posting spam post with Twilight star Kristen Stewart name.

Update 2:
Redirection flow:
Url shortener link-->Google Translator --> fiddle.jshell.net --> plgngl.info -->ngltoken.altervista.org

The whois details of plgngl.info:
  • Registrant Name: Ngl Power
  • Street : Nonteladico 23
  • City : Roma
  • Email address: ngl@live.it

Other Domains registered by the same person:
buzzingcl.info
buzzingam.info
worldwarez.info
2fun4u.info

The 2fun4u.info has a text saying "If you're here maybe you're trying to steal my scripts. If so good luck" with a page title "NGL's viral scripts".

The plgngl.info has also been used in the Rihanna sex tape Facebook spam attak at the starting of this year.

*Update 3 - Tracking the Spammer:
Me and My friend "Janne Ahlberg" investigated the spam and found some interesting stuffs.  Here, I am sharing with you what we have found.

We started our investigation with the Domain Registrant name "Ngl Power". With few hints, we have managed to find the profile of the cyber criminal in one of the Top underground hacking forum.

He is distributing malicious facebook spam scripts to other cyber criminals.  From our investigation, we found that he is doing the distribution of malicious scripts since 2010.  It appears he is the criminal behind several Facebook spam campaigns.



He has provided malicious script for following SPAM campaigns:
  • "RIHANNA'S BIGGEST SCANDAL", 
  • "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
  • "Busty Heart - The woman that can smash things with her br****ts!"
  •  Man accused of trying to hide stolen TV in his pants 
  • Find Your Facebook Stalkers
  • Dad walks in on daughter... EMBARRASING!!! 
  • This is what Happend to his Ex GirlFriend
  • John Cena  died of a head injury
  • Justin Bieber Sex Tape

Janne found one of the thread posted in the forum by another cyber criminal  "kira2503" saying "NGL's money is refunded" with a screenshot where it displays the possible real name of the NGL.



However, what i observed from the thread is that it appears the spammer(NGL) got scammed by a scammer(kira2503). So we can't be sure whether the name provided in the screenshot is true one or not.

Our investigation leads to a "Facecrooks" facebook fan page where they have warned about the facebook spam.

One of the comment posted by user in the page reads "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".

One more user posted a comment "the troll known as angelo's link resolves to a html file on tumblr hxxx://static.tumblr.com/c5apoln/7Prmiktpx/cena.html? 93561071".  Following the Tumblr link leads us to the "hxxx://plgngl.info/tkn".  Yes it is the same domain used in the recent attack.


Following profiles might be associated with the spammer:

YouTube Profile: hxxx://www.youtube.com/user/nglyt2

Spammer's Blogger

Blogger  : hxxx://www.blogger.com/profile/11389969837864256446


Spammer's Twitter account

Twitter :  hxxxx://twitter.com/ngltw

We are still investigating the campaign.  If we find anything interesting, we will update.

Adriana Lima FuckTape! - Another Facebook spam campaign use New Trick

Here we go, E Hacking News have come across a new facebook spam campaign titled "Adriana Lima FuckTape! ".   I became aware of this spam after few Facebook friends got infected by this campaign.

According to Wikipedia, Adriana Lima is a Brazilian model and actress who is best known as a Victoria's Secret Angel since 2000. (Sorry i didn't know about her before Cybercriminals started to use her name :P )

Unfortunately, i can't post the screenshot of the spam post as it contains adult pictures.  "Adriana Lima FuckTape! Watch: hxxx://xxx-videotube.com/"  The spam post reads.

At first, i thought it is real porn website( The name made me to believe and they didn't use any URL-shortners).  So i didn't follow the provided link and asked friends how users are getting infected.  Suddenly , i realized that it is the spam website ;) 

I followed the link and the website invited me with a gif image mimicking an embedded YouTube video player.   The video player displayed an error message saying "Sorry, you must be 18+ to view this video.  Click to verify".

Here comes the interesting part.  CyberCriminals implemented a new method to trick facebook users.

Once you click the image, it will ask you to "Move the favicon out of the box".  I hope you know what will happen when you follow the instructions-  Your account will be compromised.


When you drag the favicon, it actually drags the URL Opened in the small browser(The url contains the facebook access-token).  You are unwittingly handing over the Faecbook access token to the cyber Criminals.  Using the stolen token, they can post from your facebook account.

This new method is quite different from the previous method used by the spammers in recent spam campaign titled "She went inclusively nuts and lost all control of the razor-sharp axe".