Clickjacking Vulnerability Spamming the User’s Facebook Wall


A Polish Security Researcher who works under the name of Lasq, found a malevolent spam campaign that spams the users' Facebook wall by exploiting the vulnerability. The said vulnerability came into his notice after he saw it repeatedly being abused by a Facebook spammer group.

The vulnerability as indicated by Lasq is known to reside in the mobile version of the Facebook for the most part through popups while the desktop version stays unaffected.

The link that is the root of all the spamming gives off an impression of being facilitated in an Amazon Web Services (AWS) bucket and diverts the user to a comic website, after they are requested to confirm their ages in French. In any case, even after the user has tapped on the link and done whatever it requested, it was still found to show up on the user's Facebook wall.

At the point when Lasq researched about this issue he found that the spammers were utilizing codes to abuse the IFrame component of Facebook's mobile sharing dialog. He tested for it then with the popular browsers, like the Chrome, Chromium, Edge, IE, Firefox and every other program which displayed X-Edge-Options error and thusly published a blog post with the technical subtleties. He suspected clickjacking.

Later he gathered that because Facebook had disregarded the X-Edge-Options header for the mobile sharing discourse, the "age verification" popup which displayed prior, skirted Facebook's system.


Lasq reached out to Facebook, yet shockingly they declined to fix the issue contending that it is operating in as intended and the case has been closed within 12 hours from an underlying report and clickjacking is an issue just when an attacker some way or another alters the state of the users' account.

On being reached by ZDNet, Facebook essentially stressed on the part that they are consistently enhancing their "clickjacking detection systems" to forestall spam.


Facebook spam abuses Microsoft Translator

We recently investigated the facebook spam that abuses McAfee URL Shortener and Google Translator and published our report.

Today, we have come across a new facbeook spam campaign that abuses Microsoft Translator for redirecting victims to the spammer's site.  I have come across different variants of this spam campaign within last 24 hours.

The list of variants used in this campaign includes the old profile viewer trick " Profile Viewer version 4.6 : Check who views your profile at link in Description".

Facebook profile viewer spam

Facebook SPAMs

Unfortunately, i can't share the screenshots of other variants as it contains adult images.  So , here i am sharing only the description in the SPAM picture:

  • Look what she did after drinking , Video link in description
  • Looks like she enjoyed it, Video link in description
  • They gone too far 
  •  Massive japanise org* sports, Follow the link to watch video
  • Beautiful girl on facebook, click on the link to know about her
  • Got caught making hot video on cam, Video link in description
  • You can't believe she did it in bus,  Follow the link to watch video
  • Got caught in library, Video link in description
  • "She was seduced by her own uncle, find video link in description
All of the spam posts contain a "j.mp" link (url shortener) that redirects the victim to the Microsoft Translator page.  The Microsoft Translator is abused to hide the original spammer website and is used for redirecting to spammers website.

What's worse about these spam campaign is even security researchers fall victim to the spam.  Today, one of my friend fell prey to a post that promising "Free Gift Card to spend at Starbucks!".  So, it is useless to blame a normal users.  I believe they will realize their mistake once they find them-self victim to the attack.

Please share this article with your friends and spread the awareness about facebook spams.

Stay tuned..! I'm starting my investigation on this new campaign ;) This article will be updated if i find anything interesting.

Adriana Lima FuckTape! - Another Facebook spam campaign use New Trick

Here we go, E Hacking News have come across a new facebook spam campaign titled "Adriana Lima FuckTape! ".   I became aware of this spam after few Facebook friends got infected by this campaign.

According to Wikipedia, Adriana Lima is a Brazilian model and actress who is best known as a Victoria's Secret Angel since 2000. (Sorry i didn't know about her before Cybercriminals started to use her name :P )

Unfortunately, i can't post the screenshot of the spam post as it contains adult pictures.  "Adriana Lima FuckTape! Watch: hxxx://xxx-videotube.com/"  The spam post reads.

At first, i thought it is real porn website( The name made me to believe and they didn't use any URL-shortners).  So i didn't follow the provided link and asked friends how users are getting infected.  Suddenly , i realized that it is the spam website ;) 

I followed the link and the website invited me with a gif image mimicking an embedded YouTube video player.   The video player displayed an error message saying "Sorry, you must be 18+ to view this video.  Click to verify".

Here comes the interesting part.  CyberCriminals implemented a new method to trick facebook users.

Once you click the image, it will ask you to "Move the favicon out of the box".  I hope you know what will happen when you follow the instructions-  Your account will be compromised.


When you drag the favicon, it actually drags the URL Opened in the small browser(The url contains the facebook access-token).  You are unwittingly handing over the Faecbook access token to the cyber Criminals.  Using the stolen token, they can post from your facebook account.

This new method is quite different from the previous method used by the spammers in recent spam campaign titled "She went inclusively nuts and lost all control of the razor-sharp axe".