Demystify Facebook Scammer


I am sharing this so that others can learn from it and make a backup of the whole code; you are definitely going to need this.

Here we go:
Recently, one of my friends (Sriram Sridharan) gave me a link to decode some content in the source code.

At first, it appeared that he had sent me a malicious link, as it was redirecting me to some site containing censored video.

https://melihatnya.info/r3/?636015245399

Just stop it before it redirects, and view the source code. You will get encrypted JS.

http://pasted.co/a4717bf3
pass:cghc#@bch12


http://pasted.co/fe0851b3
pass:chjdbvhjds@nfj4

So, what’s the actual aim of this redirection? The guy wants me to install a plugin. So I did.

I downloaded the plugin and analyzed it. After reviewing its source code, I got another set of obfuscated JS.

http://www.datafilehost.com/d/44782064

After decoding, I got some external links.
One of them is http://grtval.net/

Finally, I got this link:
http://grtval.net/d/dufile.js

Open this link and you will get obfuscated JS. Decode it.
Partly decoded; only the Facebook requests made by the hijacker.

http://pasted.co/f8250910
pass:fervr347%23
