Facebook scammers go back to using JavaScript

As users become accustomed to ignoring one particular scam approach, and as Facebook becomes more adept at spotting and blocking the rogue applications, the copy/paste script scam is making a comeback.

The most popular lure used by these scammers is the undying “See who viewed your profile” offer. The landing page may be hosted on Facebook or on another domain, and it asks the user to copy some JavaScript into the browser address bar and press “Enter.” Once the directions are executed, the user is asked to fill out a survey in order to finally get the results. In the meantime, the JavaScript does its job.

“Depending on the configurations of the attacker, the script will post a new bait message to the user’s wall, send chat messages to friends, tag you in post messages or images, or even create an event and send an invitation to all your friends,” Symantec explains. “Of course as always the attack is easily configurable through a toolkit. Since the script runs in the context of Facebook and uses your open session it can do a lot with your profile, it can do nearly everything you could do yourself.”
Source: http://www.net-security.org/secworld.php?id=10987
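
The scam depends on the pasted text being interpreted as a `javascript:` URL inside the logged-in page. As an added example (not from the article or from Symantec), the sketch below shows how an address-bar-like input field could detect that scheme in pasted text and strip it, including case and whitespace obfuscation; the function names and sample strings are constructed for illustration.

```javascript
// Added example: detect and neutralize a "javascript:" scheme in pasted text.
// Function names and inputs are hypothetical, not taken from any browser.

// Mimic URL-parser pre-processing: drop leading/trailing C0 controls and
// spaces, then remove every tab and newline anywhere in the string.
function preprocess(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased URL scheme of the input, or null if it has none.
function schemeOf(text) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(preprocess(text));
  return m ? m[1].toLowerCase() : null;
}

// Strip every leading "javascript:" prefix so the remainder is handled as
// plain text (for example a search query) and never evaluated as script.
function neutralizePaste(text) {
  let out = preprocess(text);
  let stripped = 0;
  while (schemeOf(out) === "javascript") {
    out = out.slice(out.indexOf(":") + 1).replace(/^[\u0000-\u0020]+/, "");
    stripped++;
  }
  return { text: out, stripped };
}

// Constructed samples with a harmless body (void(0)).
const samples = [
  "javascript:void(0)",
  "  JaVa\tScRiPt:void(0)",            // mixed case, embedded tab
  "javascript: javascript:void(0)",    // doubled prefix
  "https://www.facebook.com/",
];
for (const s of samples) {
  const r = neutralizePaste(s);
  console.log(JSON.stringify(s), "->", r.stripped > 0 ? "BLOCKED" : "ok", r.text);
}
```

The loop matters: removing the prefix only once would leave a doubled `javascript:javascript:` paste still executable.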