A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Monday, 9 December 2013

Facebook Badness

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" - surely a new box is cheaper + we'd be here all day tracing them!

However, this one piqued our interest as it is something that could just as well affect a company as an individual. This is pretty much a classic phishing exercise with a bit of social engineering thrown in for good measure. It's quite well executed though, so on with the details..

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):

Alarm bells started ringing; a PM with a generic message along with a URL shortened using "t.co", which is a classic obfuscation technique. The "Facebooky" looking thumbs up adds a certain amount of credibility as it was posted by another family member, surely they can be trusted, right?

Clicking the link kicks off the following chain of redirects (HTML decoded etc. where required for readability):

<script type="text/javascript">document.location.replace("http://www.google.com/url?q=http://t.co/20qvT8PKfD&sa=D&sntz=1&usg=AFQjCNFlU9cKPqawD_L5u72sHqGu1FgV6g");</script>

HTTP/1.1 301 Moved Permanently
location: http://762949.com/d32vc6/?=298528


<meta http-equiv="refresh" content="0; url=http://497554.469673.com/fb254735?A=http://762949.com/d32vc6/?=298528">


HTTP/1.1 301 Moved Permanently
Location: http://497554.469673.com/fb254735/?A=http://762949.com/d32vc6/?=298528

HTTP/1.1 302 Moved Temporarily to /

Wow, OK.. so the following just happened:
  • Facebook link bounced the request to google.com using a JavaScript location.replace
  • Google redirects the page to http://t.co/20qvT8PKfD
  • t.co uses a 301 to move the browser on to 762949.com
  • That in turn uses a refresh metatag to bounce us to 497554.469673.com
  • 469673.com bounces us back to the same page with an HTTP 301 redirect
  • That request then puts up a fake Facebook login page (below)

We can't stress enough how important it is to check the URL (highlighted in neon pink!) before you enter your username and password into a website! If it doesn't say https://www.facebook.com with a valid certificate the chances are it's a scam!
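The chain above can be walked offline from a proxy capture rather than by clicking through it. The following is an added example, not code from the original post: it pulls the next hop out of each of the three redirect mechanisms seen here (Location header, meta refresh, JavaScript location.replace), unwraps the google.com/url?q= wrapper, and applies the URL-bar check to the final page. The function names and the CAPTURED list are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the four redirect responses quoted in the post, one string per hop.
CAPTURED = [
    '<script type="text/javascript">document.location.replace("http://www.google.com/url'
    '?q=http://t.co/20qvT8PKfD&sa=D&sntz=1&usg=AFQjCNFlU9cKPqawD_L5u72sHqGu1FgV6g");</script>',
    "HTTP/1.1 301 Moved Permanently\r\nlocation: http://762949.com/d32vc6/?=298528\r\n\r\n",
    '<meta http-equiv="refresh" content="0; url=http://497554.469673.com/fb254735'
    '?A=http://762949.com/d32vc6/?=298528">',
    "HTTP/1.1 301 Moved Permanently\r\nLocation: http://497554.469673.com/fb254735/"
    "?A=http://762949.com/d32vc6/?=298528\r\n\r\n",
]

# One pattern per redirect mechanism seen in the chain.
PATTERNS = [
    ("http-header", re.compile(r"^location:\s*(\S+)", re.I | re.M)),
    ("meta-refresh", re.compile(r"http-equiv=[\"']?refresh[\"']?[^>]*?url=([^\"'>\s]+)", re.I)),
    ("javascript", re.compile(r"location(?:\.href\s*=|\.replace\()\s*[\"']([^\"']+)", re.I)),
]

def unwrap(url):
    """google.com/url?q=... carries the real target in the q parameter."""
    parts = urlsplit(url)
    if parts.hostname in ("google.com", "www.google.com") and parts.path == "/url":
        return parse_qs(parts.query).get("q", [url])[0]
    return url

def trace(responses):
    """Return [(mechanism, host, url)] for every response that redirects."""
    hops = []
    for body in responses:
        for mechanism, pattern in PATTERNS:
            match = pattern.search(body)
            if match:
                url = unwrap(match.group(1))
                hops.append((mechanism, urlsplit(url).hostname, url))
                break
    return hops

def is_facebook_login(url):
    """URL-bar check from the post: https and a facebook.com host.
    Certificate validity is left to the browser/TLS stack and is not checked here."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == "facebook.com" or host.endswith(".facebook.com"))

if __name__ == "__main__":
    for mechanism, host, url in trace(CAPTURED):
        print(f"{mechanism:12} {host:20} {url}")
    print(is_facebook_login("http://497554.469673.com/fb254735/index.php"))
```

The host comparison is an exact match or a ".facebook.com" suffix, so a look-alike such as www.facebook.com.358755.com fails the check as well.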

Anyway.. typing fake creds into that login page kicks off a POST request to 358755.com:

POST /959898/login.php?login_attempt=1 HTTP/1.1
Host: 358755.com
Referer: http://497554.469673.com/fb254735/index.php

This then responds with a 302 "Moved Temporarily" to blogspot.com and displays a random photo of what looks like some happy students on a trip to Paris:

If that picture is displayed, the bad guys now have your Facebook credentials which they can use to post on your wall or send private messages to your contact list which then starts the process over again.

If you use the same email address and password on other websites such as Google or Hotmail the attacker can have a field day using your information to spam out other malware or phishing sites to your contacts!

Needless to say, if the credentials are the same as you use for work and VPN access is gained, the consequences could be disastrous! Your company uses 2FA for accessing its network, doesn't it..?

If you've seen this picture of a happy bunch of kids in the past few weeks you may want to think about changing your password ASAP!

