A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Monday, 9 December 2013

Facebook Badness

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" - surely a new box is cheaper + we'd be here all day tracing them!

However, this one peaked our interest as it is something that could just as well affect a company as an individual. This is pretty much a classic phishing exercise with a bit of social engineering thrown in for good measure, it's quite well executed though so on with the details..

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):


Alarm bells started ringing; a PM with a generic message along with a URL shortened using "t.co" which is a classic obfuscation technique.  The "Facebooky" looking thumbs up adds a certain amount of credibility as it was posted by another family member, surely they can be trusted, right?


Clicking the link kicks off the following chain of redirects (HTML decoded etc. where required for readability):

Request
https://www.facebook.com/l/aAQFMeQJkAQHp4S17_anmFlPzVzNCkn2mlTAo8p_68wi5gQ/t.co/MMFgqETmVM
Response
<script type="text/javascript">document.location.replace("http://www.google.com/url?q=http://t.co/20qvT8PKfD&sa=D&sntz=1&usg=AFQjCNFlU9cKPqawD_L5u72sHqGu1FgV6g");</script>


Request
http://www.google.com/url?q=http://t.co/20qvT8PKfD
Response
HTTP/1.1 301 Moved Permanently
location: http://762949.com/d32vc6/?=298528


Request
http://762949.com/d32vc6/?=298528

Response
<meta http-equiv="refresh" content="0; url=http://497554.469673.com/fb254735?A=http://762949.com/d32vc6/?=298528">


Request
http://497554.469673.com/fb254735?A=http://762949.com/d32vc6/?=298528

Response
HTTP/1.1 301 Moved Permanently
Location: http://497554.469673.com/fb254735/?A=http://762949.com/d32vc6/?=298528


Request
http://497554.469673.com/fb254735/?A=http://762949.com/d32vc6/?=298528
Response
HTTP/1.1 302 Moved Temporarily to /



Wow, OK.. so the following just happened:
  • Facebook link bounced the request to google.com using a JavaScript location.replace
  • Google redirects the page to http://t.co/20qvT8PKfD
  • t.co uses a 301 to move the browser on to 762949.com
  • That in turn uses a refresh metatag to bounce us to 497554.469673.com
  • 469673.com bounces us back to the same page with an HTTP 301 redirect
  • That request then puts up a fake Facebook login page (below)


We can't stress enough how important it is to check the URL (highlighted in neon pink!) before you enter your username and password into a website! If it doesn't say https://www.facebook.com with a valid certificate the chances are it's a scam!

Anyway.. typing fake creds into that login page kicks off a post request to 358755.com:

POST /959898/login.php?login_attempt=1 HTTP/1.1
Host: 358755.com
Referer: http://497554.469673.com/fb254735/index.php


This then responds with a 302 "Moved Temporarily" to blogspot.com and displays a random photo of what looks like some happy students on a trip to Paris:


If that picture is displayed, the bad guys now have your Facebook credentials which they can use to post on your wall or send private messages to your contact list which then starts the process over again.

If you use the same email address and password on other websites such as Google or Hotmail the attacker can have a field day using your information to spam out other malware or phishing sites to your contacts!

Needless to say, if the credentials are the same as you use for work and VPN access is gained the consequences could be disastrous! Your company uses 2FA for accessing their network don't they..?

If you've seen this picture of a happy bunch of kids in the past few weeks you may want to think about changing your password ASAP!

No comments:

Post a Comment