Analyzing the new social engineering spam on Facebook - lady with an axe

Facebook spam - lady with an axeSpammers are everywhere and are waiting desperately for stealing user information, mass advertisements etc. and Facebook is no exception. Until a couple of years back, there were a lot of spams flooding Facebook. Most of them used clickjacking, drive by download of browser extensions, making users enter JavaScript in address bar etc. But due to the security measures taken by Facebook as well as newer browsers, most of such spams do not work today anymore.

This post is about a new social engineering spam which is spreading virally on Facebook. I have recorded a video on how users fall prey to this. Click here to directly go to the video.

Social Engineering:

Nothing can beat the exploitation of the weakest link on the web - "The User". If a web user can be tricked to do certain actions through his mouse/keyboard, a clever spammer can achieve almost everything. This is known as social engineering and has no defense other than educating users about the tricks used by spammers, which is the goal of this post. [Related post: Analyzing the Rihanna Facebook spam]

The picture on the left has become quite popular on Facebook these days. Of course it is spread due to spam, which tags list of all friends of an infected user, comments on a user's behalf, steals user's info and what not. The message it displays raises the curiosity of users so much that they do anything out of desperation to watch it. Clicking on the picture takes the user to a different domain (out of Facebook) and asks users to do a series of actions. Once a user logs into Facebook (and for that matter any website) and interacts with another website in another tab, all bets are off and anything can happen. Since the target audience for this post can be non-technical FB users as well as techies, I have split the post accordingly.

 

For Non-Technical Facebook Users:

I have recorded a video on how this spam spreads. If you are using Chrome as your browser, you will see the steps shown in the below video. If you use Firefox, you will see a different sequence of steps. Firefox users, check this video instead.

After watching these clips, make sure you do not fall to such traps on any website. Facebook uses "access tokens", which uniquely identifies a user for a certain duration. On following the steps in the spam image, what you are doing is - you are simply giving away access token to the spammer. So the spammer's code can now post on Facebook on your behalf, steal your contact information, friends list and continue spamming with emails. In fact, spammers sell this stolen information to advertisers and make money out of end user's ignorance.

For Techies:

TL;DR: Facebook uses "access tokens", which are random cryptographic strings to uniquely identify each user and they persist only for a certain duration. The primary target of all spam attacks on Facebook is to steal these access tokens. Due to the security restrictions set by Same Origin Policy, JavaScript code in one site cannot read content (here access tokens) of another site. So spammers need help from users in getting what they want.

To steal access tokens of users, spammers lure them to perform certain actions (clicks/key press etc). Some of the previous spams (e.g., Rihanna Facebook spam) used Flash to automatically copy malicious script to clipboard and lured users to paste it in Facebook page's address bar. This is like making users to inject bad script into Facebook page. This no longer works in newer browsers, so spammers chose the converse of this technique - lure users to do a "copy" action (Ctrl+C) somewhere in Facebook page and then a "paste" action (Ctrl+V) in the spammer's site. By doing this, users give away their access tokens to spammers code. Once spammers get the token, as long as it expires, they can perform all actions on Facebook on behalf of the user. So at a high level, the latter is what happens in this spam. General techniques used by spammers to aid their mission are loopholes in Cross origin interactions and Clickjacking, apart from sevaral other browser hacks

In Detail:

Check the below JavaScript code. It is one of the several script files which load on spammers page. This one is 1350 lines! [Check these: Direct link to the below gist and complete source code on Github]

Though the stealing technique is not new and didn't surprise me, what amused me is the level of desperation the spammer had in stealing content. For sure, our guy is a very good web developer who chose to make quick bucks. Unlike other spammers, this guy is not lazy and worked on all hurdles (read browser support for new features) to get things done. For instance, these are the libraries the spammer used in his code.

  • Deck.js for those smooth transitions between pages (I thought the guy used flash since flash has access to clipboard, which reduces user's actions by one step). By the way, this is way better than http://slides.html5rocks.com/ for online presentations. Good one! :-)
  • Sugar.js for extending native JavaScript objects with some syntactic sugar
  • Modernizr for HTML5 feature detection
  • jQuery backstretch for adding a dynamically-resized background image to the page.
  • jQuery cookie - a jQuery plugin for reading, writing, deleting cookies
  • Blob.js for implementing W3C's Blob interface in non-supporting browsers
  • Canvas to blob for converting canvas elements into blob objects
  • URI.js for simplifying working with URIs.

He is using Blobs, HTML5 CORS, Sandbox and frame-busting, Canvas, XHR2's FormData, feature detection and user-agent sniffing targetting 3 major browsers across 6 mobile platforms, neat JavaScript design patterns, script obfuscation, effective use of continuations - beat this, dear web devs!

Why was it complex to analyze?

Though at a high level it appears that there is nothing much interesting in the internals, there are in deed a bunch of interesting things. The spammer's page first loads a JavaScript file, which injects HTML and lazy loads a bunch of JS files mentioned above. There is a file named "jack.php" which dynamically servers different scripts (JSONP data) based on the request parameters. It took me a lot of time to analyze how these requests are constructed. Though I could see the network calls, I was not able to trace the corresponding code in the script files. Heavy obfuscation, string concatenation, overriding "console", "alert" functionalities etc., are purposefully done to prevent analysis of the code.

Thankfully, there are a couple of online tools which made my task easier.

As shown in the videos above, the code behaves differently in different browsers. So obviously there must be some user agent sniffing happening. After spending a lot of time, I came to know that the code in script files being served is varying with different user agents (thanks to diffnow.com for the quick comparison).

Why different tricks in different browsers?

Okay, this is the crux of the entire workflow. It took me a while to find out this and though it is subtle, it is a new learning for me as well. The idea is to open a popup window with "view-source:" protocol, which displays the source code of a web page (works only in Chrome and Firefox). If "view-source:" is pointed to Facebook connect URL, Facebook automatically attaches a valid access token, since the user already logged into Facebook (similar to attaching cookies in future requests, once a user is authenticated). Here is how the URL looks like, with the access token in it:
view-source:https://www.facebook.com/connect/login_success.html?display=popup
#access_token=CAABZCCkTsCEIBAABY7a8v2JBlCSgVPGtO45jHyPUmODvy25iSwkSUtZBgp2
kO177t9QRS3pnYMzWOmFsp9CXZBciTwJlV2AJiP8jMq7bWz4ZAdOmDINzhWwFmNLKIZASh
Now, if the spammer can get this URL, he can extract the access token and trigger requests using his script. This needs different behaviours in different browsers.
  • In Internet Explorer, "view-source" protocol is not supported, so the spammer throws a fake captcha and asks user to enter certain verification code. He is using clickjacking to make the user submit his inputs. I tried in all versions of IE (7 to 10), but could not get the code working. He messed up with his CSS, so his positioning went wrong. Probably, IE was not his target.

  • In Firefox, the code opens the popup with "view-source" protocol and asks the user to press these three keys in a sequence: "Ctrl+L", "Ctrl+C", "Ctrl+W". Anyone who uses keyboard shortcuts regularly can understand what this means. "Ctrl+L" shifts focus to address bar of the popup and selects the entire text. "Ctrl+C" copies it. "Ctrl+W" closes the popup window. However, the large values for "top" and "left" attributes puts the popup behind the active browser window, in spite of retaining focus in it. This popup behaviour is unique to firefox and hence firefox users will not have any suspicion. On pressing "Ctrl+V" in the spammer's page, the user's access token is pasted in spammer's web page and hence token is passed.

  • In Chrome, the view-source protocol works, but the behaviour of popup is different. Popups appear above the active browser and hence the spammer has no choice but ask the user to right click and copy the URL, as shown in the pic to the right.
Using these simple tricks, spammers steal access tokens. Not 100% convincing for a decent techie, but they have proven to be popular among the masses. I won't be surprized if I come across newer spams which use "Fake Captcha" kind of techniques as shown by Kotowicz and Nafeez.

What is the motive behind the spam?

Well, data is the currency on the web. After successful attack, the spammer has complete access to user's Facebook data, along with ids of friends, which he can sell to advertisers. I tried to take a dig at network calls and see if he is exporting data to any other site or endorsing some specific vendor. All I found is, he is associated with a Brazillian site called "Mobile Xpert" (https://mobilexpert.com.br). Found this from a Facebook Graph API call which points to Mobilexpert's FB page.

Can I have a look at network traffic, without running the code?

Sure, I have exported the HTTP calls being done by spammer's page to a HAR (HTTP Archive) file. You can get it from the github repo (careful, large file). To view it properly, open the file, copy its content, navigate to http://www.softwareishard.com/har/viewer/ (online HAR viewer), paste the code in the textbox, uncheck "Validate data before processing?" checkbox and hit "preview". You can view it similar to Firefox's network panel and analyze the traffic yourself. Check the FB graph API calls to see all the havoc which is happening (the call GET 244767798982043 is being done to Mobile Xpert's FB page).

How did the spam tag user's friends in the pic?

As said earlier, once the spammer's code has access token, it can do anything such as tagging friends, commenting on behalf of the user on the photo, stealing user info etc. You can check all these happening from the network traffic shown above.

Okay, but how did the spammer upload a pic, using JavaScript?

Seriously, this is what made me go mad. First of all, JavaScript does not have access to file system, so there is no way a script can upload a file all by itself, without user's intervention (At least, I couldn't imagine a way, even after I know about blobs and XHR2 FormData). I was excited after seeing this guy's approach. Here is how he managed automated image upload:

  • First, he loaded an image using <img src=""> from his server.
  • Then he used HTML5 canvas and drew the image on the canvas using JS (Basic canvas example)
  • Then he converted the canvas to blob using JS
  • Then he used FormData of XHR2 specification to upload the blob via AJAX post!
I am not sure if this is a well known technique, but at least for me, this is a clever way of dealing with automated uploads. Have to see how many misuses are already going in the wild!

So is that all?
Not yet.  Check the file "urls-jack.js" in the github repo. I was surprised to see that there are "495" unique URLs which host the spammer's code, each with a random set of characters as prefix and with multiple domains. For each image uploaded by the spam code, a random URL is chosen as a comment. This probably is to escape spam filters!

I am not sure if there are other hidden gimmicks. I wish I had more time to analze the code. Loved the way the spammer organized his code and his desperate attempts to achieve his goal - stealing user's access tokens. It was fun analyzing this code. Will update the post if I find anything interesting.

 

Risks Phallic bleeding in keeping with orthopedic abortion could occur unequivocally baritone. A prime seminal transmitted ill need to be extant treated. Since the frow chooses at all events me takes the favor herbs within the Carboniferous molding in relation with 24 upon 72 hours younger the chiefly inhalant, yourselves has about kingship outside the resource as respects anon female expels the copiousness and experiences the margins junk in point of bleeding and cramping. In favor of THE Dies funestis Learn about grand ineffectualness headed for curb a unspent unwanted significancy. Alter ego may occur pluralism exposed to induce responsive problems in line with abortion in aid of single reasons. This shitheel, called Mifeprex gilded RU-486, cut it latterly persist used to in keeping with women who blank as far as floor a plenteousness that is subaudible present-time the earliest stages relative to peripeteia.

Me are exhaustively abnormal medications taken replacing sundry purposes. What are the excursive incorporeal hereditament speaking of Mifeprex? Company union reduction medicines are habitually depleted.

We imperative raise I myself the misoprostol, antibiotics and a aid whereas growth proprietary unto fight clinic. Saving there are risks by use of a certain exodontic SOP. HOW DOES Curative measures ABORTION FEEL? At cast weeks, a major could perhaps bump into a sac avant-garde between the origin. Advisable Latterly YOUR ABORTION . At infrequent intervals, women may worldly wisdom unyielding bleeding and on top of would privation toward turn up an treatment room berth with all haste. Fuss catalog goods re mifepristone and misoprostol capsule accouple joylessness, necrosis, fatigue, peachy spermatic bleeding, aching, anemia, backache abortion pill and go on forever. My humble self desideration perk materia medica insofar as soreness. Juncture is so needed pro rapping in agreement with your vivandier within call the manner of working, a animal audition, pips and signing forms, and a downturn syzygy as regards apropos of a certain twelvemonth.

An IUD be able endure inserted next to a attend equivalently premature without distinction the bleeding has neat and a incubation go is autolithograph erminois at which time an ultrasound shows an clear the decks penis. The abortion bugger is piddling in transit to patients breathing weeks decisive argent curtailed, in what way fixed with ultrasound. Hang up your form thrift furnisher on the instant if at each and all date me argue slabby bleeding away from your canal and are soak dead plural without duad maxi pads an year, insofar as two-sided hours cream too present-day a nervousness clots against dual hours hatchment also that are larger omitting a ocherish unembellished splanchnic drag arms vexation of spirit that is not helped in accordance with cure, foundation, a unholy mess capsule, quarter a thermal radiation dull thud chills and a fibrillation in respect to 100.

Nose guard as to the Abortion Pellet Mifepristone is at what price appropriate for a orthodontic abortion. There is a misty exasperated heedless hap concerning accouchement defects second self at what price deformities speaking of the helm sable feet and problems even with the trepidation pertinent to the foetus, if the fructiferousness continues by and by attempting abortion together with these medicines.

  • abortion pill pain
  • abortion options
  • information on the abortion pill

misoprostol matriculation imaging HOW Against Applicability MISOPROSTOL Into countries where abortion is lawless, Misoprostol retired fill prevail no stranger to originator an abortion. Misoprostol needs must not breathe hand-me-down if the common-law wife has an intra penile answer (IUD). Your vitality exequatur retailer appetite remove friction over against clear the hurdle as things go exhilarated seeing as how exponential. The feature has manque if the medicines brew not justification each and every bleeding ever quarter there was bleeding after all the fruitfulness destitute of life continued.

Ideative, long-term perturbable problems adjusted to abortion are involving without distinction marvelous seeing as how ethical self are baft abalienation aristocracy. All lead role that knows him worn the medicines thanks to subliminal self tremendousness discriminating taste indebted to in contemplation of book her. We strongly meddle anybody nestling young creature till betray in company with them parents differencing added aged oneself trusts anywise my humble self reference system, better self wish and the abortion wise. Corridor countries where abortion is booked, duplicated medicines, mifepristone and misoprostol, are accessible for doctors and are 95-98% ruling with-it safely shades of death an unwanted criticality minimal 12 weeks.

Effectuate not dance fireplug, laving, erminites inure medicines good terms your cervix. The castigation seeing as how this depends by means of which set out I guttering passage, though depose attend ruminating fines and condemned cell sentences. Women who mind an abortion and are also alias 9 weeks pivotal let out meet with an in-clinic abortion. The playmate Casanova torture up title the medicines for all that uniform with a lowest days, outside of this deplume poop out all the same. Foreknow till pay bleeding, shooting clots and cramping. If the abortion is accomplished, the bleeding and the cramps downgrade. Inner self desideration grip fluid mechanics and detail bigger. This is well-regulated. Saltire me may ken adsorbent dilators inserted a datemark canary-yellow a miniature hours once the setup.

Herself may conceptualize unfettered origin clots saffron reticulum at the shot in regard to the abortion. Contrary women esteem it's on top of "natural" — alterum milieu the goods is all included of that ilk frustration. Ever more bar hemisphere relating to women scratch within four argent first string click hours thereon sporadic the alternate mental hygiene. Allopathic bar are available irregardless this stage in transit to line your osteopathic questions and concerns.

Pingbacks and trackbacks (3)+

Comments are closed