Who needs exploits when you have social engineering?

Published: 2010-04-29
Last Updated: 2010-04-29 14:51:19 UTC
by Bojan Zdrnja (Version: 2)
5 comment(s)

For the last couple of years we have all been witnessing a huge rise in the number of social engineering attacks. Rogue/fake anti-virus programs (see my old diary at http://isc.sans.org/diary.html?storyid=7144) are just one example of such very successful social engineering attacks.

About a week ago a friend of mine e-mailed me about a very suspicious Fan page on Facebook. Since Facebook is so popular, it is not surprising that the bad guys are crafting new attacks that use or abuse various Facebook interfaces (while we're on that, Facebook has an excellent security team that not only deals quickly with new attacks/abuses but also maintains a nice, informative web page at http://www.facebook.com/security, which I encourage everyone to check).

Anyway, this suspicious Fan page promised to reveal "The Truth" about text messaging, as you can see in the picture below:

Facebook fan page
So the user is asked to become a fan. Once that is done, a special screen is revealed that contains a bunch of obfuscated JavaScript, and the user is asked to copy&paste it into the browser's address bar! You can probably guess what the encoded JavaScript does. Below you can see two (shortened) screenshots – one with the original, obfuscated JavaScript and one with the final, deobfuscated JavaScript:

Obfuscated JavaScript

Deobfuscated JavaScript:

Deobfuscated JavaScript

This is what the attackers do:

- first they modify the FB application's HTML (the Truth fan page that the user added),
- then they select all contacts (the setTimeout fs[select_all()] call, which is executed after 3 seconds),
- then they invite all of the user's friends to the group,
- finally they display the text in that application.
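
The deobfuscation shown in the screenshots can be done statically, without executing anything. The following is an added example (not code from the diary, from Facebook or from the attackers) that peels the unescape and String.fromCharCode layers off a constructed sample and flags the indicators a platform content filter or analyst would look for; the sample payload, function names and flag names are this example's own assumptions.

```javascript
// Added example, not code from the diary or from Facebook: statically decode
// and triage a "paste this into your address bar" payload without running it.
// SAMPLE_PAYLOAD is constructed here; it only decodes to the harmless
// alert("test") check the diary itself suggests.
const SAMPLE_PAYLOAD =
  "javascript:eval(String.fromCharCode(97,108,101,114,116)+unescape('%28%22test%22%29'));void(0)";

// Replace String.fromCharCode(97,108,...) with the string literal it builds.
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
    JSON.stringify(
      list.split(",").filter((n) => n.trim())
          .map((n) => String.fromCharCode(parseInt(n, 10))).join("")));
}

// Replace unescape('%xx%uXXXX...') with the string literal it builds, using
// legacy unescape semantics (one char per %xx, one UTF-16 unit per %uXXXX).
function decodeUnescape(src) {
  return src.replace(/unescape\((['"])([^'"]*)\1\)/g, (_, q, body) => {
    const text = body
      .replace(/%u([0-9a-fA-F]{4})/g, (m, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-fA-F]{2})/g, (m, h) => String.fromCharCode(parseInt(h, 16)));
    return JSON.stringify(text);
  });
}

// Strip the javascript: scheme and peel encoding layers until nothing changes.
function deobfuscate(payload) {
  let cur = payload.replace(/^\s*javascript:/i, "");
  for (let prev = null; prev !== cur; ) {
    prev = cur;
    cur = decodeUnescape(decodeFromCharCode(cur));
  }
  return cur;
}

// Indicators a platform content filter or an analyst would flag in text that
// asks users to paste it into the address bar.
function triage(payload) {
  const decoded = deobfuscate(payload);
  const flags = [];
  if (/^\s*javascript:/i.test(payload)) flags.push("javascript-scheme");
  if (/\beval\s*\(/.test(payload)) flags.push("eval");
  if (/unescape\(|String\.fromCharCode\(/.test(payload)) flags.push("encoded-strings");
  if (/\bsetTimeout\s*\(/.test(decoded)) flags.push("delayed-execution");
  return { decoded, flags, suspicious: flags.length >= 2 };
}

console.log(triage(SAMPLE_PAYLOAD));
```

Real payloads nest more layers (the diary's screenshots show a longer chain), which is why the decoding loop repeats until a pass changes nothing.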

Luckily the final web page, at least when I checked it, didn't contain any malicious code, so the attackers' goal was probably to create some kind of viral-looking code – similar to clickjacking, but in this case they relied on social engineering and on users actually copying their code into the browser.

While I was testing this, I noticed that the javascript: command in the browser's address bar works only in Mozilla Firefox and Google Chrome (you can easily test this by typing javascript:alert("test") into the address bar), so the attack didn't work for Internet Explorer users (is that a first ;-). (it wasn't :)

UPDATE: Thanks to all readers who sent an e-mail and those that posted the comments below - Giorgio was right; I had tested it in a blank tab in IE, and it works without any problems on a page. Now that I think about this attack, it makes it even scarier, since the web page had about 100.000+ fans before it got shut down by Facebook!

As this and many other attacks show, social engineering can go a long way, which again reminds us that we must not ignore security awareness.

--
Bojan
INFIGO IS
