How Facebook Likejacking Can Be Used To Trigger Malicious Scripts.

Facebook likejacking is a form of clickjacking in which a user clicks a hidden Like button, which shares a link with the user’s friends without the user’s knowledge.

Although Facebook has reduced likejacking incidents, there has recently been a rise in likejacking scams, so I decided to write a post explaining how these scams work. I’ve also written a post about malicious Facebook browser extensions, which can be found on my old blog.

I’m not going to explain what clickjacking and likejacking are; I’m going to show how likejacking works and how it can be used to trigger a malicious script once the Like button is clicked.

A typical clickjacking scam page is usually designed to look like a YouTube page, a Facebook page or a video frame, to trick the user into thinking it’s a legitimate website, although it can come in any form. The bottom line is that the website is designed to trick users.

So I went to the clickjacking website mentioned in the Naked Security blog post and saved its code. You can find the HTML code of the website here: http://nopaste.me/paste/14304159654fdd8bd82d01c

Basically it’s a simple website made to look like a video frame: plain HTML with some JavaScript. If you read the code from the top, the first thing you’ll see is the Open Graph meta tags.


<meta property="og:title" content="[VIDEO] Snake Eats MAN!"/>
<meta property="og:site_name" content="[VIDEO] Snake Eats MAN" />
<meta property="og:image" content="http://s15.postimage.org/5ybac4awr/snake_eats_man.jpg" />
<meta property="og:description" content="CAUGHT ON TAPE- A Giant Snake Swallows Up A Zookeeper in Front of Hundreds of People!" />
<meta property="og:type" content="website" />
<meta property="fb:admins" content="38305883" />

These Open Graph meta tags let an attacker control the picture, title and description of the post that appears on the victim’s Facebook timeline, irrespective of the actual content of the website.

Then comes the Like button code, which is a bit different on this webpage; usually it’s the standard Like button code (the original post showed it as a screenshot).

However, there is a small modification: the Like button is hidden with a small CSS trick, so the user won’t know that he’s clicking a Like button.


div.transbox
  {
  opacity:0;
  filter:alpha(opacity=0); /* For IE8 and earlier */
  }

The hidden Like button iframe code, and the way it is used on this website, were shown as screenshots in the original post.

With the help of a few more CSS tricks, the hidden Like button can be placed near a fake play button image, so that when the play button is clicked the user actually clicks the hidden Like button and, without knowing it, shares the post on his timeline.

Up to here it’s pretty simple stuff. However, there is a small function called “FB.Event.subscribe” that lets a page register a callback for a Facebook event, and a malicious page can use it to trigger a script once the Like button is clicked. Most scammers use this to load a survey that earns them money. However, it can also be used to trigger malicious JavaScript once the Like button is clicked, even if the Like button is not hidden.

In this likejacking scam it’s used like this:

<script charset="utf-8" type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
        window.location = window.money_page;
});
</script>

However, an attacker can modify the script to look like this, which will load malicious JavaScript once the Like button is clicked, and the victim will not suspect anything.

<script charset="utf-8" type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
 //EVIL SCRIPT HERE
 //REDIRECT PAGE
 //MALWARE DOWNLOAD
});
</script>
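The two building blocks described above, a Like plugin iframe made fully transparent with CSS and an FB.Event.subscribe('edge.create') handler that redirects the browser, are exactly what a defender can look for when checking a page. The following is an added example, not code from the original post: a small Node.js scanner that reads raw page source and flags both patterns. FB.Event.subscribe and the edge.create event are the Facebook JS SDK names shown on the page; the sample pages are constructed from the snippets above (example.invalid is a placeholder host), and the "navigates" heuristic and the way classes are matched to iframes are my own assumptions.

```javascript
// Heuristic likejacking scanner (added example, not from the original post).
// Looks in raw HTML for: (1) a CSS rule that makes an element fully transparent
// (opacity:0, or the legacy IE filter:alpha(opacity=0)), (2) an element with
// such a class wrapping a Facebook Like plugin iframe (or a Like iframe with an
// inline opacity:0 style), and (3) an FB.Event.subscribe('edge.create', ...)
// handler whose body navigates the browser after the Like is registered.
// Regex-only and offline; the heuristics are assumptions, not Facebook's API.

const LIKE_PLUGIN = /facebook\.com\/plugins\/like/i;
const FULLY_TRANSPARENT = /opacity\s*:\s*0(?![.\d])|alpha\(\s*opacity\s*=\s*0\s*\)/i;

// Contents of every <style> block on the page.
function extractStyleBlocks(html) {
  return [...html.matchAll(/<style[^>]*>([\s\S]*?)<\/style>/gi)].map((m) => m[1]);
}

// Set of CSS class names whose rules make the element invisible.
function findTransparentClasses(css) {
  const classes = new Set();
  for (const [, selector, body] of css.matchAll(/([^{}]+)\{([^}]*)\}/g)) {
    if (FULLY_TRANSPARENT.test(body)) {
      for (const c of selector.matchAll(/\.([\w-]+)/g)) classes.add(c[1]);
    }
  }
  return classes;
}

// Like plugin iframes hidden via a transparent class on their wrapper or an inline style.
function findHiddenLikeButtons(html, transparentClasses) {
  const hits = [];
  // Any element with a class attribute up to its closing tag (nesting is not handled).
  const elRe = /<(\w+)[^>]*\bclass\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/\1>/gi;
  for (const [, tag, classAttr, inner] of html.matchAll(elRe)) {
    const hidden = classAttr.split(/\s+/).some((c) => transparentClasses.has(c));
    const iframe = inner.match(/<iframe\b[^>]*>/i);
    if (hidden && iframe && LIKE_PLUGIN.test(iframe[0])) {
      hits.push({ how: `class "${classAttr}" on <${tag}>`, iframe: iframe[0] });
    }
  }
  for (const [iframeTag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const style = iframeTag.match(/style\s*=\s*["']([^"']*)["']/i);
    if (LIKE_PLUGIN.test(iframeTag) && style && FULLY_TRANSPARENT.test(style[1])) {
      hits.push({ how: 'inline style', iframe: iframeTag });
    }
  }
  return hits;
}

// edge.create subscriptions; a body that changes location after a Like is the scam signature.
function findEdgeCreateHandlers(html) {
  const re = /FB\.Event\.subscribe\(\s*['"]edge\.create['"]\s*,\s*function\s*\([^)]*\)\s*\{([\s\S]*?)\}\s*\)/gi;
  return [...html.matchAll(re)].map((m) => ({
    body: m[1].trim(),
    navigates: /\.location\b|\blocation\.(?:href|replace|assign)\b|window\.open\s*\(/i.test(m[1]),
  }));
}

function scanForLikejacking(html) {
  const transparent = findTransparentClasses(extractStyleBlocks(html).join('\n'));
  const hiddenLikes = findHiddenLikeButtons(html, transparent);
  const handlers = findEdgeCreateHandlers(html);
  const findings = [];
  if (hiddenLikes.length) findings.push('hidden Facebook Like button (fully transparent)');
  for (const h of handlers) {
    findings.push(h.navigates ? 'edge.create handler navigates the browser after a Like'
                              : 'edge.create handler present; review its body');
  }
  const suspicious = hiddenLikes.length > 0 || handlers.some((h) => h.navigates);
  return { transparentClasses: [...transparent], hiddenLikes, handlers, findings, suspicious };
}

// Constructed sample modelled on the snippets above (not the real scam page).
const SCAM_PAGE = `<html><head>
<meta property="og:title" content="[VIDEO] Snake Eats MAN!"/>
<style>
div.transbox { opacity:0; filter:alpha(opacity=0); /* For IE8 and earlier */ }
</style></head><body>
<img src="play_button.png" alt="fake play button">
<div class="transbox">
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2F" scrolling="no"></iframe>
</div>
<script type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
        window.location = window.money_page;
});
</script></body></html>`;

// Constructed benign page: a visible Like button and a handler that only logs.
const BENIGN_PAGE = `<html><head><style>div.share { margin: 8px; opacity: 0.9; }</style></head><body>
<div class="share"><iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.invalid%2F"></iframe></div>
<script>FB.Event.subscribe('edge.create', function(response) { console.log('liked', response); });</script>
</body></html>`;

console.log(scanForLikejacking(SCAM_PAGE).findings);
console.log(scanForLikejacking(BENIGN_PAGE).findings);
```

The scan is deliberately heuristic: a legitimate page may subscribe to edge.create to thank the user, so the handler alone is only reported for review, while a fully transparent Like iframe or a handler that redirects the browser is what sets the suspicious flag. A crawler that also compared the og: meta tags against the visible page content would catch the bait-and-switch described earlier.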


Flame, Another Weapon of Industrial Cyber Warfare.

My Twitter timeline is full of news about the discovery of the malware called Flame, which was found mainly in Iran and some other Middle Eastern countries. This is another malware targeting particular countries and used for espionage; it has some unique features that separate it from other malware like Stuxnet and Duqu, and some features that resemble them.

  • It is a backdoor, a trojan and a worm combined; it spreads mainly via USB devices and through networks.
  • It is a complete spying toolkit: it can record audio from the computer’s microphone, take screenshots and log key presses, and send them to the command and control center. Although there have been malware with such features, this is the first malware to have all of them.
  • Flame is large, about 20 MB, whereas most malware found these days is much smaller.
  • The malware is highly complex; it uses multiple compression and encryption methods for the data it sends to the command and control servers.

According to researchers it has some features in common with Stuxnet, which targeted Iran’s nuclear power plants; Flame is also used for industrial espionage and uses the same Windows vulnerability to infect machines. This is another example of cyber attacks targeting governments and high-profile targets within countries.

It’s not hard to see that this is not the work of an average person or group, because:

  • An average coder or group can’t create malware of such complexity. It requires a highly talented group of people specialised in designing such malware, which only very few countries in the world possess.
  • An average person or group has no need for such malware to spy on Iran and other Middle Eastern countries; only another country keen to keep an eye on the Middle East would, and only a few countries have the talent to build such malware, like the US, Israel or China, who are famous for their hacking capabilities.

As this article from Reuters points out,

It is the most complex piece of malicious software discovered to date, said Kaspersky Lab security senior researcher Roel Schouwenberg, whose company discovered the virus. The results of the Lab’s work were made available on Monday.

According to Kaspersky, the Flame malware went undetected for five years, which is a pretty long time. If someone, or a country, could build such a tool five years ago, one can imagine how far this industrial malware has evolved by now, and what technical skills the builders of Flame could have achieved by now.

This also raises the question of how many unknown cyber operations by countries are currently happening around the world, and what the cyber capabilities of other countries are, because malware like Duqu and Stuxnet is not made or used by ordinary hackers. According to my friend @ipv10, who is a web researcher herself, looking at the distribution and the capabilities required to build such malware, its origin should be none other than the USA.

If you are skeptical about cyber warfare: it has already begun. And while other countries, including India, are moving fast to arm themselves with cyber weapons, all we are doing is hunting perverts on Facebook; it’s time for us to move on to improving our cyber capabilities.

You can read Kaspersky’s comprehensive blog post explaining the Flame malware here: http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers