Don’t fall for this Facebook Exploit

So this evening I came across a nicely performed combination of social engineering, phishing, and coding. I was on Facebook and noticed that a friend had posted something on my wall. At first glance it appeared to be a link to the video “Charlie bit me”, a popular meme from several months ago.

The link brings you to a profile note which looks like this:

If you click on the “embedded” video you are taken to the following site (Chrome warned me about a possible phishing site; your browser may vary):

Look at the URL bar: the address is youtubecharlie3.tk, obviously a phishing site. If you don’t look at that part, though, all you see is “Facebook” asking you to sign in … again. No matter what you put in the box you still get to the video, so the scheme is fairly transparent. In the end you are still rewarded with “Charlie bit my finger – again !”

It seems that one of my friends had fallen for this ploy and had their account compromised.
Here is what their news feed looked like after the account was compromised:

Looks like someone really likes that link! … or someone is exploiting the account: 124 wall posts back to back, all within the last 12 hours or less. Something looks a little suspicious…

Why do I call this a nice hack?

Well, as much as I don’t want to see this go too far from a security perspective, I see three categories in which this “hack” (“an appropriate application of ingenuity”) does a nice job:

Social Engineering

The first aspect you see of this hack is that it appears that someone you know has posted something on your wall. It’s not some third party; one of your friends recommends a link, so it must be safe, right? After all, it’s not like somebody else posted on your wall, this is someone you know … or so you think.

This hack takes advantage of the fact that you have a level of trust for the person whose account is being exploited. Social engineering at its finest.

Phishing

The phishing page is simple, but effectively done. It looks 98% like a standard Facebook login page, the only exceptions being the obvious URL at the top, if you are paying attention to that, and the subtle “Do you want to log in to Embarassing Videos with your Facebook account?” You may also notice that the favicon is a green icon with Asian lettering on it, not quite the standard Facebook icon; I would have replaced that in about 45 seconds, but that’s me. I’m pretty sure that dialog isn’t standard either, but with the way the styles fit, it looks natural. I do see that there is a signup page button which links to a broken page; all the other links lead back to legitimate Facebook pages. It’s a simple but effective decoy. The biggest giveaway is the URL at the top, yet another reason to always keep an eye on that bar and make sure you really are where you think you are.

Coding

From a technical viewpoint, behind the scenes there is a server that, every time it phishes someone’s logon credentials, saves them and begins a systematic process of logging on to that account and posting this link to each of the victim’s friends’ walls, so the attack is self-propagating. I did determine that the web site is hosted in Germany; I’m sure the program runs through proxies so that the traffic appears to come from all around the world rather than from one location in Germany (otherwise Facebook would probably shut it down fairly quickly).
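The propagation pattern described above, many back-to-back wall posts of one link from a single account to different friends, is the kind of burst that feed monitoring can flag, and the look-alike host (youtubecharlie3.tk instead of youtube.com) is a second signal. The following Python is an added example, not code from the original post; the log line format, the `SAMPLE_LOG` lines and the `TRUSTED_VIDEO_HOSTS` list are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample of wall-post activity (not real Facebook logs).
# Format assumed here: "<ISO timestamp> <poster> -> <recipient> <url>"
SAMPLE_LOG = """\
2008-11-02T20:01:11 alice -> bob http://youtubecharlie3.tk/watch
2008-11-02T20:01:14 alice -> carol http://youtubecharlie3.tk/watch
2008-11-02T20:01:19 alice -> dave http://youtubecharlie3.tk/watch
2008-11-02T20:01:22 alice -> erin http://youtubecharlie3.tk/watch
2008-11-02T21:15:00 frank -> alice http://www.youtube.com/watch?v=abc
2008-11-03T09:00:00 alice -> gina http://youtubecharlie3.tk/watch
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")
# Assumed allow-list of hosts that legitimately serve the video.
TRUSTED_VIDEO_HOSTS = {"youtube.com", "www.youtube.com"}


def parse_log(text):
    """Yield (timestamp, poster, recipient, url); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, poster, recipient, url = m.groups()
            yield datetime.fromisoformat(ts), poster, recipient, url


def lookalike_host(url):
    """True when the host trades on the 'youtube' name but is not a trusted host."""
    host = (urlsplit(url).hostname or "").lower()
    return "youtube" in host and host not in TRUSTED_VIDEO_HOSTS


def find_bursts(text, threshold=3, window=timedelta(hours=12)):
    """Flag (poster, url) pairs pushed to >= threshold distinct friends
    inside any `window`. Returns {(poster, url): (peak_count, lookalike)}."""
    events = defaultdict(list)
    for ts, poster, recipient, url in parse_log(text):
        events[(poster, url)].append((ts, recipient))
    flagged = {}
    for key, items in events.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in items[start:end + 1]}))
        if best >= threshold:
            flagged[key] = (best, lookalike_host(key[1]))
    return flagged
```

In the sample, alice's fifth post falls outside the 12-hour window, so the peak count is 4, while frank's single legitimate youtube.com post is not flagged.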

Conclusion

So, all that said, I would have to say that this was a well-executed exploit. No, Facebook itself wasn’t hacked, despite what some people may say, but I am sure many users’ accounts have been compromised. Someone out there put an effective exploit together, tying social engineering, phishing, and a good level of technical know-how into one package. Congratulations to whoever put this together. I can see it easily becoming viral, as it only takes one friend to fall for the link and the whole process starts over again. In hindsight, if I were the developer who created this system, I would have used multiple domain names and servers with different links so they were not as easily identifiable, but I’m sure this is effective enough for them.

As I said before, Nice Hack!

In the meantime, keep yourself safe, watch what you click, keep an eye on that address bar, and don’t forget to spread the word!

Please share this article and keep your friends safe!
