by David Michmerhuizen – Security Researcher
If you’re a regular Facebook user, you’re used to questionable links in your friend feed. Links to apps you don’t want to run. Links to quizzes you don’t want to take. Links to cause pages you don’t care about. Links to videos you probably shouldn’t look at. They spread by tricking you to press ‘like’ or ‘add’ before they show you what they offer.
All typical stuff, except that Barracuda Labs has seen something unusual in the first week of March – a huge “likejacking” campaign that has fooled many otherwise careful Facebook users and illustrated just how a truly serious malware attack could leverage the
Open Graph API to spread virally through Facebook.
While likejacking is not new, this campaign is particularly well done. It succeeds because clicking on video links on your friend feed is a very natural thing to do. More than a few of our otherwise tech-savvy friends (who should know better) were taken in by this scam. It starts with a link in your friend feed from someone you trust…
Malicious post in Friend Feed
The post appears to be a link to a video, nothing unusual. Clicking on it takes you off from Facebook onto a domain that presents a page very similar to a YouTube video, except with a logo that reads “FouTube”…
Fake “FouTube” page
The site combines HTML and Javascript with special Facebook-specific markup to create a large ‘like’ button that looks like a video playback window. The markup is Facebook’s Open Graph API, and it is used to tell Facebook that the scam site (girl-gets-caught.info) should be added to Facebook’s “social graph” just as if it were a page from the Facebook site.
Open Graph API Markup
It bears repeating – a ‘like’ button is implemented in code. The only thing that makes one look like the usual Facebook ‘like’ button is Facebook’s Terms of Service, which state that a ‘like’ button must use an approved style.
The code you see here has two functions.
First, as shown below, is to ‘like’ the page so that a link to it appears on your wall and in the friend feed of all of your friends. This spreads the campaign virally and with if the subject videos are appealing enough the links to the scam page can spread to many thousands of users in a very short time.
Malicious HTML and JavaScript
Indeed, clicking on the video posts a link to the scam page on Renee’s wall
The scam posted to your Facebook wall
The second function of the code is the true aim of the campaign, which is to direct visitors to a series of ’surveys’ which indiscriminately pitch products, harvest personal information and attempt to subscribe the unwary to premium-rate SMS services. This is where the scammers make their money.
The start of the scam surveys
(More survey scam pictures
here,
here, and
here. ) If you wait for 60 seconds the underlying page continues on to display a relevant YouTube video.
A partial list of domains involved (careful, some may still be active) shows the effort that went into the social engineering aspects of the campaign.
Partial list of domains used
This sort of likejacking has been going on for quite awhile, and the campaigns are almost always used to deliver users to ’survey’ sites. In the case of the fake video page described above the survey poses as a hurdle to pass to be allowed to see the video. The survey itself is generally harmless provided that you don’t answer it, and the Facebook ‘like’ is embarrassing but easy enough to fix. Facebook removes these posts after the fact, usually within hours.
The example above shows that Open Graph gives survey distributors easy access to Facebook, turning a low-level scam spread via email and forum spam into a huge viral success for the scammers.
What is especially troubling about this is what could have happened. Rather than deliver a scammy survey, malware distributors could easily attempt a series of silent exploits against the browser and it’s plug-ins, followed by a quick redirect to a real video. That sort of attack could spread real malware such as the Zeus or SpyEye password-stealing trojans to thousands of Facebook users in a very short period of time compared to other methods. Even worse, many of those backdoors and password stealers would be installed inside of business networks who allow their employees to use Facebook in their ‘free time’.
Barracuda Networks recommends you take particular care when using facebook. If friends post links, make sure you trust the destination domain before following the link.
Barracuda Web Filters also allow the selective blocking of Facebook within the organization.