Thursday, March 17, 2011

Who's behind Facebook clickjacking scams?

Clickjacking is a fairly advanced technique even for security-minded programmers. I guess most pentesters would have a hard time quickly preparing a robust demonstration of a clickjacking attack. It requires some advanced CSS/JavaScript and HTML knowledge: one needs to know how to hide content or how to make it follow the mouse, and account for all the browser quirks. Clearly the guys behind the Facebook clickjacking *.info scams have some exceptional skills. Or do they?

Recently I got an email from one of my readers - he analyzed the actual code used in an attack, did some googling for snippets of it and found the person who is (supposedly, we have no proof yet) the author of the code used in recent attacks. Meet bhav - and tremble before his mighty coder skills!

[Screenshot: Iframe problem]
March 2010 - our bhav wants to solve the 'iframe problem' and hide an iframe. Fellow coders quickly help, so he can proceed. But he soon runs into...

[Screenshot: Submit problem]
the submit problem, and quickly learns the super-stealthy-black-hat-ninja technique of executing JavaScript on a button click. A few months later he needs the animation:

[Screenshot: Redirect divs]
What for? In Facebook scams, a scam page displays a "play video" link and waits for the user to click on an invisible Like button placed over it. But the click event never reaches the scam page, so usually after a given timeout (e.g. 5 seconds) the page changes anyway, so that the user doesn't notice anything. I've observed this technique in the past; now I know where it (supposedly) came from.
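The two halves of the pattern just described (a social widget iframe that is hidden or overlaid on visible content, plus a timed redirect that fires whether or not the click arrived) are cheap to spot in a page's source. The scanner below is an added example written for this post, not code from the post or from any scam kit; it uses only the Python standard library, the WIDGET_HINTS list is an illustrative assumption, and the two sample pages are constructed. It is the kind of triage check you can run over a reported URL's HTML before deciding whether it is worth marking as spam.

```python
"""Heuristic scanner for the hidden-iframe clickjacking pattern described in the
post: an invisible social widget placed over visible content, plus a
setTimeout-driven redirect fallback. Added example with constructed samples."""
import re
from html.parser import HTMLParser

# URL fragments typical of embeddable social widgets. Assumption: this list is
# illustrative; extend it for whatever widgets matter in your environment.
WIDGET_HINTS = ("/plugins/like.php", "/plugins/share", "share.php")

# setTimeout(...) whose callback touches location / .href: the timed fallback.
TIMED_REDIRECT = re.compile(r"setTimeout\s*\(.*?(?:location|\.href)", re.S)


class _Collector(HTMLParser):
    """Collects iframe attributes and inline script bodies from a document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _style(attrs):
    """Parse an inline style attribute into a {property: value} dict."""
    out = {}
    for decl in attrs.get("style", "").split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = val.strip().lower()
    return out


def hiding_indicators(attrs):
    """Return the reasons an iframe looks hidden or overlaid (empty if none)."""
    st = _style(attrs)
    reasons = []
    try:
        if float(st.get("opacity", "1")) <= 0.1:
            reasons.append("near-zero opacity")
    except ValueError:
        pass
    if "alpha(opacity=0" in st.get("filter", ""):
        reasons.append("IE alpha filter opacity 0")
    if st.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if st.get("position") in ("absolute", "fixed") and "z-index" in st:
        reasons.append("absolutely positioned with z-index (overlay)")
    return reasons


def scan(html):
    """Report widget iframes that are hidden/overlaid and any timed redirect."""
    c = _Collector()
    c.feed(html)
    findings = []
    for frame in c.iframes:
        src = frame.get("src", "")
        if not any(hint in src for hint in WIDGET_HINTS):
            continue  # only social-widget iframes are interesting here
        reasons = hiding_indicators(frame)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    timed = any(TIMED_REDIRECT.search(s) for s in c.scripts)
    # A hidden widget alone is the core signal; the timed redirect strengthens it.
    return {"hidden_widgets": findings, "timed_redirect": timed,
            "suspicious": bool(findings)}


# Constructed sample: the pattern the post describes, reduced to its essentials.
SCAM_PAGE = """<html><body>
<a href="#">Play video</a>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2F"
        style="position:absolute; top:120px; left:40px; opacity:0;
               filter:alpha(opacity=0); z-index:10" scrolling="no"></iframe>
<script>setTimeout(function () { window.location = "video.html"; }, 5000);</script>
</body></html>"""

# Constructed sample: an ordinary, visible Like button embed.
LEGIT_PAGE = """<html><body>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2F"
        style="border:none; width:450px; height:80px" scrolling="no"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("scam", SCAM_PAGE), ("legit", LEGIT_PAGE)):
        print(name, scan(page))
```

The check is deliberately conservative: a visible Like button is exactly what a legitimate site embeds, so only the combination of a widget URL with hiding or overlay styling is flagged, and the timed redirect is reported separately as corroborating evidence rather than folded into the verdict.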

Meanwhile, bhav is into reverse engineering and learns about JS packers:
[Screenshot: Help understanding symbols]

Let's recap. We have a guy who wants to hide an iframe, messes with some site link-sharing code and learns about timeouts used to change the DOM. Nothing especially suspicious, right? But what about this:
[Screenshot: Google Chrome redirect]

the share.php iframe and the use of the lpcAutoLike() function? You're being naughty, bhav!

The icing on the cake is that he's launching a fan page:

[Screenshot: Facebook fan page]
That is ... sad. This guy, clearly a beginner coder, can now launch Facebook clickjacking scams on a daily basis, making $$$ no matter how little. There are probably dozens of similar stories. On the other side we have:

  • browser vendors - they will probably not "fix" clickjacking, as it is not a bug but a flaw in the web itself
  • Facebook users - having no easy way to be protected apart from NoScript
  • appsec guys - sure, I can spend a day analyzing Facebook scams like I did before, but it's the same every time and no fun either
  • Facebook - reporting this to Facebook doesn't do any good; there isn't even an abuse@ address, and I found no way to report this after spending 15 minutes in their UI, so I gave up. The most a user can do is mark an individual scam URL as "spam", but new sites with the same code are being launched daily. Facebook, please make a policy on how to report these...
It's just not right and I have no idea how to make it better apart from publishing these posts.

P.S. On the upside, I've just found some nice info about the other guy I reported recently:
koto@xps:~$ whois -------------.info | grep -i '\(email\|server\)' | head -n 5
Registrant Email:------------88@googlemail.com
Admin Email:------------88@googlemail.com
Billing Email:------------88@googlemail.com
Tech Email:------------88@googlemail.com
Name Server:NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
