Archived Blog

Facebook Viral Social Networking Spam

08.18.2008 - 5:00 PM

Websense Security Labs has been tracking various Facebook attacks for many years. We've had to create numerous tools and methods to detect these types of attacks because most Web 2.0 social networking sites are difficult to track due to limited public access to most accounts. Most social networking accounts can only be viewed if the account holder explicitly accepts or requests another account to be added as a "friend". A generic Web crawler and even a search engine Web crawler would not be able to mine the pages on a social networking site due to lack of permission.

We've used our HoneyJax system, which we've spoken about in the past, to track malicious activity in the social networking world.

The attacks on Facebook and MySpace in the last few weeks have been very interesting, but attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now.

To give you an example of an attack that has been going on for over six months, we've shown a recent Facebook phishing email that our HoneyJax system picked up this weekend.

Figure 1: Malicious Facebook email message

As you can see from the above email, a very enticing message was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends, so the chances of a user clicking on one of these emails are tremendously high.

The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam.

Figure 2: Malicious message written on Facebook wall

Like most malicious Web pages these days, the source code of the blogspot Web page is obfuscated. De-obfuscating it shows us that they are using JavaScript to change the URL location and automatically redirect a user to the phishing site.

Figure 3: Obfuscated source code found on blogspot Web page

Figure 4: De-obfuscated content indicating a redirection

Figure 5: Automatic redirection to Facebook phishing page
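
The kind of check described above can be done statically, without running the page's script. The following is an added example, not Websense's tooling or code from the original post: it unwraps two common string-obfuscation forms and lists any redirect that leaves the hosting site. The post does not say which obfuscation the blogspot page used, so the `unescape`/`String.fromCharCode` handling is an assumption, and the hostnames and payload are constructed.

```javascript
// Added example: statically peel common string obfuscation and list the
// redirects a page would perform. Nothing from the page is eval'd.

// Decode %uXXXX and %XX escapes, the alphabet unescape() understands.
function decodePercent(s) {
  const toChar = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return s.replace(/%u([0-9a-fA-F]{4})/g, toChar).replace(/%([0-9a-fA-F]{2})/g, toChar);
}

// Replace unescape("...") and String.fromCharCode(...) calls with the text
// they would produce, repeating so nested layers are unwrapped.
function deobfuscate(source, maxRounds = 5) {
  let out = source;
  for (let i = 0; i < maxRounds; i++) {
    const next = out
      .replace(/unescape\(\s*(["'])([^"']*)\1\s*\)/g, (_, q, body) => decodePercent(body))
      .replace(/String\.fromCharCode\(([\s,xX0-9a-fA-F]+)\)/g, (_, nums) =>
        nums.split(',').map((n) => String.fromCharCode(Number(n.trim()))).join(''));
    if (next === out) break;
    out = next;
  }
  return out;
}

// Find location assignments and replace()/assign() calls with a literal URL,
// and mark those that leave the host serving the page.
function findRedirects(source, pageHost) {
  const re = /\blocation(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*(["'])(.*?)\1/g;
  const hits = [];
  for (const m of deobfuscate(source).matchAll(re)) {
    let host;
    try { host = new URL(m[2], `http://${pageHost}/`).hostname; } catch { continue; }
    hits.push({ target: m[2], host, offSite: host !== pageHost });
  }
  return hits;
}

// Constructed sample: hostnames and payload are made up for this example.
const SAMPLE_HOST = 'lure.blogspot.example';
const SAMPLE_PAGE = '<script>eval(unescape("%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66' +
  '%3d%22%68%74%74%70%3a%2f%2f%70%68%69%73%68%2e%65%78%61%6d%70%6c%65' +
  '%2f%6c%6f%67%69%6e%22"));</script>';

console.log(findRedirects(SAMPLE_PAGE, SAMPLE_HOST));
```

A hit with `offSite: true` on a page linked from a wall post or notification email is a reasonable signal to queue the target domain for review.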

Figure 6: Registration info for Facebook phishing domain

Interestingly enough, this particular attack has been going on for over six months. The phishing URL above was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages.

Figure 7: DNS records of Facebook phishing page

We've received multiple inquiries from our readers as to how this attack is spreading. The answer is simpler than you'd expect: viral social networking. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials. Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world.

As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.


Security Researcher: Stephan Chenette

