We've used our HoneyJax system, which we've spoken about in the past, to track malicious activity in the social networking world.
The attacks on Facebook and MySpace in the last few weeks have been very interesting, but attacks on Facebook and MySpace are nothing new. There have been continual, targeted Facebook attacks for some time now.
To give you an example of an attack that has been going on for over six months, here is a recent Facebook phishing email that our HoneyJax system picked up this weekend.
Figure 1: Malicious Facebook email message
As you can see from the above email, a very enticing message was sent to one of our test accounts, letting us know that something had been written about us, and that we'd probably want to read more about it. An average user would probably want to know what was written about them, especially because it's on a public blog such as blogspot. Most users have an enormous amount of trust in their fellow Facebook friends, so the chances of a user clicking on one of these emails are tremendously high.
The attackers in this case were able to legitimately have Facebook send a spam email by compromising an account that the test user was "friends" with, and writing a comment on the test user's wall. Writing on the wall triggered an automatic email to the test user's email account with the message that was written on the wall. So, in this case Facebook wall writing is being used as a mechanism to send spam.
Figure 2: Malicious message written on Facebook wall
Figure 3: Obfuscated source code found on blogspot Web page
Figure 4: De-obfuscated content indicating a redirection
Figure 5: Automatic redirection to Facebook phishing page
Figure 6: Registration info for Facebook phishing domain
Interestingly enough, this particular attack has been going on for over six months. The phishing URL above was registered in July 2008, but several domains have been used in this ongoing attack. Its nameserver is responsible for a load of other phishing domains, including numerous MySpace phishing pages.
Figure 7: DNS records of Facebook phishing page
We've received multiple inquiries from our readers as to how this attack is spreading. The answer is simpler than you'd expect: viral social networking. Users are clicking on these links manually, either when they receive them in email or read them on their walls. They click on the link, get redirected to a phishing page, and manually input their credentials. Attackers are then using their credentials to post manually and perhaps automatically to their wall, as well as their friends' walls, allowing them to spread within the walls of the social networking world.
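A static triage sketch for the blog-page-to-phishing-page redirect chain described above, added here as an example; it is not code from the HoneyJax system or from the original post. It assumes the obfuscation is nested percent-encoding passed to `unescape()` (the page's figures are not reproduced), and the sample page and the `example.test` domain are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# Assumed obfuscation style: unescape("%xx%xx..."), possibly nested.
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])((?:%[0-9A-Fa-f]{2}|[^'\"\\])*)\1\s*\)")
REDIRECT_RES = [
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(r"location\.replace\(\s*['\"]([^'\"]+)['\"]", re.I),
    re.compile(r"<meta[^>]+http-equiv=['\"]?refresh[^>]+url=([^'\"\s>]+)", re.I),
]

def peel(html, max_layers=5):
    """Decode nested unescape() layers statically; no script is executed."""
    layers = [html]
    for _ in range(max_layers):
        decoded = [unquote(m.group(2)) for m in UNESCAPE_RE.finditer(layers[-1])]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def redirect_targets(html):
    """Collect redirect URLs visible in the page or in any decoded layer."""
    found = []
    for layer in peel(html):
        for rx in REDIRECT_RES:
            for url in rx.findall(layer):
                if url not in found:
                    found.append(url)
    return found

def is_lookalike(url, brand="facebook", official=("facebook.com",)):
    """True when the host names the brand but is not an official domain."""
    host = (urlparse(url).hostname or "").lower()
    legit = any(host == d or host.endswith("." + d) for d in official)
    return brand in host and not legit

def _enc(text):
    """Percent-encode every character, to build the constructed sample."""
    return "".join("%%%02X" % ord(c) for c in text)

# Constructed sample: a two-layer encoded redirect to a placeholder domain.
_INNER = 'window.location="http://facebook-login.example.test/index.php";'
_LAYER1 = 'eval(unescape("%s"))' % _enc(_INNER)
SAMPLE = '<script>eval(unescape("%s"))</script>' % _enc(_LAYER1)

if __name__ == "__main__":
    for target in redirect_targets(SAMPLE):
        print(target, "LOOKALIKE" if is_lookalike(target) else "ok")
```

A page linked from a wall post that yields a redirect target flagged by `is_lookalike` is a candidate for blocking and for review of the account that posted the link.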
As social networking sites become the place where the majority of Web users are spending the majority of their Internet time, we're going to see more and more MySpace, Facebook, and other social networking attacks. Web 2.0 Web sites open up a huge attack vector to exploit transitive trust. Attackers know it, and are actively taking advantage of it.
Security Researcher: Stephan Chenette