Tuesday, December 14, 2010

Facebook Clickjacking: A Deep Analysis of the "Sexy Girl" Post.

This afternoon I found this post on my news feed: "A sexy girl is playing with the Nintendo Wii.. lets see what happened next!". I was pretty curious to click on it because I recognized this social engineering trap. It is a classic one ;).

So let's right-click on it and copy the link. Then paste the copied link into an empty browser URL bar and go there to see what happens! The crafted page looks very close to the original YouTube one, except for the URL (of course!).

If you go to its address (http://www.assurdo.info/w/wii.php) you can easily spot some inconsistencies: the loading bar appears half loaded as soon as you open the attack's link, the controls (Play, Stop, Pause) don't work at all (of course, it's a simple image!) and an unusual sentence says: "To play the video click Here". Here we go... another clickjacking site! I've already written about clickjacking in several forums, blogs etc. If you are not familiar with this technique, please read my last paper on the topic here.

Right-click on the page and..... a JavaScript disables the right click; obviously they don't want us to read their code ;). Using the browser's own tools, let's see what the attacker wrote into the page. The following image shows the first half of the page code. A Google Analytics account (UA-18918796-1) is present on the page: the attacker wants to track how many people have been clickjacked through his page. A CSS file called "foglio.css" is linked from an external source. Investigating foglio.css we see that the page manipulation happens, as usual, through the z-index and opacity properties, nothing really new.

Following the main HTML code, we reach the core of the attack. The following image shows the second half of the page.
A classic iframe is used to hide the background page. I made the same example on the DEISNET page; please take a look at it to fully understand how the iframe hides the background page.
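The overlay pattern described above (a nearly transparent iframe stacked by z-index above a visible fake "Play" button, so the victim's click lands in the hidden frame) can be detected mechanically. The following is an added example written for this post, not code from the attacker's page or from the author: it checks element descriptors for an invisible iframe covering a visible element below it. The descriptors are plain objects so the logic runs outside a browser; the hypothetical `toDescriptor()` helper shows how to build them from real DOM nodes, and the sample page is constructed to mirror the post.

```javascript
// Added example: flag (hidden iframe, covered visible element) pairs, the
// z-index + opacity overlay used in the clickjacking page described above.

function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Returns one finding per iframe that is (almost) transparent, stacked above
// a visible non-iframe element, and geometrically covering it.
function findClickjackOverlays(elements, opacityThreshold = 0.1) {
  const findings = [];
  const frames = elements.filter(e => e.tag === 'iframe' && e.opacity <= opacityThreshold);
  const visible = elements.filter(e => e.tag !== 'iframe' && e.opacity > opacityThreshold);
  for (const frame of frames) {
    for (const target of visible) {
      // Only dangerous when the frame is above the decoy AND overlaps it.
      if (frame.zIndex > target.zIndex && rectsOverlap(frame.rect, target.rect)) {
        findings.push({ frame: frame.id, covers: target.id, src: frame.src });
      }
    }
  }
  return findings;
}

// Hypothetical browser helper (assumption: run inside the page under inspection).
function toDescriptor(el) {
  const cs = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    id: el.id || el.tagName.toLowerCase(),
    tag: el.tagName.toLowerCase(),
    src: el.src || null,
    opacity: parseFloat(cs.opacity),
    zIndex: cs.zIndex === 'auto' ? 0 : parseInt(cs.zIndex, 10),
    rect: { x: r.left, y: r.top, w: r.width, h: r.height },
  };
}

// Constructed sample mirroring the post: a fake "Play" image with the real
// target page in a transparent iframe floated above it; the footer is a
// visible element the frame does not cover.
const SAMPLE_PAGE = [
  { id: 'fake-play', tag: 'img', src: null, opacity: 1, zIndex: 1, rect: { x: 300, y: 200, w: 80, h: 80 } },
  { id: 'ad-frame', tag: 'iframe', src: 'https://example.invalid/target', opacity: 0.001, zIndex: 10, rect: { x: 0, y: 0, w: 1000, h: 700 } },
  { id: 'footer', tag: 'div', src: null, opacity: 1, zIndex: 0, rect: { x: 0, y: 800, w: 1000, h: 50 } },
];

const findings = findClickjackOverlays(SAMPLE_PAGE); // one finding: ad-frame covers fake-play
```

In a real page you would call `findClickjackOverlays(Array.from(document.querySelectorAll('*')).map(toDescriptor))` from the console; a finding means a click on the decoy is really delivered to the frame's `src`.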

The most interesting part is the external JavaScript called awe.js. Basically the page intercepts your click on the fake "Play" button placed in the middle of the screen and triggers the JavaScript code. That code checks whether you have already visited the following page (http://bit.ly/fCT54Z), which after 3 redirect steps becomes a simple registration form of mymatch. If you had already visited it, it does nothing; if you had not, it makes you visit it and then sets a cookie so that you don't visit the page another time. This prevents Google or other advertisement companies from thinking that somebody is attacking the ad services through an HTTP proxy.

This trick is widely used in underground communities to obtain fake clicks and earn money from pay-per-click services. The script per se does nothing bad to the attacked user, but it forces you to open a page, generating traffic, clicks and page impressions on a URL you would not otherwise click. Google and other advertisement companies profile click behavior, and this technique is the most used way to defraud those services, since the click behavior is not altered from the usual one and the normal click statistics are preserved.

So if you fall into this attack don't worry: you don't need to change your password; you have just contributed to a click fraud.

A possible way to counterattack is to make several clicks on the link the attacker used (http://bit.ly/fCT54Z). By voluntarily clicking on it you will change the "normal clicking behavior", which means Google and other adv services will close the attacker's adv account. Now it's up to you ;)
