So, I'm browsing random FB groups and suddenly this creeps up on my TL:

Hmmmmmmm!!! The two things I love the most. Black hat FB technique and titties!!!!

Obviously I clicked on it and I was then blessed to have adblock on, cuz it blocked some ads from opening up. Me gusta.

So I decide to dig into it. Let's check the domain name.

    No match for domain "XJXJXJXJXJXJX.SITE".
    >>> Last update of whois database: Fri, 30 Sep 2016 11:15:56 GMT <<<

Ah, they're using that new trick: the unlisted whois servers from these new GTLDs, which make it difficult for competitor analysis and which skews the data on Ahrefs, Semrush and the likes. Nice trick.

Fuck it. Unlisted whois my ass. We be blackhats, let's check 'em anyway.

    Updated Date: 2016-09-26T15:47:08.0Z
    Creation Date: 2016-09-21T15:43:16.0Z
    Registry Expiry Date: 2017-09-21T23:59:59.0Z
    Sponsoring Registrar: Namecheap

Ah there you are my beauty. It's a 9 day old domain. Obvious throwaway from the U$ 0.88 domains over at Namecheap. Buy it, milk it, throw it away before renewal avoiding the U$ 38 regular price. Clever.

So what are they doing? How did they get that shit into my group timeline? I'll bite. Click and see what kind of headers this thing is returning.

    302 Found
    Connection: close
    Date: Fri, 30 Sep 2016 11:06:54 GMT
    Location: http://XFLICKINGFAKE.site/DAVIDBECKHAM.php
    Server: Apache/2
    Vary: User-Agent
    Content-Length: 0
    Content-Type: text/html
    Client-Date: Fri, 30 Sep 2016 11:06:13 GMT
    Client-Peer: 126.96.36.199:80
    Client-Response-Num: 1
    Set-Cookie: url=AFFILIATECODEWASHERE; expires=Fri, 30-Sep-2016 11:07:54 GMT; Max-Age=60
    X-Powered-By: PHP/5.5.38

Nice. A 302 redirect to get the affiliate code set. Cookie monster! Cookie set!!!! Me like cookies!

Now here's the secret sauce. The response to DAVIDBECKHAM.php includes a fucking exploit. That's right, it blows up the browser heap and exploits a buffer overflow. My poor little browser running in the throwaway VM almost got exploited.

Then comes the interesting part.
Below the exploit, there's an author tag.

    <meta property="article:author" content="https://www.facebook.com/bbcnews" />

And a title tag that looks like this:

    <meta name="description" content="1.688.367 Views" />

Finally, the URL:

    <meta property="og:url" content="XFAKEWHATEVER.SITE/ACMESOON.php" />

That PHP leads to the exploit. It's obviously cloaked so FB doesn't see the exploit.

Conclusion

The post claims to be from a reputable source, BBC News, it thus appears on your timeline. That seems to do the trick. Also there's some heavy duty cloaking going on.

You click on it and after setting a tracking cookie, the exploit runs on your computer and your own FB account starts to promote the link like the victim did.

The number of views is fake and injected into the image via the og tags so people think it's reputable and click on it too.

The domain is an 88-cent throwaway.

If you use this for noble purposes you can probably think of variations to do it legally, without the exploit and using some of the ideas uncovered during this exploration.

Disclaimer

Several members reported the post and Facebook banned it before I posted this. Information provided for educational purposes only. If you use this you're a dick and you'll probably get banned and ride in the back seat of a black van in handcuffs.
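Added example, not part of the original post: a Python sketch of how a defender could flag a shared link using the signals walked through above (domain age from WHOIS, the 302 that sets a short-lived cookie, the article:author / og:url mismatch, and a view count used as the description). The sample input is constructed from the values quoted in the post; the function names, the thresholds and the PUBLISHER_DOMAINS map are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input, assembled (and abridged) from the values quoted in the post.
WHOIS = "Creation Date: 2016-09-21T15:43:16.0Z\nSponsoring Registrar: Namecheap\n"
HEADERS = {"status": 302, "Set-Cookie": "url=AFFILIATECODEWASHERE; Max-Age=60"}
HTML = ('<meta property="article:author" content="https://www.facebook.com/bbcnews" />'
        '<meta name="description" content="1.688.367 Views" />'
        '<meta property="og:url" content="XFAKEWHATEVER.SITE/ACMESOON.php" />')
SEEN = datetime(2016, 9, 30, 11, 6, 54, tzinfo=timezone.utc)
# Assumption: defender-maintained map of publisher Facebook pages to their real domains.
PUBLISHER_DOMAINS = {"bbcnews": ("bbc.com", "bbc.co.uk")}

class MetaTags(HTMLParser):  # collects <meta property|name=... content=...> pairs
    def __init__(self):
        super().__init__()
        self.tags = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        if tag == "meta" and key:
            self.tags[key] = a.get("content") or ""

def domain_age_days(whois_text, seen):
    m = re.search(r"Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text)
    if not m:  # e.g. the "No match for domain" answer from the first lookup
        return None
    created = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (seen - created).days

def indicators(whois_text, headers, html, seen):
    p = MetaTags()
    p.feed(html)
    found, age = [], domain_age_days(whois_text, seen)
    if age is not None and age < 30:  # 30-day threshold is an assumption
        found.append("new_domain")
    ttl = re.search(r"Max-Age=(\d+)", headers.get("Set-Cookie", ""))
    if headers.get("status") == 302 and ttl and int(ttl.group(1)) <= 3600:
        found.append("redirect_sets_short_cookie")
    slug = urlparse(p.tags.get("article:author", "")).path.strip("/")  # claimed publisher
    raw = p.tags.get("og:url", "")  # may be scheme-less, as in the post
    og = (urlparse(raw if "//" in raw else "//" + raw).hostname or "").lower()
    if slug in PUBLISHER_DOMAINS and not any(
            og == d or og.endswith("." + d) for d in PUBLISHER_DOMAINS[slug]):
        found.append("claimed_publisher_mismatch")
    if re.fullmatch(r"[\d.,]+ Views", p.tags.get("description", "")):
        found.append("view_count_as_description")
    return found
```

None of these signals is conclusive alone; a preview that trips several of them together is worth holding for review.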