
Investigating a technique on Facebook

Discussion in 'FaceBook' started by bartosimpsonio, Sep 30, 2016.

  1. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,027
    Likes Received:
    10,817
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    Home Page:
    So, I'm browsing random FB groups and suddenly this creeps up on my TL:

    [image: creepsup.png]

    Hmmmmmmm!!! The two things I love the most. Black hat FB technique and titties!!!!

    Obviously I clicked on it and I was then blessed to have adblock on, cuz it blocked some ads from opening up. Me gusta. So I decide to dig into it. Let's check the domain name.

    No match for domain "XJXJXJXJXJXJX.SITE".
    >>> Last update of whois database: Fri, 30 Sep 2016 11:15:56 GMT <<<

    Ah, they're using that new trick: the unlisted whois servers from these new gTLDs, which make it difficult for competitor analysis and which skew the data on Ahrefs, Semrush and the like. Nice trick. Fuck it. Unlisted whois my ass. We be blackhats, let's check 'em anyway.

    Updated Date: 2016-09-26T15:47:08.0Z
    Creation Date: 2016-09-21T15:43:16.0Z
    Registry Expiry Date: 2017-09-21T23:59:59.0Z
    Sponsoring Registrar: Namecheap

    Ah, there you are, my beauty. It's a 9-day-old domain. Obvious throwaway from the U$ 0.88 domains over at Namecheap. Buy it, milk it, throw it away before renewal, avoiding the U$ 38 regular price. Clever.

    So what are they doing? How did they get that shit into my group timeline?

    I'll bite. Click and see what kind of headers this thing is returning.

    302 Found
    Connection: close
    Date: Fri, 30 Sep 2016 11:06:54 GMT
    Location: http://XFLICKINGFAKE.site/DAVIDBECKHAM.php
    Server: Apache/2
    Vary: User-Agent
    Content-Length: 0
    Content-Type: text/html
    Client-Date: Fri, 30 Sep 2016 11:06:13 GMT
    Client-Peer: 93.158.212.63:80
    Client-Response-Num: 1
    Set-Cookie: url=AFFILIATECODEWASHERE; expires=Fri, 30-Sep-2016 11:07:54 GMT; Max-Age=60
    X-Powered-By: PHP/5.5.38

    Nice. A 302 redirect to get the affiliate code set. Cookie monster! Cookie set!!!! Me like cookies!

    Now here's the secret sauce. The response to DAVIDBECKHAM.php includes a fucking exploit. That's right, it blows up the browser heap and exploits a buffer overflow. My poor little browser running in the throwaway VM almost got exploited.

    Then comes the interesting part. Below the exploit, there's an author tag.

    <meta property="article:author" content="https://www.facebook.com/bbcnews" />

    And a title tag that looks like this:

    <meta name="description" content="1.688.367 Views" />

    Finally, the url: <meta property="og:url" content="XFAKEWHATEVER.SITE/ACMESOON.php" />

    That PHP leads to the exploit. It's obviously cloaked so FB doesn't see the exploit.

    Conclusion

    The post claims to be from a reputable source, BBC News, and it thus appears on your timeline. That seems to do the trick. Also there's some heavy-duty cloaking going on.

    You click on it and, after setting a tracking cookie, the exploit runs on your computer and your own FB account starts to promote the link like the victim did. The number of views is fake and injected into the image via the og tags so people think it's reputable and click on it too. The domain is an 88-cent throwaway.

    If you use this for noble purposes you can probably think of variations to do it legally, without the exploit and using some of the ideas uncovered during this exploration.

    Disclaimer

    Several members reported the post and Facebook banned it before I posted this.
    Information provided for educational purposes only. If you use this you're a dick and you'll probably get banned and ride in the back seat of a black van in handcuffs.
     
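As an added example (not code from the thread), here is a small triage script that checks a captured redirect, landing-page meta tags and whois dates for the four indicators the post walks through: a redirect hop that sets a cookie, an article:author that points to a different site than og:url, a description that is just a view count, and a domain only days old. The headers, HTML and dates below are constructed to mirror the post; the hostnames are placeholders.

```python
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data shaped like the post's captures; hosts are placeholders.
RAW_HEADERS = """302 Found
Location: http://redirect-example.site/landing.php
Set-Cookie: url=AFFCODE; expires=Fri, 30-Sep-2016 11:07:54 GMT; Max-Age=60
Vary: User-Agent"""
LANDING_HTML = """<head>
<meta property="article:author" content="https://www.facebook.com/bbcnews" />
<meta name="description" content="1.688.367 Views" />
<meta property="og:url" content="landing-example.site/landing.php" />
</head>"""
WHOIS_CREATED, OBSERVED = "2016-09-21T15:43:16Z", "2016-09-30T11:06:54Z"

class MetaCollector(HTMLParser):  # collects <meta> tags keyed by property= or name=
    def __init__(self):
        super().__init__()
        self.meta = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or a.get("name")):
            self.meta[a.get("property") or a.get("name")] = a.get("content", "")

def parse_headers(raw):  # -> (status code, {lowercase header name: value})
    lines = raw.strip().splitlines()
    hdrs = dict((k.strip().lower(), v.strip()) for k, _, v in
                (ln.partition(":") for ln in lines[1:]))
    return int(lines[0].split()[0]), hdrs

def hostname(url):  # og:url in the post had no scheme, so tolerate that
    return urlparse(url if "://" in url else "//" + url).hostname or ""

def triage(raw_headers, html, created, observed, young_days=30):
    """Return the indicators from the post that fire on this capture."""
    findings = []
    status, h = parse_headers(raw_headers)
    if 300 <= status < 400 and "set-cookie" in h:
        findings.append("redirect hop sets a cookie (affiliate/tracking)")
    p = MetaCollector(); p.feed(html); m = p.meta
    author, desc = m.get("article:author", ""), m.get("description", "")
    if author and hostname(author) != hostname(m.get("og:url", "")):
        findings.append("article:author points off-site (borrowed credibility)")
    if "view" in desc.lower() and any(c.isdigit() for c in desc):
        findings.append("description is a view count (spoofed social proof)")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    age = (datetime.strptime(observed, fmt) - datetime.strptime(created, fmt)).days
    if age < young_days:
        findings.append(f"domain is {age} days old (throwaway)")
    return findings
```

Run `triage(RAW_HEADERS, LANDING_HTML, WHOIS_CREATED, OBSERVED)` to see all four indicators fire on the sample; a plain 200 page with a matching og:url and an old domain returns an empty list.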
  2. judaculla

    judaculla Jr. VIP Jr. VIP

    Joined:
    Oct 11, 2014
    Messages:
    324
    Likes Received:
    118
    Location:
    USA
    Thanks for taking the time to post. Very interesting read.
     
  3. Panther28

    Panther28 Jr. VIP Jr. VIP

    Joined:
    May 2, 2010
    Messages:
    2,529
    Likes Received:
    3,556
    Occupation:
    Internet.
    Location:
    Internet.
    Home Page:
    So did you find tits or what?
     
  4. Vampirion

    Vampirion Jr. VIP Jr. VIP

    Joined:
    Mar 8, 2012
    Messages:
    104
    Likes Received:
    23
    Thanks for the info, interesting stuff.
    Will investigate this further, there are some things that can deff. be REALLY useful.
    Quality material man!
     
  5. Shipley18

    Shipley18 Registered Member

    Joined:
    Mar 11, 2015
    Messages:
    79
    Likes Received:
    16
    Gender:
    Male
    Almost genius! Using 'almost' because it looks like the post has been deleted pretty fast. But I guess that it produced some ca$$$h until the ban hammer came.
     
  6. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,027
    Likes Received:
    10,817
    Occupation:
    WHEREZ MA
    Location:
    BITCOINS AT?
    Home Page:
    Yup. No black hat SEO. But don't matter, had tits.
     