Investigating a technique on Facebook

bartosimpsonio (Elite Member, Executive VIP, Jr. VIP; joined Mar 21, 2013)
So, I'm browsing random FB groups and suddenly this creeps up on my TL:

[image: creepsup.png]


Hmmmmmmm!!! The two things I love the most. Black hat FB technique and titties!!!!

Obviously I clicked on it and I was then blessed to have adblock on, cuz it blocked some ads from opening up. Me gusta. So I decide to dig into it. Let's check the domain name.

No match for domain "XJXJXJXJXJXJX.SITE".
>>> Last update of whois database: Fri, 30 Sep 2016 11:15:56 GMT <<<

Ah, they're using that new trick: the unlisted whois servers from these new gTLDs, which make it difficult for competitor analysis and which skew the data on Ahrefs, Semrush and the like. Nice trick. Fuck it. Unlisted whois my ass. We be blackhats, let's check 'em anyway.

Updated Date: 2016-09-26T15:47:08.0Z
Creation Date: 2016-09-21T15:43:16.0Z
Registry Expiry Date: 2017-09-21T23:59:59.0Z
Sponsoring Registrar: Namecheap

Ah, there you are my beauty. It's a 9-day-old domain. Obvious throwaway from the U$ 0.88 domains over at Namecheap. Buy it, milk it, throw it away before renewal, avoiding the U$ 38 regular price. Clever.

So what are they doing? How did they get that shit into my group timeline?

I'll bite. Click and see what kind of headers this thing is returning.

302 Found
Connection: close
Date: Fri, 30 Sep 2016 11:06:54 GMT
Location: http://XFLICKINGFAKE.site/DAVIDBECKHAM.php
Server: Apache/2
Vary: User-Agent
Content-Length: 0
Content-Type: text/html
Client-Date: Fri, 30 Sep 2016 11:06:13 GMT
Client-Peer: 93.158.212.63:80
Client-Response-Num: 1
Set-Cookie: url=AFFILIATECODEWASHERE; expires=Fri, 30-Sep-2016 11:07:54 GMT; Max-Age=60
X-Powered-By: PHP/5.5.38

Nice. A 302 redirect to get the affiliate code set. Cookie monster! Cookie set!!!! Me like cookies!

Now here's the secret sauce. The response to DAVIDBECKHAM.php includes a fucking exploit. That's right, it blows up the browser heap and exploits a buffer overflow. My poor little browser running in the throwaway VM almost got exploited.

Then comes the interesting part. Below the exploit, there's an author tag.

<meta property="article:author" content="https://www.facebook.com/bbcnews" />

And a title tag that looks like this:

<meta name="description" content="1.688.367 Views" />

Finally, the url: <meta property="og:url" content="XFAKEWHATEVER.SITE/ACMESOON.php" />

That PHP leads to the exploit. It's obviously cloaked so FB doesn't see the exploit.

Conclusion

The post claims to be from a reputable source, BBC News, it thus appears on your timeline. That seems to do the trick. Also there's some heavy duty cloaking going on.

You click on it and, after setting a tracking cookie, the exploit runs on your computer and your own FB account starts to promote the link like the victim did. The number of views is fake and injected into the image via the og tags so people think it's reputable and click on it too. The domain is an 88-cent throwaway.

If you use this for noble purposes you can probably think of variations to do it legally, without the exploit and using some of the ideas uncovered during this exploration.

Disclaimer

Several members reported the post and Facebook banned it before I posted this.
Information provided for educational purposes only. If you use this you're a dick and you'll probably get banned and ride in the back seat of a black van in handcuffs.
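The three artefacts the post walks through (a thin WHOIS record with a fresh creation date, a first-hop 302 that sets a short-lived tracking cookie before hopping to another domain, and Open Graph tags that borrow a publisher's identity and a fake view count) can be triaged offline from a defender's side. The script below is an added example, not code from the original post or from anyone in the thread; the inputs are constructed from the headers, WHOIS lines and meta tags quoted above (with the post's own placeholder hostnames), and the flag names, the 30-day "young domain" threshold and the 300-second cookie threshold are assumptions chosen for illustration.

```python
"""Offline triage of a shared link from three artefacts: WHOIS record, first-hop
HTTP response, and the landing page's <meta> tags. Nothing is fetched; every
input below is constructed from the thread, and all thresholds are illustrative."""
import re
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inputs, copied from the post (placeholder hostnames kept as-is).
LANDING_URL = "http://XJXJXJXJXJXJX.SITE/"
WHOIS_TEXT = """Updated Date: 2016-09-26T15:47:08.0Z
Creation Date: 2016-09-21T15:43:16.0Z
Registry Expiry Date: 2017-09-21T23:59:59.0Z
Sponsoring Registrar: Namecheap"""
HEADERS_TEXT = """302 Found
Connection: close
Date: Fri, 30 Sep 2016 11:06:54 GMT
Location: http://XFLICKINGFAKE.site/DAVIDBECKHAM.php
Server: Apache/2
Vary: User-Agent
Content-Length: 0
Content-Type: text/html
Set-Cookie: url=AFFILIATECODEWASHERE; expires=Fri, 30-Sep-2016 11:07:54 GMT; Max-Age=60
X-Powered-By: PHP/5.5.38"""
OG_HTML = """<meta property="article:author" content="https://www.facebook.com/bbcnews" />
<meta name="description" content="1.688.367 Views" />
<meta property="og:url" content="XFAKEWHATEVER.SITE/ACMESOON.php" />"""
# Observation time taken from the whois timestamp quoted in the post.
OBSERVED_AT = datetime(2016, 9, 30, 11, 15, 56, tzinfo=timezone.utc)


def host_of(url):
    """Lower-cased host of a URL; tolerates the scheme-less og:url seen in the post."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower()


def whois_creation_date(text):
    """'Creation Date' of a thin WHOIS record as an aware UTC datetime, or None."""
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    if not m:
        return None
    stamp = m.group(1).rstrip("Z")  # e.g. 2016-09-21T15:43:16.0
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_response(text):
    """Split a raw response dump into (status_code, [(name, value), ...])."""
    lines = text.strip().splitlines()
    status = int(lines[0].split()[0])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_max_age(set_cookie):
    """Max-Age attribute of a Set-Cookie value as int, or None when absent."""
    for part in set_cookie.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return None


class MetaCollector(HTMLParser):
    """Collect <meta property|name=... content=...> pairs from a page fragment."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        if key and "content" in a:
            self.meta[key] = a["content"]


def parse_meta(html):
    p = MetaCollector()
    p.feed(html)
    return p.meta


def triage(landing_url, whois_text, headers_text, og_html, now, young_days=30):
    """Return the heuristic flags raised by the three artefacts (assumed names)."""
    flags = []
    landing = host_of(landing_url)
    created = whois_creation_date(whois_text)
    if created is not None and (now - created).days < young_days:
        flags.append("young-domain")
    status, headers = parse_response(headers_text)
    h = dict(headers)
    if status in (301, 302, 303, 307, 308) and "location" in h and host_of(h["location"]) != landing:
        flags.append("cross-domain-redirect")
        # A cookie that lives only seconds, set right before the hop, is tracking state.
        for name, value in headers:
            age = cookie_max_age(value) if name == "set-cookie" else None
            if age is not None and age <= 300:
                flags.append("short-lived-cookie-before-redirect")
    meta = parse_meta(og_html)
    og_host = host_of(meta.get("og:url", landing_url))
    if og_host != landing:
        flags.append("og-url-host-mismatch")
    author = meta.get("article:author", "")
    if author and host_of(author) not in (og_host, landing):
        flags.append("author-points-off-site")  # borrowed publisher identity
    if re.fullmatch(r"[\d.,]+\s*views?", meta.get("description", ""), re.I):
        flags.append("description-is-view-count")  # social proof injected via meta
    return flags


if __name__ == "__main__":
    print(triage(LANDING_URL, WHOIS_TEXT, HEADERS_TEXT, OG_HTML, OBSERVED_AT))
```

Each flag on its own is weak (plenty of legitimate sites redirect across hosts or set an `article:author` pointing at a Facebook page), which is why the function returns the whole list rather than a verdict: a young domain plus a cross-domain hop that drops a 60-second cookie plus off-site authorship and a view-count description is the pattern described above, and a link that raises all of them is worth sandboxing before anyone clicks.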
 
Thanks for taking the time to post. Very interesting read.
 
Thanks for the info, interesting stuff.
Will investigate this further, there are some things that can deff. be REALLY useful.
Quality material man!
 
Almost genius! Using 'almost' because it looks like the post has been deleted pretty fast. But I guess that it produced some ca$$$h until the ban hammer came.
 
Does that domain have any website?
For what are they doing this shit?
How was the guy making $ just from the domain?
 
If you use this you're a dick and you'll probably get banned and ride in the back seat of a black van in handcuffs
Which part of that process can get you arrested? Is it just the hacking and unauthorized sharing of the link on the user's profile?
 
I think this is already dead, because this thread is 1 yr. old and fb made updates.
 
Which part of that process can get you arrested? Is it just the hacking and unauthorized sharing of the link on the user's profile?

It is a standard disclaimer of liabilities. A post for educational purposes only.
 