Monday, September 26, 2011

Protect yourself against Facebook spam: Zscaler Tool for "LikeJacking" Protection

Facebook widgets, including the "Like" button, are often used to spread spam and propagate scams. Typically, the scammer creates a page with a fake video player. Users are tricked into clicking on a Facebook Like button hidden behind a fake Play button. This is called Likejacking, and it is a specific form of clickjacking. In June I posted a YouTube video that explains how these Facebook widgets are disguised.

I previously posted a bookmarklet - a piece of JavaScript that can be executed on any page to display the hidden Facebook widgets it contains. I wanted to go a step further and offer good protection against Likejacking, or any type of clickjacking with Facebook widgets (Facebook Comments, Facebook Login, etc.).

You can install the free Zscaler Likejacking Prevention tool for Firefox, Google Chrome and Safari. The extension offers two primary features:
  • Information about the page: does it contain Facebook widgets? Are these widgets hidden?
  • Protection against hidden widgets: the extension requires explicit confirmation from the user before a click on a Facebook widget on a suspicious page goes through


Page information

On Firefox and Chrome, an icon is displayed in the URL bar when a page contains at least one Facebook widget. If the page is suspicious, meaning hidden widgets were detected, the icon has a red background. You can use http://www.zscaler.com/research/plugins/likejacking/example.htm as an example of a suspicious page.

Suspicious page found in Firefox
If the page is safe, meaning the widgets are not hidden, the icon background is green. This allows users to have a quick understanding of the safety of the page.

Safe page found in Chrome
Safari has the same functionality, but uses a toolbar instead of an icon.

Suspicious page found in Safari

You can obtain more information on the page -- either by clicking on the icon, or "More options" in Safari -- including:
  • how many widgets were found on the page
  • whether the page is suspicious or not
  • what protection was applied on the Facebook widgets

Information, and actions, for a page with Facebook widgets (Chrome)
The popup (Chrome) or toolbar (Safari and Firefox) also lets users take action on the page: they can whitelist the current domain (see below), manage their preferences, or display the hidden Facebook widgets on the page.

You can also report to Zscaler any page that was classified improperly by clicking on "Report an error". This opens a new tab in your browser and sends you to a form on the zscaler.com website. We will use this information to improve the add-on.

Display hidden widgets

As you can see in the YouTube video, it is possible to expose the hidden widgets. The extension can modify the styles that hide them (opacity, height, width, z-index, overflow, etc.). You can try this feature on http://www.zscaler.com/research/plugins/likejacking/example.htm.

Hidden Like buttons exposed in Firefox
Explicit confirmation

You can choose your level of protection in the preferences:
  • Delete all Facebook widgets - Choose this option if you never use "Like" buttons on external sites. You can always whitelist a domain to keep the widgets on a particular site.
  • Always ask for explicit confirmation - A popup will warn you that you clicked on an element that is trying to post to your public profile. You can decide to stop the action, or to let the page post to your profile. This is a good option if you rarely click on "Like" buttons.
  • Ask for explicit confirmation only on suspicious pages with hidden widgets - This is a good balance between security and productivity. It is the recommended setting.
Explicit confirmation in Safari
You can also whitelist domains so that no protections are applied on a given site. The popup, or toolbar, can show you what action was taken on a page -- for example confirm, remove, or ignore (no protection applied).

Extension preferences in Chrome
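
As an added example (this is not the Zscaler extension's source, which is not reproduced on this page), the following JavaScript shows the kind of heuristics that separate a hidden-but-clickable widget from one that is merely not displayed, and how the three protection levels and the whitelist above turn a page scan into the confirm, remove or ignore action shown in the popup. The widget host, the opacity threshold, the element model and the sample page are all assumptions; in a real content script the element descriptors would be built from the page's iframes with getComputedStyle and getBoundingClientRect.

```javascript
// Added example, not the Zscaler extension's own code. Works on plain objects so it
// runs outside a browser; in a content script each entry would be built from an
// <iframe>: `src` from el.src, `style` from getComputedStyle(el), `ancestors` from
// the computed styles up el.parentElement, `rect` from el.getBoundingClientRect(),
// and `decoys` from the page's own <img>/<a>/<button> elements.

const WIDGET_HOST = "facebook.com";   // assumed: Like, Like Box, Comments and Login load from here
const OPACITY_THRESHOLD = 0.1;        // assumed: below this the user cannot see the button

function isFacebookWidget(el) {
  let host;
  try { host = new URL(el.src).hostname; } catch (e) { return false; }
  return host === WIDGET_HOST || host.endsWith("." + WIDGET_HOST);
}

function intersects(a, b) {
  return a.left < b.left + b.width && b.left < a.left + a.width &&
         a.top < b.top + b.height && b.top < a.top + a.height;
}

// Why a widget is invisible to the user while still receiving clicks.
// display:none, visibility:hidden (on the element or an ancestor) and zero-size frames
// also hide a widget, but the browser does not hit-test them, so they cannot be
// likejacked. That is how Facebook's helper frames, hidden by design, stay out of the report.
function hiddenReasons(el, decoys) {
  const chain = [el.style].concat(el.ancestors || []);
  if (chain.some(s => s.display === "none" || s.visibility === "hidden")) return [];
  if (el.rect.width === 0 || el.rect.height === 0) return [];

  const reasons = [];
  // Opacity multiplies down the tree: a transparent wrapper hides a fully opaque iframe.
  const opacity = chain.reduce((acc, s) => acc * parseFloat(s.opacity == null ? "1" : s.opacity), 1);
  if (opacity < OPACITY_THRESHOLD) reasons.push("effective opacity " + opacity);
  // The classic layout: a (partly) transparent widget stacked over a page element such
  // as a fake Play button, so the user sees one thing and clicks another.
  if (opacity < 1) {
    for (const d of decoys) {
      if (intersects(el.rect, d.rect)) reasons.push("overlaps <" + d.tag + "#" + d.id + ">");
    }
  }
  return reasons;
}

function scanPage(page) {
  const report = page.elements.filter(isFacebookWidget).map(el => ({
    src: el.src,
    hidden: hiddenReasons(el, page.decoys || [])
  }));
  return { widgets: report.length, suspicious: report.some(w => w.hidden.length > 0), report };
}

const MODE = {
  REMOVE: "remove",                         // "Delete all Facebook widgets"
  CONFIRM_ALWAYS: "confirm-always",         // "Always ask for explicit confirmation"
  CONFIRM_SUSPICIOUS: "confirm-suspicious"  // recommended: ask only when hidden widgets were found
};

function isWhitelisted(host, whitelist) {
  return whitelist.some(d => host === d || host.endsWith("." + d));
}

// The action the popup or toolbar would report: "none", "ignore", "confirm" or "remove".
function decideAction(scan, prefs, pageHost) {
  if (scan.widgets === 0) return "none";
  if (isWhitelisted(pageHost, prefs.whitelist)) return "ignore";
  switch (prefs.mode) {
    case MODE.REMOVE: return "remove";
    case MODE.CONFIRM_ALWAYS: return "confirm";
    case MODE.CONFIRM_SUSPICIOUS: return scan.suspicious ? "confirm" : "ignore";
    default: throw new Error("unknown protection mode: " + prefs.mode);
  }
}

// Constructed sample: a fake video player whose Play image sits under a Like button wrapped
// in an opacity:0 div, plus a visible Like Box, a hidden-by-design helper frame and an
// unrelated iframe. Hosts and paths are made up for the example.
const SAMPLE_PAGE = {
  host: "free-video.example",
  decoys: [{ tag: "img", id: "fake-play", rect: { left: 400, top: 220, width: 120, height: 40 } }],
  elements: [
    { src: "http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Ffree-video.example%2F",
      style: { opacity: "1", display: "block", visibility: "visible" },
      ancestors: [{ opacity: "0", display: "block", visibility: "visible" }],
      rect: { left: 410, top: 230, width: 90, height: 20 } },
    { src: "http://www.facebook.com/plugins/likebox.php?id=12345",
      style: { opacity: "1", display: "block", visibility: "visible" },
      ancestors: [],
      rect: { left: 20, top: 600, width: 292, height: 258 } },
    { src: "http://static.ak.facebook.com/connect/xd_arbiter.php",
      style: { opacity: "1", display: "none", visibility: "visible" },
      ancestors: [],
      rect: { left: 0, top: 0, width: 0, height: 0 } },
    { src: "http://video.example/embed/1",
      style: { opacity: "1", display: "block", visibility: "visible" },
      ancestors: [],
      rect: { left: 380, top: 200, width: 480, height: 320 } }
  ]
};

const scan = scanPage(SAMPLE_PAGE);
console.log(JSON.stringify(scan, null, 2));
console.log("action:", decideAction(scan, { mode: MODE.CONFIRM_SUSPICIOUS, whitelist: [] }, SAMPLE_PAGE.host));
```

Run with node: the sample reports three Facebook widgets, one of them suspicious (the Like button under the transparent wrapper, which is also stacked over the fake Play image), and the action confirm. Note that display:none and visibility:hidden frames are deliberately kept out of the suspicious set: the browser never delivers clicks to them, so they cannot be used for Likejacking, which is why widgets that Facebook hides by design do not trigger a warning.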

Some notes

The extension does not affect the ability to use the main Facebook site; it protects users only on other sites that use widgets from Facebook.

Some Facebook widgets are hidden by design. This is normal, and the extension will not list them as suspicious and will not apply any protection to them.

I will post another blog on the process of creating the plugin for different browsers to explain the challenges I faced on each platform.

-- Julien

Wednesday, September 21, 2011

Fake software store imitates Groupon

Fake software stores often claim to offer huge discounts, not unlike the well-known deals site Groupon. So it should not be a surprise that some of these fake stores look exactly like Groupon, in an effort to appear familiar to users and increase the likelihood of being trusted. One of these fake stores is axisoftware.com.

Here are screenshots of Groupon and identical looking pages on axisoftware.com.

Groupon: select a city
axisoftware.com: home page (top)


Groupon: daily deal
axisoftware.com: home page (center)

The fake site does not work very well. Clicking on the Buy button on the home page didn't actually do anything. I had to first click on the "deal" and then the "buy" button before reaching the shopping cart.

axisoftware.com:checkout


After entering my e-mail address, I was redirected to a payment website at lpstore.ws. Payment by VISA card then redirects to feriensoft.com. Mastercard is handled by screensavera.com.

Fake payment site

Lately, there has been a lot more activity around fake stores than around Fake AV, which used to be the most dominant threat in the Blackhat SEO world. There are currently thousands of spam websites appearing in search engine results that redirect to this particular fake Groupon store.

-- Julien

Thursday, September 15, 2011

Thousands/Millions of .tk sites created for fake online stores

While I was monitoring hijacked sites leading to fake online stores, I noticed a significant increase in .tk sites redirecting to searchdiscovered.com via domain.dot.tk. There are a number of interesting things going on with these .tk sites. First, the spammers have decided to create their own sites rather than hijacking existing sites with good reputation rankings. Doing a Google search, I found thousands of these sites: fidymarch.tk, isaftaho.tk, jedkyosculit.tk, flicreuci.tk, meicatec.tk, etc. There may be up to 6 million sites like this. Most of the domains are registered by two entities: DOT TK and Malo Ni Advertising Limited (Isle of Man).

WHOIS information for isaftaho.tk

http://dot.tk/ offers free .tk domains and redirections, like co.cc, so it is not surprising to see this service being abused.

Free .tk domain names

These .tk sites contain only spam, unlike hijacked sites, which contain both legitimate content and spam. They all look pretty much the same. The previous spam pages I saw used only text, with no images. These sites look more like online stores, with images and links to the actual fake stores.

Spam page from cetescawin.tk

The fake online stores linked from these spam sites are the same as the fake stores that I saw earlier: same template, same translations into 5 languages, same discounts, etc: cheapoem.com.ua, discountsoftware.com.ua, etc.

Fake store discountsoftware.com.ua
Down .... but still there

About half of the .tk domains I've tried seem to be down. They redirect to domain.dot.tk, then to searchdiscovered.com which seems to be a parking domain.

Domain parked on searchdiscovered.com
It is very likely that the .tk domains were suspended by the registrar Dot.tk, and now redirect to a parking domain where the registrar can make some money from its free service through advertising.

These domains are not harming users anymore, since they redirect to a harmless advertising page instead of a fake store. But it is disappointing that they are still in Google's index, and show up for queries related to buying software online. For example, Google displays more than 600 spam pages for the domain cetescawin.tk.

The second takeaway is that these dead domains illustrate why it is more effective for the spammers to hijack existing sites rather than create their own. With their own spam sites, it is very easy for both the registrar and Google to take down the entire domain, but it is not likely that Google or any other search engine, or for example the registrar Educause, is going to take down harvard.edu because some of its sub-domains contain spam.

Protect yourself

Users can be warned when they visit a fake online store by installing the free Zscaler Safe Shopping add-on for Firefox, Safari, Chrome, Opera and Firefox Mobile.

-- Julien

Tuesday, September 13, 2011

Facebook free t-shirt scams take advantage of email upload

Attackers on Facebook are continually taking advantage of new ways to get their content onto a user's wall post, in order to further propagate their scams. Recently, we came across yet another interesting scam, this one offering a free official t-shirt as a gift on the occasion of Facebook's 7th birthday celebration. At first, this scam looked like any other, but after further analysis I realized that this scam takes advantage of mobile email uploads. Facebook provides users with a unique email address as a convenient means of uploading content from mobile devices. Here is what the scam message looks like:

If you click on the link, you will be taken to a page offering the fake free t-shirts, as can be seen in the following screenshot:

The page provides a button to click for redeeming the t-shirt and also displays a counter showing how many additional shirts remain in stock. If you click the 'Click Here' button, you will be taken to the following page:

Take a look at the instructions mentioned on the page. They instruct the victim to copy an email address which can be found at “www.facebook.com/mobile” and paste it into a field on the scam page, in order to verify that the user belongs to Facebook.

Mobile Upload:

When logged into Facebook, the email address displayed at www.facebook.com/mobile is a unique email address that a user can leverage to post status updates or send photos and videos straight to their profile. If someone has access to this email address, they can directly upload content to a user’s profile, without their knowledge. The Facebook mobile page displaying directions for using the unique email address can be seen below:

This is yet another trick used by scammers to gain access to your profile. Once a victim copies/pastes that email address, they will be taken to the page where the scam site will then ask them to complete surveys such as the one shown below:

The surveys represent the monetary component of the scam as the attackers are rewarded with a few cents every time a survey is completed. This is a common technique used in Facebook scams. The interesting component of this attack remains the social engineering used to obtain a victim’s personal email address, for uploading content from a mobile device. Once an attacker has that address, they have full write access to a victim’s profile and can use it to further propagate scams for monetary gain.

The cat and mouse game between Facebook and scammers continues. This time around, cleanup isn’t as simple as deleting a post from the victim’s profile. In this case, Facebook will have to force victims to change or reset affected email addresses to prevent further posts from the scammers.

Never share your personalized unique email address with anyone.

Umesh

Friday, September 9, 2011

Firesheep and BlackSheep on Firefox 4.0+

Firesheep

You may have noticed that the downloadable binary of the Firesheep add-on works only with version 3.6 of Firefox. The main branch is still incompatible with Firefox 6, but the latest Firesheep branch (firefox5) remains very active, and contributors are working toward making Firesheep compatible with newer versions of Firefox. I was able to compile this branch on Linux, but not on Windows 7. Unfortunately, there were actually several changes in Firefox 4 that are incompatible with the original architecture and implementation of Firesheep.

New Add-on Manager

Firesheep calls the executable component firesheep-backend.exe (or firesheep-backend depending on the platform) which is packed with the add-on. To find the path of the executable, Firesheep needs to get information about the add-on through the add-on manager.

Firefox 4 introduced a new way to interact with the add-on manager and deprecated the previous one. The change is deeper than just calling a different function. Getting the path of the add-on now requires an asynchronous call instead of a synchronous function call. This can be a big change for most plugin architectures. Fortunately, Firesheep is very well structured and uses an event-driven architecture. This means that it can easily deal with asynchronous calls.

The Firesheep branch firefox4 fixes this issue (mostly in modules/Firesheep.js) in a way that is backward compatible with Firefox 3.6.

C++ XPCOM

While running firesheep-backend.exe, Firesheep needs to capture the output of the program. Natively, Firefox allows add-ons to run executables, but not to capture the output. Firesheep worked around this limitation by creating a custom XPCOM element in C++ that allows it to run executables and capture their output. In brief, XPCOM elements are cross-platform components that can be written in C++ and other languages. These components can interact with the platform (Windows, Linux, Mac OS X) and can be called through JavaScript inside the add-on.

There are several radical changes in Firefox 4.0 regarding XPCOM. First of all, you can see in the Firesheep compilation instructions, that the add-on must be compiled against Gecko 1.9.2. But Firefox 4 uses Gecko 2. This is a major version change which is not compatible with Gecko 1.9.2.

Among the changes required with Gecko 2 regarding custom XPCOM elements, the following are a problem for Firesheep:
  • XPCOM elements must expose a new interface, so older XPCOM elements for Gecko 1.9.2 no longer work
  • XPCOM elements must be recompiled for every new major release of Firefox. This is a maintenance headache with the new Firefox release scheme, where major versions are released every few months
This led Firesheep to change its back-end considerably. You can see these changes in the firefox5 branch. Firesheep dropped the custom XPCOM. It now uses the native Firefox objects to run the executable. The back-end writes its output directly to a temporary file and Firesheep tails the output.

As a result, the implementation of Firesheep is a bit more complex, but getting it to run on different platforms is easier. The new version of Firesheep is compatible with 64-bit OS X, which was not previously the case. It should also make it easier for Firesheep to work with newer versions of Firefox, because there is no longer a dependency on a custom XPCOM component.

No binary release yet

Unfortunately, there is no binary release (the final XPI add-on) of the firefox5 branch available for users to download and install on Firefox. While I was able to compile it on Linux (32-bit and 64-bit) easily, I could not compile it on Windows (missing pcap-config, could not find my BOOST libraries, etc.). I've spent several days trying to compile the different branches on Windows without any success.

BlackSheep

Because BlackSheep is largely based on the Firesheep source code, it suffers the exact same problem. I did not test BlackSheep thoroughly enough after Firefox 4 was released, so I did not realize BlackSheep no longer worked. I apologize to the users of BlackSheep.

I want to make BlackSheep available for Firefox 4 to 6. This should be possible by using the firefox5 branch of Firesheep, but I need to successfully compile this branch on Windows 7 first, which I have not been able to do despite my best efforts. I would be very grateful if a reader has a working Firesheep firefox5 version for Windows and could send it to me. I'll then be able to update BlackSheep and release it to the public.

-- Julien