by David Michmerhuizen – Security Researcher
If you're a regular Facebook user, you're used to questionable links in your friend feed. Links to apps you don't want to run. Links to quizzes you don't want to take. Links to cause pages you don't care about. Links to videos you probably shouldn't look at. They spread by tricking you to press ‘like' or ‘add' before they show you what they offer.
All typical stuff, except that Barracuda Labs has seen something unusual in the first week of March – a huge “likejacking” campaign that has fooled many otherwise careful Facebook users and illustrated just how a truly serious malware attack could leverage the Open Graph API to spread virally through Facebook.
While likejacking is not new, this campaign is particularly well done. It succeeds because clicking on video links on your friend feed is a very natural thing to do. More than a few of our otherwise tech-savvy friends (who should know better) were taken in by this scam. It starts with a link in your friend feed from someone you trust…
The post appears to be a link to a video, nothing unusual. Clicking on it takes you off from Facebook onto a domain that presents a page very similar to a YouTube video, except with a logo that reads “FouTube”…
It bears repeating – a ‘like' button is implemented in code. The only thing that makes one look like the usual Facebook ‘like' button is Facebook's Terms of Service, which state that a ‘like' button must use an approved style.
The code you see here has two functions.
First, as shown below, is to ‘like' the page so that a link to it appears on your wall and in the friend feed of all of your friends. This spreads the campaign virally and with if the subject videos are appealing enough the links to the scam page can spread to many thousands of users in a very short time.
Indeed, clicking on the video posts a link to the scam page on Renee's wall
The second function of the code is the true aim of the campaign, which is to direct visitors to a series of ‘surveys' which indiscriminately pitch products, harvest personal information and attempt to subscribe the unwary to premium-rate SMS services. This is where the scammers make their money.
If you wait for 60 seconds the underlying page continues on to display a relevant YouTube video.
A partial list of domains involved (careful, some may still be active) shows the effort that went into the social engineering aspects of the campaign.
This sort of likejacking has been going on for quite a while, and the campaigns are almost always used to deliver users to ‘survey' sites. In the case of the fake video page described above the survey poses as a hurdle to pass to be allowed to see the video. The survey itself is generally harmless provided that you don't answer it, and the Facebook ‘like' is embarrassing but easy enough to fix. Facebook removes these posts after the fact, usually within hours.
The example above shows that Open Graph gives survey distributors easy access to Facebook, turning a low-level scam spread via email and forum spam into a huge viral success for the scammers.
What is especially troubling about this is what could have happened. Rather than deliver a scammy survey, malware distributors could easily attempt a series of silent exploits against the browser and its plug-ins, followed by a quick redirect to a real video. That sort of attack could spread real malware such as the Zeus or SpyEye password-stealing trojans to thousands of Facebook users in a very short period of time compared to other methods. Even worse, many of those backdoors and password stealers would be installed inside of business networks who allow their employees to use Facebook in their ‘free time'.
Barracuda Networks recommends you take particular care when using facebook. If friends post links, make sure you trust the destination domain before following the link. Barracuda Web Filters also allow the selective blocking of Facebook within the organization.