Obscuring malicious Facebook links using the Open Graph Protocol

Most users click on links popping up in their Facebook News Feed without thinking twice about it, but it’s good to keep in mind that they can lead to malicious sites.

Here’s an example of one flagged by the SANS ISC (Internet Storm Center):

[Image: the Facebook link flagged by the SANS ISC]

Perhaps it doesn’t look very interesting, but it definitely does not look outright malicious. Nevertheless, some of the users who followed it landed on a Facebook phishing page – an unambiguous threat.

How did the phishers achieve the semblance of a harmless link?

They equipped the landing web page with “Open Graph” tags that would create the illusion of a link to a YouTube page:

[Image: the Open Graph meta tags on the landing page]

“The meta ‘og:’ tags will tell Facebook to display a YouTube logo (‘og:image’), and the text ‘355,857 View’ (‘og:description’), making this look like a legitimate link to YouTube,” researcher and ISC handler Johannes Ullrich explains.

In this particular example, users who click on the link are first redirected to a smartURL link, which detects the user’s location and device type, and then on to either the phishing page or a random Wikipedia page (as happened to Ullrich).

My own tests seem to indicate that the phishers are targeting mobile users, as I got a Wikipedia page each time I visited the smartURL link with my computer browser, but got the phishing page when I used Safari on iOS (by the by, the phishing page is still active):

[Image: the phishing page as rendered in Safari on iOS]

Also, it’s good to add that major social platforms – such as LinkedIn, Twitter, and Google+ – recognize Open Graph tags, so this same trick can be pulled to phish users of those platforms, as well.
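The og: tags described above are plain HTML metadata that any crawler can read, so the mismatch they rely on is also checkable. The script below is an added illustration, not code from the article or from SANS ISC: it parses a constructed sample page modelled on the trick (placeholder hostnames and image path, not real indicators) and reports Open Graph URLs that point at a different site than the one serving the page.

```python
"""Flag Open Graph previews whose URLs point at a site other than the page serving them."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page lives on a look-alike host, but its og: tags borrow
# youtube.com assets so the social-network card looks like a video link.
SAMPLE_PAGE_URL = "https://example-phish.invalid/watch"
SAMPLE_HTML = """
<html><head>
<meta property="og:type" content="video.other">
<meta property="og:title" content="Video">
<meta property="og:image" content="https://www.youtube.com/img/logo.png">
<meta property="og:description" content="355,857 View">
<meta property="og:url" content="https://www.youtube.com/watch?v=placeholder">
</head><body></body></html>
"""

class OpenGraphParser(HTMLParser):
    """Collect every <meta property="og:..."> (or name="og:...") tag into a dict."""
    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.tags[prop] = a["content"]

def parse_og(html):
    p = OpenGraphParser()
    p.feed(html)
    return p.tags

def registrable(host):
    # Crude last-two-label comparison; enough to tell youtube.com from a look-alike host.
    return ".".join(host.lower().split(".")[-2:])

def og_mismatches(page_url, og):
    """Return {og property: host} for URL-valued tags whose site differs from the page's.

    og:url is the strong signal (a real YouTube page points it at youtube.com itself);
    og:image/og:video hosts are reported too, since CDNs are common they need triage.
    """
    page_site = registrable(urlparse(page_url).hostname or "")
    findings = {}
    for prop in ("og:url", "og:image", "og:video"):
        host = urlparse(og.get(prop, "")).hostname or ""
        if host and registrable(host) != page_site:
            findings[prop] = host
    return findings
```

Run against a fetched page by passing its final URL (after any smartURL redirects) and body to `og_mismatches(url, parse_og(body))`.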

from Help Net Security – News http://bit.ly/2wm7nqR
via IFTTT
