Mohammad's weblog

Online Social Network Security

I use this weblog to share my thoughts about my research in progress in Online Social Network (OSN) malware. I try to model the behaviour of OSN malware to design a better countermeasure scheme. I published two book chapters on malware propagation in OSNs.


Get a free pair of uggs boot today!

Posted on by Mohammad

A new variant of the Facebook token-hijacker malware is now in the wild with some new functionality. The latest variant uses obfuscation to hide its code from anti-malware software.

In this attack the user receives a Facebook post inviting her to claim a special offer of free UGG boots. She is asked to log into an application (app ID 350685531728) through Facebook's OAuth flow and then paste the resulting access token into the scam page.

After a successful login the malware hijacks the user's token and posts on her behalf on her wall. This differs from a classic phishing attack: here the exploitation is automatic and takes place the moment the user shares her access token, so the infection starts from the victim's own session. In classic phishing the attacker harvests credentials for later use, and that later login is usually challenged by Facebook's identity and access management controls (IAMC). The malware also tries to create an event and invite all of the victim's friends to it. It is fully capable of hijacking the victim's account: a stolen token grants whatever access its scopes allow, without the attacker ever seeing the password.

The malware currently resides on the following host: http://fbunlimited.info/instagram/ Unlike the previous variant, this host does not serve the page over HTTPS.

The malware sends data to the following URLs (the values of the trailing parameters have been omitted):
http://hub.zabavno.co/?h=108883048315&o=10679714&t=1359836734&tkn=
http://fbunlimited.info/instagram/save.php?postback=y&country=
http://23.23.248.101/u/141689081/e357DuaM6d/chwm5rIocK9M/homepage.html?z=13598367341144

A semi-deobfuscated version of the JavaScript is available here. I am still working on this malware, but feel free to contact me if you need further information.

FREE $500 Victoria's Secret Gift Card Scam

Posted on by Mohammad

A new self-propagating malware is actively harvesting Facebook OAuth user access tokens to take over accounts and post on the victims' behalf.
Users are then redirected to the following web page:
https://marketsee.info/victoriasecret/

The malware deceives the victim by using the legitimate Pinterest OAuth client ID (274266067164), so the login dialog appears to be sponsored by Pinterest. Two JavaScript files are loaded that set up the infection mechanism. Once a PHP script on the same host (checktoken.php) has validated the harvested token, the malware can log in as the victim and post on her behalf.

Blocking the following addresses is recommended to prevent access to the malicious sites:

https://marketsee.info/
https://marketsee.info/victoriasecret/
http://yourgrantchance.net/
http://sensurvey.net/d/p/y4o6u26001?r=
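The indicators from both posts above (the UGG boots variant and the Victoria's Secret variant) share one detectable trait: a Facebook user access token travels in a query string to a host that is not Facebook. The following script is an added example, not code from this weblog or from the malware; it matches outbound proxy-log URLs against the hosts listed in the two posts and, more generally, flags any request that carries a token-like query parameter to a non-Facebook host. The log format (`timestamp client method url status`), the sample lines and the token values are constructed for the example, and the parameter names `access_token` and `token` are assumed variants alongside the `tkn` actually seen in the zabavno.co URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts named as indicators in the two posts above.
IOC_HOSTS = {
    "fbunlimited.info", "hub.zabavno.co", "23.23.248.101",
    "marketsee.info", "yourgrantchance.net", "sensurvey.net",
}

# Query-string keys under which a harvested token may be carried.
# "tkn" is from the zabavno.co URL; the other two are assumed common variants.
TOKEN_PARAMS = {"tkn", "access_token", "token"}


def is_facebook_host(host: str) -> bool:
    """Only Facebook's own domains should ever receive a user access token."""
    return host == "facebook.com" or host.endswith(".facebook.com")


def check_url(url: str) -> list:
    """Return the list of alert reasons for one outbound URL (empty if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    alerts = []
    if host in IOC_HOSTS:
        alerts.append(f"known scam host {host}")
    params = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in params if k.lower() in TOKEN_PARAMS)
    if leaked and not is_facebook_host(host):
        alerts.append(f"token parameter {','.join(leaked)} sent to {host}")
    return alerts


# Constructed log format: "timestamp client method url status".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_log(lines) -> list:
    """Return (client, url, alerts) for every log line that raises an alert."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        alerts = check_url(m["url"])
        if alerts:
            hits.append((m["client"], m["url"], alerts))
    return hits


# Constructed sample proxy log; the token values are placeholders.
SAMPLE_LOG = """\
1359836734.112 10.0.0.5 GET http://hub.zabavno.co/?h=108883048315&o=10679714&t=1359836734&tkn=AAAConstructedToken 200
1359836735.002 10.0.0.5 POST http://fbunlimited.info/instagram/save.php?postback=y&country=US 200
1359836736.310 10.0.0.7 GET https://graph.facebook.com/me?access_token=AAAConstructedToken 200
1359836737.521 10.0.0.9 GET https://marketsee.info/victoriasecret/checktoken.php?token=AAAConstructedToken 200
1359836738.000 10.0.0.3 GET https://www.example.com/index.html 200
1359836739.400 10.0.0.3 GET https://cdn.example.net/widget.js?access_token=AAAConstructedToken 200
""".splitlines()

if __name__ == "__main__":
    for client, url, alerts in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(alerts), sep="\t")
```

Running the script flags four of the six constructed lines: the two zabavno.co and marketsee.info requests raise both alerts, the fbunlimited.info request matches only by host, and the last line shows that the token-leak rule also catches a host that is on no blocklist. The request to graph.facebook.com is not flagged, since that is where a user token legitimately goes.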

The TLS certificate presented by the host is issued for whos.amung.us, a service that provides widgets for tracking the visitors of a website. The phishing page embeds this widget to count its live visitors; click on the following link to see how many other people are viewing the page at that moment:
http://whos.amung.us/widget/d9c23nf876sp

Feel free to contact us if you need further information. Best,