Facebook "Like Pages"

Published: 2010-09-16
Last Updated: 2010-09-16 16:55:24 UTC
by Johannes Ullrich (Version: 2)
10 comment(s)

I am seeing a trend on Facebook recently, and I am not sure what to make of it. As we all know just too well, Facebook has a "Like" feature. This feature, a little button associated with a post, allows you to show agreement with a post. Lately however, I am seeing more and more posts like the following:

I covered up the parts identifying the friend of mine who posted this. A few things make these posts look "suspect": The post itself links to a domain "x.co". This is not the only domain used for these posts and it isn't obvious if they are all related (but many are). Another domain associated with x.co is for example thelikepage.com.

Once you click on it, you are offered a large number of other "provocative quotes" and offered to "like" them. At this point, I am mostly asking "what is the point"? Is it just an attempt to direct Facebook users to ad-covered pages? Or is there something more sinister at play? I don't see any exploits like click-jacking or cross-site-request-forging used. These pages also do not phish your credentials like some other similar pages.If you got an opinion or any further inside, please let us know.

Update: Just a quick summary of some of the feedback we got so far. Too much to mention every single one (Thanks BTW!)

Nobody has seen anything malicious from these URLs yet, so it appears to be just "Spam", maybe search engine optimization techniques to get these pages linked and ranked higher. A couple readers noted that unlike a regular "like", it is not so easy to remove these notes from your profile. You need to go to your "wall" page and remove them. You can not remove them like normal "Likes" from your "Newsfeed".

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: Facebook Social Networking
10 comment(s)

A Packet a Day

Published: 2010-09-16
Last Updated: 2010-09-16 16:51:30 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Not traveling this week, I got a bit extra time and decided to put up a couple "packet challenges". If you are following me on twitter, you may have already seen them. If not... here they are:

First one (with solution): http://johannes.homepc.org/packet1.txt

The second one (posted yesterday): http://johannes.homepc.org/packet.txt (I think I only got one decent answer for it so far, so I will keep it up a bit longer...)

A third one will be posted later today. And BTW... got packets? We always like good and interesting packets.

update: just made the new challenge live. again at http://johannes.homepc.org/packet.txt

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: packets
2 comment(s)

OpenX Ad-Server Vulnerability

Published: 2010-09-16
Last Updated: 2010-09-16 16:50:46 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

A vulnerability in some "random ad server" software wouldn't be terrible big news, but in this case I decided to spent a couple minutes on it. OpenX is somewhat popular, and used by various sites to server ads. Not only that... the vulnerability is actively being exploited. And to make things worse: The OpenX.com site is down, so you can't download a patch or any details "direct from the source".

We have seen compromised ad servers being used in the past to inject malicious content into various "trusted" pages and I am a bit afraid that we will see some of this with these OpenX vulnerabilities.

For more details: http://blog.sucuri.net/2010/09/openx-users-time-to-upgrade.html

(thanks to David of Sucuri for the heads up)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ad server OpenX
0 comment(s)

Comments

cwqwqwq

www

Nov 17th 2022
4 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
4 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
4 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
4 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
3 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
3 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
3 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
3 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
2 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
2 months ago

Login here to join the discussion.


Diary Archives