Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What's not to Like about "Like?"

Published: 2010-09-04
Last Updated: 2010-09-04 18:46:39 UTC
by Kevin Liston (Version: 1)
6 comment(s)

"Get off of my lawn!"

I admidt that I have a suspicous, curmedgeonly streak. I view every new feature-update from Facebook like like it's a vulnerability announcement from Microsoft. I'm concerned not only with what the people behind Facebook may be planning with a feature, but moreso with how other groups might repurpose that feature. The recent expansion of the facebook API is one of those things that gives me concern.

 

What happens when you click "Like?"

When you click the "Like" there's an announcement of this activity on your wall, and it's added to your "Likes" section. People who have common likes can see each other, but only as much as they would share with anyone else who had their Facebook username. That doesn't sound so bad.

 

What are people "Like"ing?

Normally, a Facebook user could create a group or page to support a product, business or idea such as: Rock Music, Gibson Guitars, or Billy-Bear's Bean Shop. With the update of the Facebook Platform (http://blog.facebook.com/blog.php?post=383404517130) now third party websites can place a "Like" button on their website. Is this a problem? If I like Nike shoes, why not like nike.com itself?

What has been triggering my spiedy sense is over the past couple of weeks, my facebook event log has been filling up with people "like"ing third party pages that are simple messages like: "like if you want a long lasting relationship:)!" or other simple plattitudes. The first thing that attracted my notice was that they were often mean-spirited, hateful, or had some sort of -ism in it. These were surprising messages to read on a friend or family member's page, so I suspected some sort of hijack or other foul play. Unfortunately I haven't turned up anything to support that theory, my frienda and family, are just mean people I guess.

There are a handfull of sites that have been recently set up to take advantage of this new feature in the Facebook Platform. Some that I have seen used recently are:

  • golikeus.org, 19-JUN-2010, privately registered
  • likealike.co.uk, registered 23-AUG-2010, privately registered
  • phrasely.net, registered 26-AUG-2010, privately registered

Each supports a user-created message feature where Facbook users can set up their own message and try to get as many folks to join as possible.

Recently they've updated their posts so that when the "Like" message appears on the users' wall the source is obfuscated behind a heart or musical symbol. I saw one that was even hiding behind a bit.ly link.

So other than the domains being recently registered with no contact information and the simple obfuscation, what evidence do I have that there's evil afoot? None, other than it fires a lot of my rules of thumb I've acquired over the years.

 

One last example.

This week, one of my family member's had this message pop up on my wall:

"WOW, This GUY Went A Little To FarWITH His REVENGE On His EX GIRLFRIEND! (shocking)"

I was certain that they'd be compromised this time. I set up a system and followed the links, capturing pcaps, just waiting for the prompt to download the fake video codec or whatever boobytrap they had waiting for me. The domain, shocking-revenge.info, was barely a day old, and the links went off to pull down content from other free-hosting providers. It had all the hallmarks of a psychological exploit. So I kept clicking like a sucker waiting for the big reward.

It never came.

Just more advertisements, and whoever's behind it has a nice bit of demographics for marketing purposes and a channel to distribute more lures and ads.

 

The Impact

So the short story is that there's nothing overtly evil about "like" links. I also don't see shadows of some large privacy violation or exposure when you click the "like" button on Facebook-hosted pages or sites that you trust.

However I do see some risk to clicking on un-trusted third-party "likes"; not because I have any hard data from any cases, but because I've seen this movie before, and I will see it again.

I'm just disappointed that I have friends/family with *isms. I was really hoping it was malware.

Keywords: Facebook
6 comment(s)
Diary Archives