Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Use of the Open Graph Protocol to Disguise Malicious Facebook Links - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Use of the Open Graph Protocol to Disguise Malicious Facebook Links

Whenever a link is posted to Facebook or other social media sites, the site will likely scan the destination page for "Open Graph" tags [1]. These tags may provide a link to an image to be displayed, or alternate URLs to be displayed and other meta tags.

(URLs obfuscated to protect the click-happy)

For example, the following short link hxxps://goo. gl/ 8k64yS posted to Facebook recently links to hxxp: //storage. googleapis. com/1501853956/1501853956.html, which in turn returns the following content:

<meta name="viewport" content="width=device-width, initial-scale=1">
<meta property="og:url" content="http://YOUTU.BE/" />
<meta property="og:type" content="article" />
<meta property="og:title" content="Video" />
<meta property="og:description" content="355,857 View" />
<meta property="og:image" content="https://www.youtube.com/yts/img/yt_1200-vfl4C3T0K.png" />
<style> body { margin: 0 !important; }</style>

<iframe src="hxxp:// smarturl. it/uvita" onload="this.width=screen.width;this.height=screen.height;">

the meta "og:" tags will tell Facebook to display a YouTube logo  ("og:image"), and the text "355,857 View" ("og:description"), making this look like a legitimate link to YouTube. Instead, the user is redirected to a second URL shortener in this case. "smarturl.it" looks like a very interesting URL shortener. It allows the attacker to effortlessly redirect users to different sites based on country of origin and browser used. Sadly, all I got in the iframe was what appeared to be random Wikipedia pages, nothing that I could identify as malicious. One Facebook friend was directed to a Facebook phishing page after clicking on the link.

Here is what it looked like when I posted it to a Facebook test account:

[1] http://ogp.me

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|

Johannes

3004 Posts
ISC Handler
Very interesting thing. I'm curious to know if DCI products like Checkpoint fall on this trick or detect it.
Between, i think its a new way to trick users in the trap.

Thanks !

SwitHak
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!