|
Whenever a link is posted to Facebook or other social media sites, the site will likely scan the destination page for "Open Graph" tags [1]. These tags may provide a link to an image to be displayed, or alternate URLs to be displayed and other meta tags. (URLs obfuscated to protect the click-happy) For example, the following short link hxxps://goo. gl/ 8k64yS posted to Facebook recently links to hxxp: //storage. googleapis. com/1501853956/1501853956.html, which in turn returns the following content:
the meta "og:" tags will tell Facebook to display a YouTube logo ("og:image"), and the text "355,857 View" ("og:description"), making this look like a legitimate link to YouTube. Instead, the user is redirected to a second URL shortener in this case. "smarturl.it" looks like a very interesting URL shortener. It allows the attacker to effortlessly redirect users to different sites based on country of origin and browser used. Sadly, all I got in the iframe was what appeared to be random Wikipedia pages, nothing that I could identify as malicious. One Facebook friend was directed to a Facebook phishing page after clicking on the link. Here is what it looked like when I posted it to a Facebook test account:
[1] http://ogp.me --- |
Johannes 4504 Posts ISC Handler Aug 4th 2017 |
| Thread locked Subscribe |
Aug 4th 2017 4 years ago |
|
Very interesting thing. I'm curious to know if DCI products like Checkpoint fall on this trick or detect it.
Between, i think its a new way to trick users in the trap. Thanks ! SwitHak |
Anonymous |
| Quote |
Aug 4th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
