Fake Facebook Friend Requests with huge links lead to malware exploit kit
There is an ongoing spam campaign that I have been following since August 24, 2011, pretending to be Facebook Friend Requests. However, all of the links contained in these scams lead to compromised websites, where your browser is attacked by criminal exploit kits, like the "Blackhole" or the "Nuclear" exploit kits.
If you are a member of Facebook and receive Friend Requests from senders with odd sounding names, you need to do something proactive before clicking on any links in those emails. You need to hover your mouse pointer over all buttons, images and text links, without pressing any mouse buttons (do not click!). Then, with your pointer over these links, look down at the "Status Bar" on the browser, or message window, or preview pane in the email client you are using, and look carefully at the URL being displayed.
The links and buttons in the Facebook Friend Request scams look like any other Facebook request, with a few exceptions. The photo of the alleged requester is missing, showing an outline of a shadowy head. When you hover over the picture, or name, or the Confirm Request buttons, or the Unsubscribe link, all of the links will be obviously fake, leading to anything other than facebook.com. Furthermore, for the last couple of months, the links are unbelievably huge, occupying multiple lines of code. Herein lies the weakness in the scam.
Most of the scams spoofing Facebook Friend Requests also lack the line under the requester's name showing the person's statistics, e.g. 37 friends · 29 photos · 13 Wall posts. A real Friend Request contains these stats.
Making sense of what appears senseless
I am going to impart some WIZdom to you to bring you up to speed on the nature of the hostile links in the current (April 2012) fake email Facebook Friend Requests.
A real Facebook Friend Request always shows facebook.com in the first portion of the URL, just before the first single forward slash. Here is an altered example of an authentic "See All Requests" button link:
http://www.facebook.com/n/?reqs.php&mid=5c61e5akjdfhg7G5af367fd4722Gca22faG2&bcode=7p7rlcv0318MU&n_m=email-prefix%40email-suffix.com&type=1
Below, is an actual hostile link, extracted from a fake friend request, with the primary link codes replaced with asterisks (h**p) for your safety (this domain is still infected as of this posting):
h**p://torontoweddingphotographers.net/blog/index-include.htm?NA7=67W5O91L6NRW9KNO406DBNEB&G7F=98X0O929MQE303XCB8ETVA71&6F6=BXQ58NDOHTAAIMT&43O95=2VA7V50NDLL1UT0K&3547=JX6J2JL4EQ&
Compare just the URL sections which I have made bold:
Real: http://www.facebook.com/n/?reqs.php&
Fake: h**p://torontoweddingphotographers.net/blog/index-include.htm?
When you read the actual URL to which the links and buttons lead, it is obvious which one goes to facebook.com and which one goes somewhere completely different. The second giveaway is the file type that appears before any of the long character strings. The authentic Facebook link uses a file named reqs.php, a .php file type, which is a server-side script. The faked URL uses a .htm file type, which is a flat HTML file.
Next, compare the items that follow those two different files. In the actual Facebook link, the first character following the file extension (.php) is the & symbol. In the faked URL, it is a ? symbol. In URL-speak, the question mark signifies a "query string." I have traced a lot of these URLs in scam emails and can tell you for a certainty that all of the ones spoofing Facebook requests, using a .htm file followed by a question mark (...htm?...), are totally fake query strings. They do nothing on the destination server, because the .htm files on the compromised sites are just flat files, containing only HTML code and JavaScript exploit attacks. These flat .htm files, simply put, cannot parse a query string. The strings are octopus ink, meant to fool the unwary.
So, if you hover over a link in a Facebook Friend Request and see a huge readout that first of all does not have facebook.com/ and which has a file with a .htm extension, followed by a ? and a long string of characters, it is a hostile link. Do not click on these links!
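The hover-and-read checks described above, written as a small URL analyzer. This is an added example, not code from the original post; it uses the two links quoted above (the hostile one kept defanged as "h**p") and the "random-looking parameter names" heuristic is my own assumption, not a rule from the article.

```python
import re
from urllib.parse import urlparse

# Both links are copied from the article; the hostile one is left defanged ("h**p").
REAL_LINK = ("http://www.facebook.com/n/?reqs.php&mid=5c61e5akjdfhg7G5af367fd4722Gca22faG2"
             "&bcode=7p7rlcv0318MU&n_m=email-prefix%40email-suffix.com&type=1")
FAKE_LINK = ("h**p://torontoweddingphotographers.net/blog/index-include.htm?NA7=67W5O91L6NRW9KNO406DBNEB"
             "&G7F=98X0O929MQE303XCB8ETVA71&6F6=BXQ58NDOHTAAIMT&43O95=2VA7V50NDLL1UT0K&3547=JX6J2JL4EQ&")

LEGIT_DOMAINS = ("facebook.com",)        # assumption: a genuine request only ever points here
STATIC_EXTENSIONS = (".htm", ".html")    # flat files that ignore a query string server-side


def refang(url):
    """Restore a defanged 'h**p://' or 'hxxp://' prefix so urlparse can read it (analysis only)."""
    return re.sub(r"^h(?:\*\*|xx)p(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_is_legit(host):
    """True only when the parsed host IS facebook.com or a subdomain of it.
    Comparing the parsed host, not searching the whole URL for the word, is what
    defeats look-alikes such as facebook.com.<other-domain> or user@host tricks."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def query_keys_look_random(query):
    """Assumed heuristic: real parameter names are words (mid, bcode, type);
    the padding in the fakes (NA7, G7F, 43O95) mixes digits into most keys."""
    keys = [part.split("=", 1)[0] for part in query.split("&") if part]
    digit_keys = [k for k in keys if any(c.isdigit() for c in k)]
    return bool(keys) and len(digit_keys) * 2 > len(keys)


def analyze(url):
    """Apply the article's checks to one URL and list every reason it trips."""
    p = urlparse(refang(url))
    host = p.hostname or ""
    reasons = []
    if not host_is_legit(host):
        reasons.append("host is not facebook.com")
    if p.path.lower().endswith(STATIC_EXTENSIONS) and p.query:
        reasons.append("flat .htm file followed by a ? query string")
    if query_keys_look_random(p.query):
        reasons.append("query string looks like random padding")
    # The host test alone decides; the other reasons are the extra giveaways.
    return {"host": host, "hostile": "host is not facebook.com" in reasons, "reasons": reasons}


if __name__ == "__main__":
    for link in (REAL_LINK, FAKE_LINK):
        print(analyze(link))
```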
In the case of the message I analyzed tonight, at the destination domain, there were a series of 5 different JavaScript exploit scripts, each targeting different commonly installed and equally commonly outdated browser plug-ins, beginning with Java. Chances are fairly high that if the washin' don't get ya, the rinsin' will! Java has been the number one exploited browser plug-in for several years running. If you have Java installed on your computer, make sure you have set it up to automatically check for and download updates.
If you don't even know you have Java installed, find out by going to http://www.java.com and use the link labeled: "Do I have Java?" It will scan your PC and tell you if Java is installed and if so, which version is currently active on your computer. If Java is installed and it is not the latest version, it is definitely vulnerable to exploitation by these scripted attack kits. Either download the current patched version, or uninstall any versions of Java you find on your computer.
If you have clicked on such a link, you probably saw a line of text in your browser's title bar stating words like: "Please wait till page loads" - which masks the attacks being carried out against your browser and its plug-ins. You need to update your anti-malware protection and scan for threats you may have acquired. That may not be enough though, as some of the bad guys install a bootkit or rootkit that is insidious and difficult to remove. You might need professional help to remove some of these infections. Many install the Zeus or SpyEye banking Trojans, along with botnet executables that use your computer as a spam and attack zombie.
Trend Micro, Kaspersky, Symantec and other security websites provide free online malware scanners. If a Trojan has disabled your anti-virus program, those scans may be all you have before you need to reinstall the operating system, or restore it to a previous state (system restore, or a saved backup image). It's better to have excellent, commercial security installed, up-to-date and protecting you in real time, than to risk getting infected due to free security software not being updated as often as the malware is updated and repacked.
I use and recommend Trend Micro Internet security, along with Malwarebytes Anti-Malware.
Stay safe online. Avoid clicking on links before you hover and read the URL in a status bar. Spoofed URLs are everywhere and most lead to malware exploit kits. If you have unpatched software installed that can be accessed through your browser, your computer will almost certainly become infected. Your only hope is to operate with limited user privileges, rather than as a Power User, Standard user, or administrator.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.