Two distinct attacks using Facebook applications

Aug 17, 2009 12:48 GMT  ·  By

Facebook was the target of two unrelated phishing attacks that abused its applications platform. Two security researchers discovered and investigated the attacks and reported them to the social network's administrators, who took the necessary protective measures.

The first was reported by Christopher Boyd and involved an application called Customer Dispute. The application link pointed to a real apps.facebook.com address (apps.facebook.com/customer_dispute/), but instead of the standard application install screen it displayed a “404 – Page not found” error. Because a Facebook application's canvas page is filled with content fetched from the developer's own server, the page carried a legitimate Facebook URL while its content came from elsewhere. The detail that caught Mr. Boyd's attention was that the error page was NOT FROM FACEBOOK, but from a hosting company called Ripway.

Mr. Boyd had this to say about Ripway: “The entire content is taken up by a 'Page not found' message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).”

Investigating further, a simple Google search for the application's name led to a hacking forum where a member had noticed the page even before Mr. Boyd and had posted a thread about it. Surprisingly, the first reply came from the owner of the phishing page, who admitted as much, saying: “That's my page. I've taken it down.”

After Facebook was notified, a later check found that the Ripway account had been terminated and the forum thread had disappeared, while the Facebook application page now redirected to a genuine Facebook “Page not Found” screen.

More details can be found on Christopher Boyd's blog.

The second attack, reported by Rik Ferguson on his blog, involved another Facebook application. The app sent out a flood of notifications telling users that someone had commented on one of their posts and that they needed to check it out.

The first thing that alerted Mr. Ferguson was the application's adult-themed name, very uncommon for a Facebook app. Hovering the mouse over the link showed that it led to a page on the fucabook.com domain, a look-alike of facebook.com, which hosted credential-stealing content.

According to Mr. Ferguson, “The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.” He also added, “The attack site is registered to an Arsen Tumanyan who allegedly resides in Armenia, the domain is registered through GoDaddy and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2) cloud.”

This attack did not go after financial data; it aimed to harvest Facebook account credentials, which could later be used to send spam or launch further phishing attacks from the compromised accounts.
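The two warning signs in this second attack, a look-alike domain in a notification link and a landing page that bounces the visitor on to the real site with a meta refresh, can both be checked mechanically. The Python script below is an added example written for this page, not code from the article or from either researcher. It assumes a single trusted domain (facebook.com), uses a naive two-label rule for the registrable domain (no public-suffix list, which is enough for this case), and runs against a constructed sample landing page shaped like the one Mr. Ferguson describes rather than anything captured from the real attack.

```python
import html
import re
from urllib.parse import urljoin, urlparse

# Assumption for this example: the only domain allowed to host the site
# being protected. A real deployment would take this from configuration.
TRUSTED_DOMAINS = {"facebook.com"}

# Constructed sample of a phishing landing page in the shape the article
# describes: a script is loaded, then a meta refresh sends the visitor to
# the real site. Not captured from the real attack.
SAMPLE_PHISH_PAGE = """<html><head>
<script src="/collect.js"></script>
<meta http-equiv="refresh" content="0;url=http://www.facebook.com/login.php">
</head><body></body></html>"""

META_REFRESH_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)
REFRESH_CONTENT_RE = re.compile(
    r'content\s*=\s*["\']?\s*(\d+)\s*;\s*url\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)


def registrable_domain(url):
    """Last two labels of the URL's host (naive rule, no public-suffix list).
    Enough to tell facebook.com from fucabook.com or facebook.com.evil.example."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted_link(url):
    """True only if the link's registrable domain is one we trust;
    a 'facebook' substring somewhere in the host does not count."""
    return registrable_domain(url) in TRUSTED_DOMAINS


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, max_distance=2):
    """Return the trusted domain this one imitates (within max_distance edits), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None


def meta_refresh_targets(page_html, base_url):
    """List of (delay_seconds, absolute_url) for every meta refresh tag in the page."""
    targets = []
    for tag in META_REFRESH_RE.finditer(page_html):
        match = REFRESH_CONTENT_RE.search(tag.group(0))
        if match:
            delay, dest = int(match.group(1)), html.unescape(match.group(2))
            targets.append((delay, urljoin(base_url, dest)))
    return targets


def assess_link(url, page_html=""):
    """Triage a notification link: trusted, a look-alike, or merely untrusted,
    plus where its landing page redirects the visitor (if the page is supplied)."""
    domain = registrable_domain(url)
    if is_trusted_link(url):
        verdict = "trusted"
    else:
        imitated = lookalike_of(domain)
        verdict = f"lookalike of {imitated}" if imitated else "untrusted"
    redirects = meta_refresh_targets(page_html, url) if page_html else []
    return {"domain": domain, "verdict": verdict, "redirects": redirects}


if __name__ == "__main__":
    for link in ("http://apps.facebook.com/customer_dispute/",
                 "http://www.fucabook.com/app/",
                 "http://facebook.com.evil.example/login"):
        print(link, "->", assess_link(link, SAMPLE_PHISH_PAGE))
```

Run against the constructed page, the fucabook.com link is flagged as a look-alike of facebook.com two edits away, and the meta refresh tag reveals that the page immediately forwards to the real login page, which is exactly the pattern of a credential-harvesting interstitial. The domain check deliberately compares the registrable domain rather than searching for "facebook" in the host, so a host such as facebook.com.evil.example is rejected as well.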