Archive

Author Archive

Facebook Phishing site: fbstarter.com

April 30th, 2009


I got a Facebook mail from a friend today titled “Look at this!” with a link to fbstarter.com.

The site itself, looks just like FaceBook (even the code view and CSS – screenshot here) – but the site itself didn’t seem to offer much except for a login. I put in dummy information and was redirected to the real Facebook site with this message:

screenshot here.

It’s good to know that Facebook is already on top of it.

When I asked my friend how he came to find / be infected with the exploit (my initial that was a rogue app) he replied: “Link from a friend on Facebook.” My guess is that the site logs in as you and send a message to all your friends to infect more people (he told me he looked through his sent mail and apparently it’s been sending emails out 15-16 at a time).

What’s interesting about this exploit is that there really isn’t any XSS or CSRF involved – Facebook didn’t do anything wrong – it’s just plain social engineering, a site dresses itself up to look like Facebook and asks you to log-in.

I went ahead and archived the fbstarter.com site as I’m sure it’ll be taken down soon:
http://insecureweb.com/files/fbstarter/ (doesn’t include images)

If you are infected – change all your passwords immediately. Although it’s unlikely the perpetrators can access your other sites many people use the same passwords or deviations of the same password for many sites. It would be in your best interest to change all your passwords regardless whether they’re the same or not (at the very least a clear conscious).

In addition, consider upgrading to Firefox 3 if you haven’t, which attempts to block web forgery attempts (after they are reported – see what happens when I try to visit fbaction.net a similar forgery site).

A whois on the owner of the domain shows our friends in Russia as usual:

Ad / Name	  Boris Soroka
	Adres	Stavropolskaya str. d.18 kv.164 Moscow Moscow 109386
	Tel	+7.4957851102
	Faks
	E-posta   vy@seostudio.at
	Guncelleme / Updated

Mauvis Ledford Social Engineering , ,

XSS exploits in 8 of AOL’s properties including Engadget, TUAW, and Social Thing enabled sites

April 30th, 2009

Update 05-27-2009: A web developer at AOL is investigating these issues and in the meantime this post has been temporary disabled. It’ll return for educational purposes when the issues are resolved.

Mauvis Ledford JavaScript, Web Security

Newish web-based PDF attack in the wild (with real exploit code)

February 19th, 2009

At work, a client recently contacted us about some random ads that were popping up on their site -  interestingly enough through Adobe Acrobat. While I’m on a mac and didn’t experience the popups firsthand, I did pinpoint the problem to come from a hidden iframe located on the page (The client is a news organization and the iframes were being added to the bottom of each news article – so either they suffered an SQL injection or the attacker got into their platform somehow.) It turns out the code was doing something more malicious then just displaying ads. Read more…

Mauvis Ledford JavaScript, Web Security ,