Facebook Phishing Via Tumblr

February 12, 2014 - By Chris Larsen, Jeff Doty

This one took a while to unravel, and we're missing a piece or two, but it's still worth writing about.

We noticed some odd traffic going to a brand new domain yesterday: maal1.pw

Interestingly, the traffic was coming from a bunch of random/junk Tumblr "sites":

  • rkektonyodhcw.tumblr.com
  • avfyyfeamigey.tumblr.com
  • rffebcgt.tumblr.com
  • jdklyvers.tumblr.com
  • lsleqhadcecyz.tumblr.com
  • mjdyjlic.tumblr.com
  • etc.

Here's an example of what the pages looked like:

screenshot of fake account on tumblr

That little red oval marks a 1x1-pixel iframe, which is being created by some JavaScript pulled from a site named to look like it's part of Tumblr's empire, but which isn't: tumposthostingxqo.com

That section of the Tumblr page HTML looks like this:

section of html code from the tumblr site, showing the javascript link

The JavaScript from tumposthostingxqo.com looks like this (after a bit of clean-up):

the javascript that produces the iframe

(Yikes -- I was under the impression that Tumblr had protections in place to prevent people from inserting random external JavaScript links into their sites. Apparently not...)
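The two on-page indicators in this chain, a script include from a non-Tumblr host with a Tumblr-sounding name and a 1x1 iframe pointing at a fresh domain, are easy to check for in a captured page. The following is an added example, not code from the original post or from Blue Coat: a small stdlib-only auditor that flags external script sources and tiny or hidden iframes. The sample page is constructed for the example and represents the DOM as a reviewer would capture it after the script has run (the iframe itself only exists after the JavaScript executes, so a fetch of the raw Tumblr HTML would show just the script tag). The first-party allowlist and the lookalike token list are assumptions for the example.

```python
"""Static audit of a captured page for two indicators from the Tumblr phishing
chain: external <script src> includes and tiny/hidden <iframe> elements.
Added example; not code from the original post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a Tumblr-hosted page is expected to load script from (assumption for
# this example; a real allowlist would be derived from observed traffic).
FIRST_PARTY_SUFFIXES = ("tumblr.com",)

# Brand fragments that make a third-party host look like part of Tumblr's
# infrastructure (assumption; "tumpost" matches the host seen in the post).
LOOKALIKE_TOKENS = ("tumblr", "tumpost")

# Constructed sample: post-execution DOM of a page like the ones described.
SAMPLE_PAGE = """
<html><head>
<script src="https://assets.tumblr.com/theme.js"></script>
<script src="http://tumposthostingxqo.com/t.js"></script>
</head><body>
<p>Sample post body</p>
<iframe src="http://maal1.pw/" width="1" height="1" frameborder="0"></iframe>
</body></html>
"""


def is_first_party(host):
    """True when host is exactly a first-party suffix or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px' to an int, else None."""
    if value is None:
        return None
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


def is_tiny_or_hidden(attrs):
    """Flag iframes sized at most 1px or hidden via inline style."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = (attrs.get("style") or "").lower().replace(" ", "")
    return any(tok in style for tok in
               ("display:none", "visibility:hidden", "width:1px", "width:0"))


class PageAuditor(HTMLParser):
    """Collects findings as dicts in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if not is_first_party(host):
                finding = {"kind": "external_script", "host": host}
                if any(tok in host for tok in LOOKALIKE_TOKENS):
                    finding["note"] = "brand-lookalike host"
                self.findings.append(finding)
        elif tag == "iframe" and is_tiny_or_hidden(a):
            host = urlparse(a.get("src") or "").hostname or ""
            self.findings.append({"kind": "hidden_iframe", "host": host})


def audit(html):
    """Return the list of findings for one captured page."""
    auditor = PageAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE):
        print(f)
```

Run against the sample, the auditor reports the lookalike script host and the 1x1 iframe to maal1.pw while ignoring the assets.tumblr.com include. For a live investigation the same function can be fed the DOM exported from a browser's developer tools rather than the raw HTTP response, so that script-created iframes are visible to the scan.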


That's where the trail went cold for me -- I couldn't get maal1.pw to do anything interesting when I visited. So I handed it over to Jeff, who has ways to make sites talk...

And here's what he found:

screenshot of phishing page

So it's a phishing attack, trying to get you to log in to Facebook...

screenshot of facebook login

But why would someone be doing this? What's the bait?

Unfortunately, that's one of the still-missing pieces, but we can make an educated guess if we switch ends and jump to the beginning of the chain: those Tumblr sites with the suspicious names.

Traffic to those sites, it turns out, is coming from facebook.com (or the mobile version, m.facebook.com).
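Working the chain backwards from the referrers is exactly how this kind of funnel shows up in proxy logs: one destination host fed by many sibling subdomains of a single parent, each of those subdomains in turn reached from one upstream site. The following added example (not code from the original post or from Blue Coat) runs that analysis over constructed log lines modelled on the chain described here. The log format (timestamp, client, destination host, referrer URL) and the random-name heuristic are assumptions for the example.

```python
"""Referrer-chain analysis over proxy logs: find destinations fed by many
sibling subdomains of one parent, and recover what sent users to those
subdomains. Added example; not code from the original post."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: timestamp, client, destination host, referrer URL.
SAMPLE_LOG = """\
2014-02-11T10:01:02 10.0.0.5 rkektonyodhcw.tumblr.com https://www.facebook.com/
2014-02-11T10:01:03 10.0.0.5 tumposthostingxqo.com http://rkektonyodhcw.tumblr.com/
2014-02-11T10:01:03 10.0.0.5 maal1.pw http://rkektonyodhcw.tumblr.com/
2014-02-11T10:02:10 10.0.0.9 avfyyfeamigey.tumblr.com https://m.facebook.com/
2014-02-11T10:02:11 10.0.0.9 maal1.pw http://avfyyfeamigey.tumblr.com/
2014-02-11T10:03:40 10.0.0.12 rffebcgt.tumblr.com https://www.facebook.com/
2014-02-11T10:03:41 10.0.0.12 maal1.pw http://rffebcgt.tumblr.com/
2014-02-11T10:04:00 10.0.0.7 staff.tumblr.com https://www.google.com/
2014-02-11T10:04:01 10.0.0.7 assets.tumblr.com http://staff.tumblr.com/
"""

VOWELS = set("aeiou")


def parent_domain(host):
    """Approximate the registrable parent as the last two labels (assumption:
    no public-suffix list is consulted in this example)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_random(label):
    """Heuristic for machine-generated labels: few vowels or a long consonant
    run. Only applied to labels of 8+ characters to spare short real words."""
    if len(label) < 8:
        return False
    letters = [c for c in label.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


def parse_log(text):
    """Yield (client, dest_host, referrer_host); referrer '-' means none."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, dest, ref = parts
        ref_host = (urlparse(ref).hostname or "") if ref != "-" else ""
        yield client, dest.lower(), ref_host.lower()


def find_funnels(text, min_sources=3):
    """Return destinations reached from >= min_sources sibling subdomains of one
    parent, with the upstream referrers that sent users to those siblings."""
    referrers = defaultdict(set)  # dest host -> set of referrer hosts
    for _, dest, ref_host in parse_log(text):
        if ref_host:
            referrers[dest].add(ref_host)
    funnels = {}
    for dest, refs in referrers.items():
        by_parent = defaultdict(set)
        for r in refs:
            by_parent[parent_domain(r)].add(r)
        for parent, siblings in by_parent.items():
            if len(siblings) < min_sources:
                continue
            upstream = set()
            for s in siblings:
                upstream |= referrers.get(s, set())
            funnels[dest] = {
                "parent": parent,
                "sources": sorted(siblings),
                "random_names": sum(looks_random(s.split(".")[0]) for s in siblings),
                "upstream": sorted(upstream),
            }
    return funnels


if __name__ == "__main__":
    for dest, info in find_funnels(SAMPLE_LOG).items():
        print(dest, info)
```

On the sample, only maal1.pw qualifies: three distinct tumblr.com subdomains feed it, all three names score as random, and their own referrers resolve to www.facebook.com and m.facebook.com, which is the whole chain from the post in one record. The legitimate staff.tumblr.com to assets.tumblr.com traffic stays below the threshold and is not reported.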

It gets even more interesting when you look at one of the specific pages, which shows what Facebook users saw as they left to chase the bait:

screenshot of facebook warning page

The warning is worth a close-up:

close-up of the warning from facebook

I don't know how they could make it any more clear -- kudos to Facebook for doing their part.

But plenty of people clicked the "Ignore Warning" button anyway. Whatever they'd been convinced they needed to see by a Facebook "friend" (probably some kind of salacious video link) overrode their common sense, even in the face of an explicit security warning. (Which is why the "Foolish Zebra" principle works so well!)

And then their own Facebook account would likely end up being used to send the spam on to their own friends...


--C.L.

@bc_malware_guy