Monday, December 08, 2008

Anatomy of a phishing attack: The Secret Video attack

A few days ago, my brother called my cell phone. He had gotten a strange message from a Facebook friend. He wasn't near a computer, and was curious if I could check it out. He forwarded the message on to me; most of it is below:

From: Facebook 
Date: Fri, Dec 5, 2008 at 10:07 AM
Subject: Ben's Brother's Friend sent you a message on Facebook...
To: Ben's Brother

Zvi sent you a message.

Subject: I was surprised to see you on this video.

"W O W
http://www.facebook.com/l.php?u=http://geocities.com%2Fynufgzhmf%2Findex.htm%3F5cch5f%3D9d980760651eb5176d1117c8b4885b63"

Uh, oh - this doesn't sound good. Whose nightmares don't include some video clip of you being shown on the web that you'd rather didn't exist? I clicked on the URL, expecting the worst, and was greeted with the following page:

OK, I thought - my Flash Player is out of date. No biggie, I'll just update it and then I'll get to see this incriminating video.

I click on the link and flash_update.exe is downloaded to my system.

As I'm about to double click on the executable, my brain finally catches up to my fingers and I realize maybe this isn't such a great idea. This page looks a little sketchy. It then occurs to me, if my Flash Player is really out of date, the safe way to upgrade it is to visit Adobe.

And so that's what I did. I headed over to the Flash Player download area. Sure enough, my Flash Player was out of date. Perhaps I was being a little too paranoid.

I then visited the site again, and as you might imagine, it said I was still out of date. At this point, I realized that this is definitely not a video site, and is some sort of virus or phishing attack. A well-executed one at that. Here are some signs that confirmed it:

  • The URL was: http://122.55.185.237:7777/dt/?. The fact that there wasn't a recognizable domain name was a sure clue something was up.
  • I inspected the HTML, and the personalization with a name is actually done on the fly. The URL query string argument ch=F0F2EFE6E9ECE5AEE1EBAE... contains, among other things, the name of the person to show as their page. This is cleverly done, as the page has the look of one that's specific to the person who sent out the Facebook e-mail.
  • The page was trying to look like YouTube, but of course, it wasn't YouTube. In fact, there was a typo in the title, which said YuoTube. Why can't spammers spell?
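The three signs above are exactly what a defender triaging a reported message would pull out of the links automatically: the Facebook l.php redirector wrapping a second URL, the free-hosting hop, and the landing host being a raw IP on a non-standard port. The script below is an added example and not code from the post or from Facebook; it uses the two URLs quoted above, plus the truncated ch= prefix, and decodes that prefix on the assumption (mine, not the post's) that it is ASCII with the high bit set on every byte. Under that assumption the visible prefix reads `profile.ak.`, the start of what looks like a hostname rather than the name the post mentions; whatever follows is cut off in the post and is not reconstructed here. The `flash_update.exe` URL is constructed for illustration, since the post never shows the download link itself.

```python
"""Indicator extraction for the Secret Video phish (added example, not the post's code)."""
import ipaddress
from urllib.parse import parse_qs, unquote, urlparse

# From the post: the link inside the Facebook message and the page it finally landed on.
MESSAGE_URL = ("http://www.facebook.com/l.php?u=http://geocities.com%2Fynufgzhmf"
               "%2Findex.htm%3F5cch5f%3D9d980760651eb5176d1117c8b4885b63")
LANDING_URL = "http://122.55.185.237:7777/dt/?"
# From the post, truncated there with "..."; only this visible prefix is decoded.
CH_PREFIX = "F0F2EFE6E9ECE5AEE1EBAE"
# Constructed: the post names the file but not the URL it was fetched from.
DOWNLOAD_URL = "http://122.55.185.237:7777/dt/flash_update.exe"


def unwrap_redirect(url, param="u"):
    """Return the URL hidden behind a redirector's query parameter, or None."""
    qs = parse_qs(urlparse(url).query)
    if param in qs:
        # parse_qs already percent-decodes; unquote is idempotent on the result.
        return unquote(qs[param][0])
    return None


def host_indicators(url):
    """List the reasons a URL looks suspicious, mirroring the signs in the post."""
    p = urlparse(url)
    reasons = []
    if unwrap_redirect(url) is not None:
        reasons.append("redirector wrapping another URL")
    try:
        ipaddress.ip_address(p.hostname or "")
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname
    if p.port not in (None, 80, 443):
        reasons.append(f"non-standard port {p.port}")
    if p.hostname and p.hostname.endswith("geocities.com"):
        reasons.append("free hosting used as an intermediate hop")
    if p.path.lower().endswith(".exe"):
        reasons.append("direct executable download")
    return reasons


def analyse_chain(message_url, landing_url):
    """Follow the message link through its redirector and score every hop."""
    hop = unwrap_redirect(message_url)
    chain = [message_url] + ([hop] if hop else []) + [landing_url]
    return {u: host_indicators(u) for u in chain}


def decode_high_bit_hex(hexstr):
    """Decode a hex string whose bytes are ASCII with bit 7 set (an assumption)."""
    raw = bytes.fromhex(hexstr)
    return bytes(b & 0x7F for b in raw).decode("ascii")


if __name__ == "__main__":
    for url, reasons in analyse_chain(MESSAGE_URL, LANDING_URL).items():
        print(url)
        for r in reasons:
            print("   -", r)
    print("ch= prefix decodes to:", decode_high_bit_hex(CH_PREFIX))
    print("download:", host_indicators(DOWNLOAD_URL))
```

Running it lists each hop with its indicators; the landing page alone trips two of them (raw IP, port 7777), which is enough for most mail or proxy filters to quarantine the message before anyone has to notice the YuoTube typo.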

In the end, no harm was done because I never ran the flash_update.exe file they had me download. But, if I had run this, I'd be in a bad way.

The moral of the story is simple: don't run a .exe from any website you don't trust.

The way this attack integrates Facebook, Flash and the general fear that we'll show up on the internet in a compromising position, is nothing short of genius. Evil genius.

It's a dangerous world out there, so be careful.

1 comment:

  1. Anonymous, 7:28 PM

    Phew! Thank you so much - I got this message and was really suspicious of it. I'm guessing no harm can come if I clicked the link and loaded the page but didn't download the file?