Use of the Open Graph Protocol to Disguise Malicious Facebook Links

Published: 2017-08-04
Last Updated: 2017-08-04 21:16:20 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Whenever a link is posted to Facebook or other social media sites, the site will likely scan the destination page for "Open Graph" tags [1]. These tags can supply an image to display, an alternate URL to show in place of the real one, and other metadata for the link.

(URLs obfuscated to protect the click-happy)

For example, the following short link hxxps://goo. gl/ 8k64yS posted to Facebook recently links to hxxp: //storage. googleapis. com/1501853956/1501853956.html, which in turn returns the following content:

<meta name="viewport" content="width=device-width, initial-scale=1">
<meta property="og:url" content="http://YOUTU.BE/" />
<meta property="og:type" content="article" />
<meta property="og:title" content="Video" />
<meta property="og:description" content="355,857 View" />
<meta property="og:image" content="https://www.youtube.com/yts/img/yt_1200-vfl4C3T0K.png" />
<style> body { margin: 0 !important; }</style>

<iframe src="hxxp:// smarturl. it/uvita" onload="this.width=screen.width;this.height=screen.height;">

The meta "og:" tags will tell Facebook to display a YouTube logo ("og:image"), and the text "355,857 View" ("og:description"), making this look like a legitimate link to YouTube. Instead, the user is redirected to a second URL shortener in this case. "smarturl.it" looks like a very interesting URL shortener. It allows the attacker to effortlessly redirect users to different sites based on country of origin and browser used. Sadly, all I got in the iframe was what appeared to be random Wikipedia pages, nothing that I could identify as malicious. One Facebook friend was directed to a Facebook phishing page after clicking on the link.

Here is what it looked like when I posted it to a Facebook test account:

[1] http://ogp.me
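
A defender-side check for the mismatch described above, as an added example that is not part of the original diary: it parses a fetched page and reports where the Open Graph preview or an iframe points at a different host than the one actually serving the page. The function names, the sample URL and both `.example` hosts are assumptions made for illustration; the sample HTML is constructed, modelled on the tags shown above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PreviewAudit(HTMLParser):
    """Collect Open Graph properties and iframe sources from one HTML document."""
    def __init__(self):
        super().__init__()
        self.og, self.iframes = {}, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").lower().startswith("og:"):
            self.og[a["property"].lower()] = a.get("content") or ""
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

def host(url):
    # urlparse lower-cases the hostname, so "YOUTU.BE" compares as "youtu.be"
    return (urlparse(url).hostname or "").lower()

def audit(page_url, html):
    """Return findings where the preview metadata disagrees with the page itself."""
    p = PreviewAudit()
    p.feed(html)
    served_from, findings = host(page_url), []
    for prop in ("og:url", "og:image"):
        h = host(p.og.get(prop, ""))
        if h and h != served_from:
            findings.append(f"{prop} names {h}, page is served from {served_from}")
    for src in p.iframes:
        h = host(src)  # relative sources have no host and are skipped
        if h and h != served_from:
            findings.append(f"iframe loads third-party content from {h}")
    return findings

# Constructed sample modelled on the page above; both .example hosts are placeholders.
SAMPLE_URL = "http://storage.example/1501853956.html"
SAMPLE_HTML = """
<meta property="og:url" content="http://YOUTU.BE/" />
<meta property="og:type" content="article" />
<meta property="og:description" content="355,857 View" />
<meta property="og:image" content="https://www.youtube.com/yts/img/yt_1200-vfl4C3T0K.png" />
<iframe src="http://redirector.example/uvita" onload="this.width=screen.width;">
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

An og:image on another host is common on legitimate sites that use a CDN, so that finding alone is weak; an og:url naming a different host together with a third-party iframe is the combination seen in this sample.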

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


Comments

Very interesting thing. I'm curious to know if DCI products like Checkpoint fall for this trick or detect it.
Between, I think it's a new way to trick users into the trap.

Thanks !

SwitHak
