Several people I know received Wall posts on their Facebook profiles recently with text akin to “your profile picture is all over mdannic.com”. So I did what any normal user would do: I visited the site and tried to determine whether it was a phish. It’s certainly not legitimate, but I doubt it’s a phish—it looks more like a prank. Here is a transcription of its interactions with my client (Fedora 10; i686; en-US; Firefox 3.0.2):
- The JavaScript requests a file; the server returns a 404. This happens four times, once each for dhtmlwindow.css, dhtmlwindow.js, modal.css and modal.js under http://rotating-destination.com/newpoproutine/.

GET /newpoproutine/dhtmlwindow.css HTTP/1.1

HTTP/1.x 404 Not Found
- My client GETs data from http://friends-to-friends-only.com/.
GET / HTTP/1.1
Host: friends-to-friends-only.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008102718 Fedora/3.0.2-1.fc10 Firefox/3.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 200 OK
Date: Thu, 13 Nov 2008 19:06:17 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

I will omit my client's request (excepting the first line) after this; just know that it is the same.
- Step one's JavaScript/404 interactions repeat.
- After my client POSTs the data I submitted in the HTML form, it sends an OCSP request to thawte.com, which supplies the response.

Content-Length: 115
Content-Type: application/ocsp-request

In the following line, control characters are replaced by parenthesized Unicode identifiers to ensure proper rendering.

0q0o0M0K0I0 (U+6)(U+5)+(U+E)(U+3)(U+2)(U+1A)(U+5)
HTTP/1.x 200 Ok
Last-Modified: Tue, 11 Nov 2008 08:11:51 GMT
Expires: Tue, 18 Nov 2008 08:11:51 GMT
Content-Type: application/ocsp-response
Content-Transfer-Encoding: binary
Content-Length: 1480
Cache-Control: max-age=604800, public, no-transform, must-revalidate
Date: Thu, 13 Nov 2008 19:09:02 GMT
Connection: close
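The 115-byte body is a DER-encoded OCSPRequest (RFC 2560), and the prefix shown above is readable once you know the layout: 0x30 is SEQUENCE, so "0q0o0M0K0I0" is five nested SEQUENCEs (OCSPRequest, TBSRequest, requestList, Request, CertID) and the bytes 2b 0e 03 02 1a that follow are the OID 1.3.14.3.2.26, SHA-1, the hash algorithm of the CertID. The following is an added example, not code from the original post: it builds a request with that layout from a constructed issuer-name hash, issuer-key hash, serial number and nonce (none of which the page shows; only the prefix and the Content-Length are taken from the capture), checks that the result reproduces the captured prefix and length, and walks it back with a minimal DER reader.

```python
"""Build and decode an OCSP request with the layout of the one captured above.

Added example, not part of the original post. Everything after the prefix
"0q0o0M0K0I0" is CONSTRUCTED: the issuer hashes, the 16-byte serial and the
11-byte nonce are invented so that the total comes to the captured 115 bytes.
"""
from __future__ import annotations
import hashlib

# Object identifiers as their DER content bytes.
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26 (id-sha1)
OID_OCSP_NONCE = bytes.fromhex("2b0601050507300102")   # 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce)
HASH_NAMES = {OID_SHA1: "sha1"}


def der(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a short-form length (enough for a 115-byte request)."""
    assert len(payload) < 0x80, "long-form lengths not needed here"
    return bytes([tag, len(payload)]) + payload


def der_tlv(data: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes,
                       serial: bytes, nonce: bytes | None = None) -> bytes:
    """OCSPRequest with one SHA-1 CertID and an optional nonce extension."""
    alg_id = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))          # AlgorithmIdentifier {sha1, NULL}
    cert_id = der(0x30, alg_id + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der(0x02, serial))
    tbs = der(0x30, der(0x30, cert_id))                               # requestList: SEQUENCE OF Request
    if nonce is not None:
        ext = der(0x30, der(0x06, OID_OCSP_NONCE) + der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der(0x30, ext))                              # [2] requestExtensions
    return der(0x30, der(0x30, tbs))                                  # OCSPRequest { TBSRequest }


def parse_ocsp_request(blob: bytes) -> dict:
    """Walk the structure and pull out the fields a defender wants to see."""
    tag, tbs, end = der_tlv(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single top-level SEQUENCE")
    tag, tbs_body, _ = der_tlv(tbs)
    if tag != 0x30:
        raise ValueError("TBSRequest is not a SEQUENCE")
    request_list = extensions = None
    pos = 0
    while pos < len(tbs_body):                         # optional [0] version / [1] requestorName are skipped
        tag, val, pos = der_tlv(tbs_body, pos)
        if tag == 0x30:
            request_list = val
        elif tag == 0xA2:
            extensions = val
    if request_list is None:
        raise ValueError("no requestList")
    _, request, _ = der_tlv(request_list)              # first (here, the only) Request
    _, cert_id, _ = der_tlv(request)
    _, alg_id, pos = der_tlv(cert_id)
    _, oid, _ = der_tlv(alg_id)
    _, name_hash, pos = der_tlv(cert_id, pos)
    _, key_hash, pos = der_tlv(cert_id, pos)
    _, serial, _ = der_tlv(cert_id, pos)
    return {
        "hash_alg": HASH_NAMES.get(oid, oid.hex()),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
        "has_nonce": extensions is not None and OID_OCSP_NONCE in extensions,
    }


def visible_prefix(blob: bytes) -> str:
    """Render bytes the way the post did: printable ASCII as-is, anything else as (U+n)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"(U+{b:X})" for b in blob)


# Constructed sample input: the values are invented, only the layout is the capture's.
SAMPLE = build_ocsp_request(
    issuer_name_hash=hashlib.sha1(b"constructed issuer Name").digest(),
    issuer_key_hash=hashlib.sha1(b"constructed issuer public key").digest(),
    serial=bytes.fromhex("0123456789abcdef0123456789abcdef"),   # 16 bytes
    nonce=bytes.fromhex("00112233445566778899aa"),             # 11 bytes, so the total is 115
)

if __name__ == "__main__":
    print(len(SAMPLE), visible_prefix(SAMPLE[:21]))
    print(parse_ocsp_request(SAMPLE))
```

The first 21 bytes of the constructed request render as "0q0o0M0K0I0(U+9)(U+6)(U+5)+(U+E)(U+3)(U+2)(U+1A)(U+5)(U+0)", which is the post's line with the tab and NUL that its transcription swallowed; the 32 bytes that a nonce extension adds are what bring a single-CertID request with 20-byte hashes and a 16-byte serial to exactly 115 bytes, but the capture does not show those bytes, so that reading is an assumption.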
- My client interacts with Google Safe Browsing. I will omit those interactions for brevity. (My headers contain them.)

- My client GETs 4549 bytes of HTML. If I remember correctly, this included a JavaScript popup warning box.
GET /taf/page2.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans&email=none&category1=lauras&confirmation=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&error_page=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&ref=000&getpostdata=get HTTP/1.1
Host: www.this-isnt-personal.com
Referer: http://rotating-destination.com/taf/taf.html

HTTP/1.x 200 OK
Date: Thu, 13 Nov 2008 18:54:37 GMT
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.7a FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.4
Last-Modified: Fri, 07 Nov 2008 03:27:52 GMT
Etag: "10cc017-11c5-ff8ede00"
Accept-Ranges: bytes
Content-Length: 4549
Connection: close
Content-Type: text/html

- My name, my referring friend's name, my email address and my password are sent to /taf/register.cgi; it sends me 4882 bytes of HTML.
POST /taf/register.cgi HTTP/1.1
Host: www.this-isnt-personal.com
Referer: http://www.this-isnt-personal.com/taf/page2.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans&email=none&category1=lauras&confirmation=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&error_page=http%3A%2F%2Ftellafriendrewards.com%2Ftaf%2Fpage2.html&ref=000&getpostdata=get
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
email=none&referring_friend=Henry%2BJoseph&name=Carrie%2BNewjeans&passwd=neatpeoplerock

HTTP/1.x 302 Found
Date: Thu, 13 Nov 2008 18:55:40 GMT
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.7a FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 mod_bwlimited/1.4 PHP/5.2.4
Location: taf3.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
Content-Length: 442
Connection: close
Content-Type: text/html; charset=iso-8859-1

And no, that is not my real password.
- I GET 445 and 5199 bytes of HTML in separate requests.
- My client interacts with a new server, http://tracking.profitsource.net. Notice the cookie: it persists for a week (see the expires attribute) and stores the affiliate and campaign IDs together with the URL of the referring page.
GET /redir.aspx?CID=13449&AFID=27721&DID=59269&SID= HTTP/1.1
Host: tracking.profitsource.net
Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
Cookie: Redir_Consume-13449=AFID=27721&SID=&MARSID=&DID=59269&AD=CID%3d13449%26AFID%3d27721%26DID%3d59269%26SID%3d&RR=http://www.this-isnt-personal.com/taf/tafnext.html&IDATE=11/13/2008

HTTP/1.x 302 Found
Connection: close
Date: Thu, 13 Nov 2008 19:17:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache, no-cache
P3P: policyref="/w3c/P3P.tracking.profitsource.net.xml", CP="NOI DSP COR NID ADM DEV OUR STP OTC"
Location: http://www.geniusinspiration.net/go/sh_us_gs_txt
Set-Cookie: Redir_Consume-13449=AFID=27721&SID=&MARSID=&DID=59269&AD=CID%3d13449%26AFID%3d27721%26DID%3d59269%26SID%3d&RR=http://www.this-isnt-personal.com/taf/tafnext.html&IDATE=11/13/2008; expires=Thu, 20-Nov-2008 19:17:01 GMT; path=/
Cache-Control: no-cache
Expires: -1
Content-Type: text/html

- And now another, www.geniusinspiration.net.
GET /go/sh_us_gs_txt HTTP/1.1
Host: www.geniusinspiration.net
Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
Cookie: PHPSESSID=72eb039f0ffdab5255238ca36a7cff56

HTTP/1.x 302 Found
Date: Thu, 13 Nov 2008 19:15:56 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.7
Location: http://www.geniusinspiration.net/go/us_brain_txt?&&&ref2=gs_txt&ref3=sh_us_gs_txt&
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

- The redirect lands on that same server's home page, which sets four more cookies.
GET /usbrain_txt/indexhome.php?s=prsntm&ref4=896&ref5=981&ref2=gs_txt&ref3=sh_us_gs_txt HTTP/1.1
Host: www.geniusinspiration.net
Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans
Cookie: visit_date=November+13th+-+11%3A04+am; cookie_pagename=home; cookie_site=usbrain; cookie_domain=geniusinspiration; PHPSESSID=72eb039f0ffdab5255238ca36a7cff56

HTTP/1.x 200 OK
Date: Thu, 13 Nov 2008 19:15:56 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="CAO PSA OUR"
Set-Cookie: visit_date=November+13th+-+11%3A15+am; expires=Sun, 16 Nov 2008 19:15:56 GMT
Set-Cookie: cookie_pagename=home; expires=Sat, 13 Dec 2008 19:15:56 GMT
Set-Cookie: cookie_site=usbrain; expires=Sat, 13 Dec 2008 19:15:56 GMT
Set-Cookie: cookie_domain=geniusinspiration; expires=Sat, 13 Dec 2008 19:15:56 GMT
Keep-Alive: timeout=3, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
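The security-relevant detail in this chain is not the redirects themselves but what rides along with them. The names entered on the form were put into the query string of tafnext.html, and the browser then sent that URL as the Referer to tracking.profitsource.net and www.geniusinspiration.net, neither of which was ever given the form; the password went to register.cgi in a POST body (the capture does not show whether that request was over TLS). The script below is an added example, not code from the original post: it takes the requests transcribed above, trimmed to the request line, Host, Referer and body, and reports which sensitive fields reached which host through which channel.

```python
"""Trace where the form fields travelled in the redirect chain captured above.

Added example, not part of the original post. The request blocks below are
transcribed from the capture and trimmed to the headers this script reads;
they are the only input, so the script runs offline.
"""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# Fields the user typed (or the referring page carried) that should stay with the first party.
SENSITIVE = {"referring_friend", "name", "email", "passwd"}

CAPTURE = [
    "GET /taf/page2.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans&email=none"
    "&category1=lauras&ref=000&getpostdata=get HTTP/1.1\r\n"
    "Host: www.this-isnt-personal.com\r\n"
    "Referer: http://rotating-destination.com/taf/taf.html\r\n\r\n",

    "POST /taf/register.cgi HTTP/1.1\r\n"
    "Host: www.this-isnt-personal.com\r\n"
    "Referer: http://www.this-isnt-personal.com/taf/page2.html?referring_friend=Henry+Joseph"
    "&name=Carrie+Newjeans&email=none&category1=lauras&ref=000&getpostdata=get\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "email=none&referring_friend=Henry%2BJoseph&name=Carrie%2BNewjeans&passwd=neatpeoplerock",

    "GET /redir.aspx?CID=13449&AFID=27721&DID=59269&SID= HTTP/1.1\r\n"
    "Host: tracking.profitsource.net\r\n"
    "Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans\r\n\r\n",

    "GET /go/sh_us_gs_txt HTTP/1.1\r\n"
    "Host: www.geniusinspiration.net\r\n"
    "Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans\r\n\r\n",

    "GET /usbrain_txt/indexhome.php?s=prsntm&ref4=896&ref5=981&ref2=gs_txt&ref3=sh_us_gs_txt HTTP/1.1\r\n"
    "Host: www.geniusinspiration.net\r\n"
    "Referer: http://www.this-isnt-personal.com/taf/tafnext.html?referring_friend=Henry+Joseph&name=Carrie+Newjeans\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def sensitive_keys(form_encoded: str) -> set[str]:
    """Names of sensitive fields present in a query string or urlencoded body."""
    return SENSITIVE & set(parse_qs(form_encoded, keep_blank_values=True))


def data_flows(capture: list[str]) -> dict[str, set[tuple[str, str]]]:
    """Map each destination host to the (channel, field) pairs it received."""
    flows: dict[str, set[tuple[str, str]]] = {}
    for raw in capture:
        req = parse_request(raw)
        received = flows.setdefault(req["headers"]["host"], set())
        received |= {("query", k) for k in sensitive_keys(urlsplit(req["target"]).query)}
        if req["body"]:
            received |= {("body", k) for k in sensitive_keys(req["body"])}
        referer = req["headers"].get("referer")
        if referer:                                  # the browser copies the previous URL, query included
            received |= {("referer", k) for k in sensitive_keys(urlsplit(referer).query)}
    return flows


def redirect_chain(capture: list[str]) -> list[str]:
    """Hosts in the order the browser was bounced through them (consecutive repeats collapsed)."""
    hosts: list[str] = []
    for raw in capture:
        host = parse_request(raw)["headers"]["host"]
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts


def third_party_recipients(flows: dict[str, set[tuple[str, str]]], first_party: str) -> set[str]:
    """Hosts other than the one the form was submitted to that received any sensitive field."""
    return {host for host, got in flows.items() if host != first_party and got}


if __name__ == "__main__":
    flows = data_flows(CAPTURE)
    print(" -> ".join(redirect_chain(CAPTURE)))
    for host, got in flows.items():
        print(host, sorted(got))
    print("third parties:", sorted(third_party_recipients(flows, "www.this-isnt-personal.com")))
```

Run as a script it prints the host chain, then per host the fields it received, with the two affiliate trackers listed as third-party recipients of referring_friend and name via Referer only. The same walk over a fuller capture would also catch fields leaking through cookies or Location headers; those channels are left out here because the page's transcript carries no form data in them.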
These interactions, the HTML from rotating-destination.com, and friends-to-friends-only’s disclaimer (phishes typically do not alert users by saying they are not phishes—note click-through syndrome) are strong indications that it is not a phish. I posted the HTTP headers if you’re interested.
