Facebook Users Targeted Via Android Same Origin Policy Vulnerability
Posted on December 29, 2014 by Kara Dunlap in Security
Researchers at Trend Micro say attackers are actively exploiting a vulnerability in Android’s WebView component in order to compromise Facebook accounts.
The flaw allows the attackers to bypass Android’s Same Origin Policy (SOP), and impacts devices running versions of the operating system prior to 4.4. The vulnerability, CVE-2014-6041, was first disclosed in September by an independent researcher. But months later, the vulnerability continues to be exploited in the wild.
“The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser,” according to the National Vulnerability Database.
According to Trend Micro Mobile Security Engineer Simon Huang, the attack targets Facebook users via a link in a particular Facebook page that leads to a malicious site. The page contains obfuscated JavaScript code that includes an attempt to load a Facebook URL in an inner frame. The user sees only a blank page: the page’s HTML hides its content through a div styled not to display anything, and the inner frame is one pixel in size, he added.
“While these routines are being carried out, the SOP bypass is being performed,” he blogged, adding that a remote JavaScript file is loaded from a legitimate cloud storage provider.
The file, he noted, contains the malicious code of the attack and enables the attackers to perform the following activities on Facebook:
- Add friends
- Like and follow Facebook pages
- Modify subscriptions
- Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
- Steal the victim’s access tokens and upload them to their server at http://{BLOCKED}martforchristmas.website/walmart/j/index.php?cid=544fba6ac6988&access_token= $ token;
- Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}ung.us/pingjs/
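The following is an added example and is not code from Trend Micro, the NVD entry or the article. It illustrates the class of flaw described above: a NUL character (U+0000) placed in front of a javascript: URL defeats a naive scheme check while the engine may still treat the URL as script, which is what lets the hidden frame’s origin be bypassed. The hardened check strips leading and trailing control characters and embedded tab/newline before comparing the scheme, as the WHATWG URL parser does. The payload string, the two checker functions and the input set are all constructed here for illustration; nothing below is the attackers’ actual code.

```javascript
// Added example: naive vs. hardened javascript: scheme detection.
// Not the Android WebView source; an illustration of the parser
// weakness class behind CVE-2014-6041 and the check that closes it.

// Naive check: plain prefix comparison. A leading NUL (or any other
// C0 control character) makes the comparison fail, so the URL is
// waved through even though a lenient loader will later execute it.
function naiveIsJavascriptUrl(url) {
  return url.toLowerCase().startsWith("javascript:");
}

// Hardened scheme extraction, modelled on the WHATWG URL parser:
//  1. strip leading/trailing C0 controls and space (U+0000..U+0020)
//  2. remove embedded ASCII tab, CR and LF anywhere in the input
//  3. take the scheme token up to the first ":" and lower-case it
function hardenedScheme(url) {
  const trimmed = url.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const noTabNl = trimmed.replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(noTabNl);
  return m ? m[1].toLowerCase() : null;
}

function hardenedIsJavascriptUrl(url) {
  return hardenedScheme(url) === "javascript";
}

// Constructed payload in the shape the NVD entry describes: a NUL byte
// prefixed to a javascript: URL, as would be passed to window.open()
// from an onclick handler. The script body is a placeholder.
const PAYLOAD = "\u0000javascript:alert(document.cookie)";

// Constructed inputs: the NUL trick, whitespace/newline variants that
// browsers also normalise away, and a benign URL for contrast.
const SAMPLE_URLS = [
  PAYLOAD,
  "  JavaScript:void(0)",
  "java\nscript:1",
  "https://www.facebook.com/",
];

// Run both checks over the inputs and report where they disagree.
function classify(urls) {
  return urls.map((u) => ({
    url: JSON.stringify(u),
    naive: naiveIsJavascriptUrl(u),
    hardened: hardenedIsJavascriptUrl(u),
  }));
}

// Count inputs the naive check misses but the hardened check catches.
function naiveMisses(urls) {
  return urls.filter((u) => !naiveIsJavascriptUrl(u) && hardenedIsJavascriptUrl(u)).length;
}

for (const row of classify(SAMPLE_URLS)) {
  console.log(row);
}
console.log("missed by naive check:", naiveMisses(SAMPLE_URLS));
```

The practical lesson for anyone writing a URL allow-list, whether in a WebView host’s navigation callback or in server-side link validation, is to normalise the input the way the consuming engine will before deciding what scheme it carries; comparing raw bytes against "javascript:" is exactly the gap a leading control character walks through.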
“In addition to the code at the above site, we found a similar attack at http://www.{BLOCKED}php.com/x/toplu.php,” Huang explained. “We believe both of them are created by the same author because they share several function names, as well as the client_id of the Facebook app.”
“The client_id involved in this malware was ‘2254487659’,” he added. “This is an official BlackBerry App maintained by BlackBerry. We confirmed with BlackBerry and clarified that this malware is trying to take advantage of the trusted BlackBerry brand name and steal user’s access-tokens, which can be used to make requests to Facebook APIs and read user’s information or to publish content to Facebook on behalf of a person.”
BlackBerry is working with Facebook and Trend Micro to address the issue. Google has already issued a fix for the vulnerability for Android users.
Top 5 Facebook Scams Revealed in Two-Year Study
Posted on November 5, 2014 by Kara Dunlap in Security
A two-year study by Bitdefender sheds some light on the most popular types of scams on Facebook and who is falling for them.
The study examines more than 850,000 Facebook scams. Analyzing each of them revealed the following top five bait categories for attackers looking to hit users with spam, malware or other attacks: profile viewer scams (45.5 percent); Facebook functionality scams such as claims about adding a dislike button (29.53 percent); gift card/gadget giveaway scams (16.51 percent); celebrity scams such as death hoaxes (7.53 percent); and atrocity videos with subjects like animal cruelty (0.93 percent).
The report delves into psychological explanations as to why users fall for the traps.
“The most popular Facebook scam offers users the chance to see if they are still searched by a person for whom they may still have feelings,” according to the report. “Their judgment tells them to avoid clicking on such a lure, but this rational censorship will come along with big emotional consumption. They often don’t even need to believe the link hides emotionally-important information, but they rather do it just to check things out.”
“There is also an additional element helping hackers to trick millions of users every year,” the report notes. “The ‘profile viewer’ message is customized, touching them on a personal level.”
Facebook functionality scams rely on the desire of users to make their image and experience better, while the giveaways play to greed – or in the case of giveaway scams aimed at gamers, competitiveness, Bitdefender researchers explain in the report.
“Though less present, the last two categories of Facebook scams are growing at a steady pace,” according to the report. “Celebrity sex tape scams and atrocity news (such as murders and child abuse) are attracting thousands of victims with every new campaign, as they also ‘include’ alluring videos. In the attempt of creating a profile of the most gullible victims, Bitdefender’s behavior analysts discovered there is such a wide range of users falling for Facebook scams, that an exact profiling would be too restrictive.”
“In conclusion, anyone could fall victim to a Facebook scam at one point in his life, as cyber-criminals always pull the right psychological triggers.”
The whitepaper can be read here.