By: Julien Sobrier

Facebook Phishing: Manual Session Hijacking

Uncategorised

We have reported a number of Facebook phishing pages and scams on this blog. Attackers always come up with clever ideas to fool users in order to obtain their credentials. One of these phishing tricks is a "poor-man" session hijacking attack whereby the user is fooled into copying and pasting a Facebook URL containing the session ID or other credentials into a malicious page. I'll describe such an example that I spotted this past weekend.

The phishing page starts with the usual bait, a video. This time, no sex, but instead an opportunity to watch "Jackie Chan died after perfecting a deadly stunt. Jackie Chan falls from a building of 12 floors."
 
Jackie Chan died!
The user must click to verify his age, another common trick to get users to click on the page. This displays a list of steps to "verify your age" which involve clicking on another link, copying a link from the window opened, and submitting the data.
 
Steps to "verify" the user age
The new window points to Facebook. The window is too small for the user to understand what he is copying. Also, instead of opening a page, the URL used is "view-source:https://www.facebook.com...". This makes it one step harder for the user to understand that the window displays a page from Facebook.
 
Popup window open by the phishing page
When the user copies and pastes their Facebook URL into the 3rd party web page, they're also sending their authentication token used share content. Once this is done, the scammer can now post content on the user's behalf.

Fortunately, Facebook reacted quickly to this particular scam. The Facebook  popup is not valid anymore and it shows the following warning:
Warning from Facebook
When subsequently logging into Facebook after viewing the scam, I also received a warning about phishing pages:
Warning about phishing pages

It looks like Facebook has reacted much faster than they have in the past and added additional warnings for end users. I was asked by Facebook to review my timeline for any suspicious activating just after I logged in. Hopefully more Facebook users will learn about these phishing techniques and will be able to spot them early on.
 

Learn more about Zscaler.