Phishers became more professional , using various ways to get users credentials, Facebook is one of the popular websites that is apt to such attacks.
Today i want to share with you guys this blog post concerning a malicious code that is widespread all over the internet. Recently I was tagged in a post by a friend on Facebook, so i checked this post and i found that it’s about a new method to “Hack Facebook accounts” as i wanted me too to hack some Facebook accounts ( lol :p ) i was curious on how can i do it, then i found these steps :
- First go to your victim’s profile.
- Select Inspect Element.
- Copy the code from this link : http://pastebin.com/raw.php?i=PwMMAP19(o_O).
- Now paste the script into the box given blow (Console).
- Press Enter and after 10 seconds you’ll get a message from your victim includes his email and password.
var fb_dtsg = document.getElementsByName(‘fb_dtsg’).value;
var user_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/));
In addition i noticed that the 3 last functions : [ Report(param), arkadaslari_al(id), RandomArkadas(), yorum_yap(id,param) ] appears to be obfuscated to make the code more disorganized using an easy method simply we have 2 arrays : _0xb161 & _0xa22c contains multiple elements hex encoded :
var _0xa22c = [“value”, “fb_dtsg”, “getElementsByName”, “match”, “cookie”, “1395443067381092”, “onreadystatechange”, “readyState”, “arkadaslar = “, “for (;;);”, “”, [……..] “status”, “close”];
I realized after that these elements are used to be implemented in the functions i already mentioned and passed around via a series of misleading assignments. Every time a function wants to use an element it sets a reference to it ( i.e : _0xa22c ==> “getElementsByName”). After digging around for a few minutes and coding a simple program to put each element in its place. Finally i got an organized and comprehensible code, Now it’s time to take a look to the tasks assigned to each function.
Deobfuscated & explained script here : http://pastebin.com/1hY0kwCk
We should now do a simulation of this process to ( get the victim email & password ohh i’m so excited ^^ :p) since we know what the code does & discovered the bad reasons behind coding this script. Besides once i executed this script following the steps above using a test accounts in an isolated environment to prevent any risky execution i got a strange behavior. The background of Facebook changes, a media player appears and auto-played, all the functions executed their tasks successfully, actual results was stealing your Facebook cookies and uses your account to like a series of pages,subscribe in a list, add profiles, auto follow,report a profile, Like and get tagged in a post. So the hole process results in gaining access to Facebook paths/sensitive Data.
Moreover i was searching for many sources on the net to get a similar sample. Then i found many codes with different audio links : http://picosong.com/media/songs/XXXXXX so i suspected that maybe it’s used to run a crafted mp3 files ( i.e : used to exploit a 0-Day in browsers) or to run some malicious binaries. worse than that, i found some Add-ons that is used to such ends but some of them are deleted like “Facebook Essential”, but many others still used for bad purpose.
It’s just a quick post, hope you like it.
Stay tuned …
email : email@example.com