Facebook has connected millions of people around the world. The social connector has become not only a medium for sharing but also a platform for third parties to nurture their businesses based on applications and games. Facebook pages, in addition, let users advertise their businesses to people across the globe. Facebook pages (sponsored stories and ads) have become one of the best ways to spread the word about a business.
Popularity has its own side effects. The useful Facebook pages and applications have been misused by spammers, and the innocent public has to suffer. We came across a Facebook Page scam that was misusing the Static HTML: iframe tabs application to trick users.
The spammer creates a Facebook page: http://www.facebook.com/pages/Innovative-i-Phone-5-Testers/312680162106831?notif_t=fbpage_fan_invite
When a user comes across this page, “Loading” is displayed and then the page redirects to a pop-up. The redirection here is done using the Facebook Static HTML: iframe tabs application. This is a useful tool that lets Facebook application developers build iframe tabs for pages.
The network traffic points to the application at www.facebook.com/apps/application.php?id=190322544333196
A useful Facebook application is being used here for malicious purposes by the spammer.
It is evident from the code (see Image1) that a redirection to ‘heroku.com’ takes place using the HTTP POST method. The spammers use that domain with an added subdomain, ‘statichtmlapp.heroku.com’, and a further redirection then takes place (see Image2).
Like ‘heroku.com’, ‘statichtmlapp.com’ is also compromised and is used for further redirection to pop-ups through an added subdomain, ‘raw.statichtmlapp.com’. Here again, encrypted information is sent to a compromised server using the HTTP POST method.
See Image3 for the initial pop-up, which is served using the domains (fuwuzetr.info, utepuppy.com, wuizforcash.com, etc.).
If you are not from the U.S., the pop-up will further redirect you to another pop-up specifically for you (see Image4).
Eventually, the user is led to an ad page that looks similar to Image5.
If you are not from the U.S., you are led to an ad page that looks similar to Image6. This strengthens the idea that the spammer is using local servers, chosen by territory, to render ad pages.
The page is presented as if you were the luckiest person on earth. That is when the spammers ask for personally identifiable information, such as your e-mail address, zip code, mobile number, and other basic information.
The notable thing here is that the spammer navigates through all of these pages using a single iframe URL.
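The redirect chain described above can be reconstructed from captured proxy traffic by linking each request to its Referer and counting how many off-site hosts the page tab passes through. The following Python is an added example, not code from the scam page or from this post. It assumes records of the form (method, url, referer) with the Referer header preserved; the hostnames are the ones named above, while the paths and the `max_hosts` threshold are constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy records (method, url, referer). Hostnames are the ones
# named in the article; every path is a placeholder.
START = "http://www.facebook.com/pages/example-page"
SAMPLE = [
    ("GET", START, ""),
    ("POST", "http://statichtmlapp.heroku.com/tab", START),
    ("GET", "http://www.facebook.com/images/logo.png", START),
    ("POST", "http://raw.statichtmlapp.com/content", "http://statichtmlapp.heroku.com/tab"),
    ("GET", "http://fuwuzetr.info/popup", "http://raw.statichtmlapp.com/content"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def same_site(h, site):
    return h == site or h.endswith("." + site)

def longest_chain(records, start_url):
    """Longest run of requests linked by Referer, starting below start_url."""
    children = {}
    for method, url, referer in records:
        children.setdefault(referer, []).append((method, url))

    def walk(url, seen):
        best = []
        for method, child in children.get(url, []):
            if child in seen:  # ignore redirect loops
                continue
            path = [(method, child)] + walk(child, seen | {child})
            if len(path) > len(best):
                best = path
        return best

    return walk(start_url, {start_url})

def assess(records, start_url, site="facebook.com", max_hosts=2):
    """Flag a chain that crosses more than max_hosts off-site hosts and has a POST hop.
    max_hosts is an assumed threshold: one off-site hop is normal for an iframe tab."""
    offsite = [(m, u) for m, u in longest_chain(records, start_url)
               if not same_site(host(u), site)]
    hosts = list(dict.fromkeys(host(u) for _, u in offsite))  # ordered, distinct
    posts = sum(1 for m, _ in offsite if m == "POST")
    return {"hosts": hosts, "post_hops": posts,
            "suspicious": len(hosts) > max_hosts and posts > 0}
```

Calling `assess(SAMPLE, START)` reports the off-site hosts in hop order, which is the list an analyst would check against the domains an iframe tab is expected to load.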
Intention of attack
I have not experienced anything wrong with my Facebook account after observing the spam page. However, I’m concerned about the encrypted data that was sent to compromised servers. The user’s e-mail address and mobile numbers could also be used for future spamming.
The type of spam is a warning sign: Facebook users and third-party application developers alike must be on the lookout for similar pages used to trick innocent users.