Obscuring malicious Facebook links using the Open Graph Protocol

Most users click on links popping up in their Facebook News Feed without thinking twice about it, but it’s good to keep in mind that they can lead to malicious sites.

Here’s an example of one flagged by the SANS ISC (Internet Storm Center):


Perhaps it doesn’t look very interesting, but it definitely does not look outright malicious. Nevertheless, some of the users who followed it landed on a Facebook phishing page – an unambiguous threat.

How did the phishers achieve the semblance of a harmless link?

They equipped the landing web page with “Open Graph” tags that would create the illusion of a link to a YouTube page:


“The meta ‘og:’ tags will tell Facebook to display a YouTube logo (‘og:image’), and the text ‘355,857 View’ (‘og:description’), making this look like a legitimate link to YouTube,” researcher and ISC handler Johannes Ullrich explains.
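The defensive counterpart to this trick is to compare what a page's Open Graph tags claim with where the page is actually hosted: a preview whose og:url and og:image resolve to a different site than the one serving them is exactly the pattern described above. The following Python script is an added example written for this article, not code from the ISC report or from the phishing page; the HTML samples, host names and image path in it are constructed placeholders, and the registrable-domain helper is a deliberate simplification (a production tool would consult the Public Suffix List).

```python
"""Extract Open Graph tags from a page and flag previews that borrow another site's identity."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags; the first occurrence of a property wins."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)  # HTMLParser lowercases attribute names, values are untouched
        prop = attr.get("property", "")
        content = attr.get("content")
        if prop.startswith("og:") and content is not None:
            self.og.setdefault(prop, content)


def extract_og(html):
    parser = OpenGraphParser()
    parser.feed(html)
    parser.close()
    return parser.og


def registrable_domain(host):
    """Crude approximation of the registrable domain (last two labels).
    Good enough for a demo; a real tool would use the Public Suffix List."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_og_consistency(page_url, html):
    """Return findings where og:url or og:image point at a different registrable
    domain than the page that serves them. An empty list means the preview is
    consistent with the hosting site."""
    og = extract_og(html)
    page_domain = registrable_domain(urlparse(page_url).hostname)
    findings = []
    for key in ("og:url", "og:image"):
        value = og.get(key)
        if not value:
            continue
        target = registrable_domain(urlparse(value).hostname)
        if target is None:
            continue  # relative URL: resolves to the hosting site, so no mismatch
        if target != page_domain:
            findings.append(f"{key} -> {target}, but the page is served from {page_domain}")
    return findings


# Constructed samples (not taken from the phishing page in the article):
# a landing page on an unrelated host whose preview impersonates YouTube ...
SUSPICIOUS_URL = "https://landing.example-phish.invalid/watch.html"
SUSPICIOUS_HTML = """
<html><head>
<meta property="og:title" content="Video">
<meta property="og:type" content="video.other">
<meta property="og:url" content="https://www.youtube.com/watch?v=placeholder">
<meta property="og:image" content="https://www.youtube.com/placeholder/logo.png">
<meta property="og:description" content="355,857 View">
</head><body>...</body></html>
"""
# ... and a page whose preview points back at its own site.
BENIGN_URL = "https://blog.example.org/post/1"
BENIGN_HTML = """
<html><head>
<meta property="og:url" content="https://blog.example.org/post/1">
<meta property="og:image" content="/static/cover.png">
</head></html>
"""

if __name__ == "__main__":
    for url, html in ((SUSPICIOUS_URL, SUSPICIOUS_HTML), (BENIGN_URL, BENIGN_HTML)):
        result = check_og_consistency(url, html)
        print(url, "->", result or "preview consistent with hosting site")
```

Run against the constructed suspicious page, the check reports both og:url and og:image as pointing at youtube.com while the page lives elsewhere; the benign page produces no findings because its og:url matches its host and its og:image is a relative path. This is the kind of check a link-scanning proxy or a URL-reputation pipeline can apply before a preview is trusted.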

In this particular example, users who click on the link are first redirected to a smartURL link, which detects the user’s location and device type, and are then sent on to the phishing page or to a random Wikipedia page (as happened to Ullrich).

My own tests seem to indicate that the phishers are targeting mobile users, as I got a Wikipedia page each time I visited the smartURL link with my computer browser, but got the phishing page when I used Safari on iOS (by the by, the phishing page is still active):


Also, it’s good to add that major social platforms – such as LinkedIn, Twitter, and Google+ – recognize Open Graph tags, so this same trick can be pulled to phish users of those platforms, as well.
