In this article we are going to show, with the help of teachers, how a cyber attack can be carried out against Facebook accounts. According to a teacher of a web security course, a phishing attack can be executed by exploiting a vulnerability in Facebook's ad system. The conversion rate of a phishing attack is very high, and once you have reached the target it is easy to hack. In this article we are going to show you how this kind of attack is executed. We will use local ads and local victims. We will use our postal code and age, and we will configure the ad so that it is only shown to people connected to the Facebook page.
We are going to prepare and run an ad on Facebook whose destination URL is espn.l1dh.com or http://goo.gl/UssPDm, and we set the displayed URL to www.cnn.com or ctvnews.ca.
The advertisement's domain will be shown as www.cnn.com or ctvnews.ca, which are known as news organizations with a good reputation. Therefore, few people will hesitate before clicking it.
You will notice that the page looks very much like ESPN, not like CTV or CNN. Moving on to the last page, we see the inevitable ads for the supplements.
The webpage looks like ESPN, and the player is vouching for this supplement. At the bottom of the site we can see the “social evidence” of people recommending the product. This gives visitors more confidence to stay on the website, says the teacher of the web security course.
We are going to make a quick reverse image search to see whether these persons are real. Charles Barrott will be the target of our search:
This runs a reverse search on Google for that exact image. In the results, the person in the image turns out to be Sam Muirhead, a film director. So it means that we created fake accounts to recommend the site.
This clearly shows that hackers have discovered a way to game the Facebook system in order to publish advertisements that supposedly bring us to one place (ctvnews.ca) and in the end bring people to a different one. Not only that, they also repeatedly use commercial names, terms and fake information to sell the products. According to the experts of the web security course, this violates a number of Facebook's advertising policies. The same technique can also be used to lead to malware, ransomware or a spear phishing page.
How do we analyze this kind of attack?
Copy the URL of the ad. Instead of clicking the link, right-click it, copy the link address and paste it into a text editor.
It is a long, messy URL, and all of the little % signs mean that the URL is encoded. According to the web security course experts, you can easily find a URL decoder online that can help you check whether the URL is real, and you will see this:
The first part is a Facebook advertisement controller, and the part in black letters is the destination URL where the victim will arrive after clicking it. We have cut everything off at the “&” character, so we are left with only the shortened Google URL. This brings us to the next step of our investigation.
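The manual check described above (decode the copied ad link, then read off the embedded destination) can be scripted so the link is never opened. This is an added example, not code from the original article; the sample link, its host ads.example.invalid and its parameter names are constructed placeholders, and only goo.gl/UssPDm and www.cnn.com come from the text.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: the host and parameter names are placeholders, not
# Facebook's real ad-click format. Only goo.gl/UssPDm comes from the article.
SAMPLE_AD_LINK = (
    "https://ads.example.invalid/click?id=123"
    "&u=http%3A%2F%2Fgoo.gl%2FUssPDm&h=abc"
)

def _is_url(value):
    return value.lower().startswith(("http://", "https://"))

def embedded_urls(link, max_rounds=3):
    """Return every http(s) URL carried in the query string of `link`."""
    found = []
    for _name, value in parse_qsl(urlsplit(link).query):
        # parse_qsl decodes once; keep going for double-encoded values.
        for _ in range(max_rounds):
            if _is_url(value) or unquote(value) == value:
                break
            value = unquote(value)
        if _is_url(value):
            found.append(value)
    return found

def _bare_host(url_or_domain):
    """Lower-cased hostname without a leading 'www.'."""
    if "//" not in url_or_domain:
        url_or_domain = "//" + url_or_domain
    host = (urlsplit(url_or_domain).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_destinations(link, displayed_domain):
    """Embedded URLs whose host is not the domain the ad displays."""
    shown = _bare_host(displayed_domain)
    return [
        url for url in embedded_urls(link)
        if _bare_host(url) != shown
        and not _bare_host(url).endswith("." + shown)
    ]

if __name__ == "__main__":
    for url in mismatched_destinations(SAMPLE_AD_LINK, "www.cnn.com"):
        print("displayed www.cnn.com, actually goes to:", url)
```

The check does not rely on a particular parameter name: it inspects every query value, so it still finds the destination if the redirect format differs from the constructed sample.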
Analyzing Google's shortened URLs.
Google's URL shortener works like any other shortening service, such as bit.ly. You give it a URL and it returns a short URL. The good thing about Google's URL shortener is that it gives you analytics, so you can see how others reach the shortened URL and how many times they do so.
So, how do I find these amazing analytics?
You only have to add .info to the end of the shortened URL, and it will bring you to a page where all the data is.
There we can see that there were 26.812 clicks through this URL, and if you hover over the ring chart you will see that 11.246 arrived from Facebook. This is a huge number of clicks. The “unknown” clicks could be from browsers that do not send HTTP information. What we see in the activity graph is that the analytics only recorded data for a short time before stopping. In Facebook's defense, this can mean that they detected the fraud or that someone reported the ad. It could also be that the scammer earned enough money and hacked enough users, and decided to stop the campaign.
We also see that the destination URL (which is dead at this moment) is:
In this case, we don't have enough evidence to prove that we found a fraudulent destination site, but if you look up the dftrack6.com domain, you will see that it looks suspicious.
The main point here has been proven: hackers can create advertisements that appear to bring us to legitimate places, and by doing this they can bring a lot of clicks to their own destination sites and execute malicious code, said the web security course teacher.