SANS ISC InfoSec Forums | DShield
What's not to Like about "Like?"

"Get off of my lawn!"

I admit that I have a suspicious, curmudgeonly streak. I view every new feature update from Facebook like it's a vulnerability announcement from Microsoft. I'm concerned not only with what the people behind Facebook may be planning with a feature, but more so with how other groups might repurpose that feature. The recent expansion of the Facebook API is one of those things that gives me concern.

 

What happens when you click "Like?"

When you click "Like", there's an announcement of this activity on your wall, and it's added to your "Likes" section. People who have common likes can see each other, but only as much as they would share with anyone else who had their Facebook username. That doesn't sound so bad.

 

What are people "Like"ing?

Normally, a Facebook user could create a group or page to support a product, business or idea such as: Rock Music, Gibson Guitars, or Billy-Bear's Bean Shop. With the update to the Facebook Platform (http://blog.facebook.com/blog.php?post=383404517130), third-party websites can now place a "Like" button on their own pages. Is this a problem? If I like Nike shoes, why not like nike.com itself?

What has been triggering my spidey sense is that over the past couple of weeks, my Facebook event log has been filling up with people "like"ing third-party pages that are simple messages like: "like if you want a long lasting relationship:)!" or other simple platitudes. The first thing that attracted my notice was that they were often mean-spirited, hateful, or had some sort of -ism in them. These were surprising messages to read on a friend or family member's page, so I suspected some sort of hijack or other foul play. Unfortunately I haven't turned up anything to support that theory; my friends and family are just mean people, I guess.

There are a handful of sites that have been recently set up to take advantage of this new feature in the Facebook Platform. Some that I have seen used recently are:

  • golikeus.org, registered 19-JUN-2010, privately registered
  • likealike.co.uk, registered 23-AUG-2010, privately registered
  • phrasely.net, registered 26-AUG-2010, privately registered

Each supports a user-created message feature where Facebook users can set up their own message and try to get as many folks to join as possible.

Recently they've updated their posts so that when the "Like" message appears on the user's wall, the source is obfuscated behind a heart or musical symbol. I saw one that was even hiding behind a bit.ly link.

So other than the domains being recently registered with no contact information and the simple obfuscation, what evidence do I have that there's evil afoot? None, other than that it trips a lot of the rules of thumb I've acquired over the years.
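Those rules of thumb can be written down and run over a wall of "Like" posts. The following is an added triage script, not code from the diary or from ISC: it scores each post on the signals named above (a registrable domain created only days before the observation date, a privacy-protected registrant, a source hidden behind a URL shortener, and link text that is nothing but a symbol). The WHOIS records are constructed inline (the three creation dates are the ones listed above; "bigbrand.example" is a made-up benign contrast), the sample posts are constructed, the 90-day "young domain" cutoff is an arbitrary choice, and the observation date is the diary's own date of 4 September 2010. A real deployment would replace the dictionary with live WHOIS/RDAP lookups and expand shortener links before scoring them.

```python
"""Heuristic triage of third-party "Like" sources (added example).

All WHOIS data and posts below are constructed for the example; they are
not live lookups or captured traffic.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed WHOIS-style records keyed by registrable domain.
WHOIS = {
    "golikeus.org":     {"created": date(2010, 6, 19), "private": True},
    "likealike.co.uk":  {"created": date(2010, 8, 23), "private": True},
    "phrasely.net":     {"created": date(2010, 8, 26), "private": True},
    "bigbrand.example": {"created": date(2001, 3, 12), "private": False},  # made-up benign site
}

# Shortener hosts whose target cannot be judged without expanding the link.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd"}

# Illustrative (incomplete) list of public suffixes with two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def registrable_domain(url):
    """Return the registrable domain of url: the hostname minus subdomains,
    keeping three labels under suffixes such as co.uk."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def triage(post, whois=WHOIS, observed=date(2010, 9, 4), young_days=90):
    """Score one wall post as (score, reasons); each triggered rule adds one.

    post is a dict with the visible link "text" and the destination "url".
    """
    reasons = []
    domain = registrable_domain(post["url"])

    if domain in SHORTENERS:
        # Cannot evaluate the real destination without expanding the link.
        reasons.append("source hidden behind URL shortener %s" % domain)
    else:
        rec = whois.get(domain)
        if rec is None:
            reasons.append("no registration data for %s" % domain)
        else:
            age = (observed - rec["created"]).days
            if age < young_days:
                reasons.append("%s registered only %d days ago" % (domain, age))
            if rec["private"]:
                reasons.append("%s uses private registration" % domain)

    # Link text made only of symbols (a heart, a musical note) hides the source.
    text = post["text"].strip()
    if text and not any(ch.isalnum() for ch in text):
        reasons.append("link text is only symbols (%r)" % text)

    return len(reasons), reasons


# Constructed sample posts; the shortener path is invented, not a real link.
POSTS = [
    {"text": "\u2665", "url": "http://likealike.co.uk/like/12345"},
    {"text": "\u266a", "url": "http://bit.ly/abc123"},
    {"text": "Big Brand Running", "url": "http://www.bigbrand.example/shoes"},
]


if __name__ == "__main__":
    for post in sorted(POSTS, key=lambda p: triage(p)[0], reverse=True):
        score, why = triage(post)
        print(score, post["url"], "; ".join(why))
```

Run as a script it lists the constructed posts from most to least suspicious; the heart-fronted likealike.co.uk post trips three rules, the bit.ly post two, and the long-registered brand site none. The scorer is deliberately a counter rather than a verdict: as the diary notes, none of these signals is proof of anything, they only tell you which posts deserve a pcap.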

 

One last example.

This week, one of my family members had this message pop up on my wall:

"WOW, This GUY Went A Little To FarWITH His REVENGE On His EX GIRLFRIEND! (shocking)"

I was certain that they'd been compromised this time. I set up a system and followed the links, capturing pcaps, just waiting for the prompt to download the fake video codec or whatever booby trap they had waiting for me. The domain, shocking-revenge.info, was barely a day old, and the links went off to pull down content from other free-hosting providers. It had all the hallmarks of a psychological exploit. So I kept clicking like a sucker, waiting for the big reward.

It never came.

Just more advertisements, and whoever's behind it has a nice bit of demographics for marketing purposes and a channel to distribute more lures and ads.

 

The Impact

So the short story is that there's nothing overtly evil about "like" links. I also don't see shadows of some large privacy violation or exposure when you click the "like" button on Facebook-hosted pages or sites that you trust.

However, I do see some risk in clicking on untrusted third-party "likes"; not because I have any hard data from any cases, but because I've seen this movie before, and I will see it again.

I'm just disappointed that I have friends/family with *isms. I was really hoping it was malware.

Kevin Liston, ISC Handler
I've never understood the big deal about facebook, myspace, twitter et al. I've had numerous people tell me that I need to have (place name here). My typical reply is why? When they tell me why, I typically give them a couple links and ask again why? Not one has ever been able to tell me why after that.

I taught my 7-year-old daughter how to make a page of img tags, gave her space and a URL on the server, and she's rarely come to me saying "I need this or that"; when she does, I show her a much safer alternative where she or I control the flow.

If my 7-year-old daughter can do this, anyone can. There's more free webspace/chat/you-name-it out there than you can shake a stick at ... why in the heck does anyone need Facebook/MySpace/Twitter et al.? Because it's the new pink? Not a good enough excuse in my book.

oh ... let's not forget email for keeping in touch with family and friends.
Greg
The reason you need it is...

Well, you don't really *need* it. Rather, the reason it works for so many people is that it is a pre-built community and can take far less work to update and keep relevant than maintaining one's own site would.

That's the perception, and so that's where people flock, and that becomes where it is easier to reach those people, etc.

And it is easier to keep track of people beyond immediate family and close friends. (I'm not sure that's good or bad. <g>)

As for the potential for malicious links, I'm sure that they are there. Probably waiting for enough people to start using them first...

-ASB
Greg
1) If other sites start using "like" buttons, it will be a reflex for many users to click that "like" button (even if that button is the malicious link users are proverbially tricked into clicking).
2) But just wait until Facebook institutes a "DISLIKE" button. Anyone and everyone will be clicking on it left and right! (Currently there is a dislike button that can be added for Firefox users, but only other Firefox users will see the "dislike" stats; plus some scams were tricking people into taking needless surveys to be redirected there.) When Facebook itself institutes a "real" Dislike button, I will be one of the first to wear out my mouse clicking on it constantly :( Ripe ground for the bad guys to harvest...
--roseman
Greg
I read this diary on Google Reader, and this made me chuckle (in lieu of screenshot):
-------
What's not to Like about "Like?", (Sat, Sep 4th)
3 people liked this
-------
oleksiy
I was delighted to find this article here but was hoping for the big payoff too. I found a bunch of these posts on my friends' walls on Facebook and it smelled fishy to me too. I didn't capture traffic and pursue it in the way that you did, so I was glad to read about it. But there is one aspect of this that I think you might make clear: none of these ♥ posts are actually posted with the knowledge of the user. I polled my friends and family members and none of them knew that they had posted this.

So I'm glad to hear that (so far) it's just advertising and demographics logging, but it still qualifies as evil to me because it's happening without the user's consent.

I posted instructions to my wall about removing the like and cleaning your wall posts and encouraged anyone who saw one of these to contact the person and make them aware. It was amazing how quickly they stopped showing up within my circle.

Thanks for the article.
Tim