Elusive Facebook Phish

 Phishing Facebook

Recently I received a spam message from a Facebook friend of mine whose account had been compromised. I immediately spotted the scam by the style of delivery and reported it to Netcraft. I was intrigued to find out more about the phish, so I visited it again. However, this time I was presented with an HTTP 404 “page not found” - the difference being that I had visited the phish from the full Safari browser rather than the built-in browser within the Messenger app…

The phish was obviously using some technique to detect the environment it was opened in, with the aim of being more elusive and avoiding detection: it only served content when it was likely being accessed by a potential victim. Before I reveal how it does this, let's talk about…

The Phish’s M.O.

Which is as follows (the original post shows this as a diagram):

[Diagram: Built-in Safari within Messenger; One of many destination pages; Full Safari App]

How the phish avoids detection

When a browser makes a connection to a site it sends various pieces of data along with the request. One of those is the User-Agent header, which typically contains details about the device and the browser being used, for example…

Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

When using the inbuilt Safari browser in Facebook Messenger, it appends additional information relating to the app and more details about your device: (LightSpeed [FBAN/MessengerLiteForiOS;FBAV/335.1...). This behaviour ultimately reveals to the malicious actor that the site is being viewed through Messenger, and so signals that the Facebook phish should be served to you.

Below are some examples of these extended User-Agents…

Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/335.1.0.54.71;FBBV/327105523;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/14.8;FBSS/3;FBCR/;FBID/phone;FBLC/en-GB;FBOP/0]
Mozilla/5.0 (iPad; CPU OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/335.1.0.54.71;FBBV/327105523;FBDV/iPad14,1;FBMD/iPad;FBSN/iOS;FBSV/15.1;FBSS/2;FBCR/;FBID/tablet;FBLC/en-GB;FBOP/0]

But why?

Evading detection makes life more difficult for the parties who might be able to take action against the site (and ultimately get it removed). This prolongs the time the site stays active, and therefore the time it can steal credentials from victims.

Automated systems that classify possibly malicious URLs are unlikely to visit the site with a Messenger-like User-Agent, and so would need manual intervention to confirm the phish exists. The User-Agent requirement puts up a barrier at each stage of the identification and reporting process: entities like the host or registrar will need to independently confirm that the fraudulent content exists and come to the same conclusion about the site.
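The User-Agent format shown above and the detection gap just described are what a URL scanner has to account for. The script below is an added example, not code from the original post: it parses the FB* fields out of a Facebook in-app User-Agent and then fetches a URL under several browser profiles (one of them Messenger) to flag a site that serves different responses to in-app and plain browsers. All sample User-Agents and the target site's responses are constructed inline so the script runs offline; `fake_fetch` is a stand-in for a real HTTP client, modelled on the behaviour the post describes, and the scan URL is a placeholder.

```python
import re

# Suffix appended by the Facebook/Messenger in-app browser (format quoted in the post):
#   LightSpeed [FBAN/MessengerLiteForiOS;FBAV/335.1.0.54.71;...]
# Fields inside the square brackets are KEY/VALUE pairs separated by ';'.
FB_SUFFIX_RE = re.compile(r"\[(FBAN/[^\]]*)\]")

# Constructed sample User-Agents. The Messenger one copies the format in the post;
# the plain-Safari and desktop ones are assumed typical values.
UA_MESSENGER_IPHONE = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;"
    "FBAV/335.1.0.54.71;FBBV/327105523;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;"
    "FBSV/14.8;FBSS/3;FBCR/;FBID/phone;FBLC/en-GB;FBOP/0]"
)
UA_PLAIN_IPHONE = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1"
)
UA_DESKTOP = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/96.0 Safari/537.36")


def parse_fb_inapp_fields(user_agent):
    """Return the FB* fields of a Facebook in-app User-Agent as a dict,
    or None when the User-Agent belongs to a plain browser."""
    m = FB_SUFFIX_RE.search(user_agent)
    if not m:
        return None
    fields = {}
    for pair in m.group(1).split(";"):
        key, sep, value = pair.partition("/")
        if sep:                  # ignore stray tokens without a '/'
            fields[key] = value  # 'FBCR/' yields an empty carrier string
    return fields


def is_messenger_ua(user_agent):
    """True when the request comes from the Messenger in-app browser."""
    fields = parse_fb_inapp_fields(user_agent)
    return fields is not None and "Messenger" in fields.get("FBAN", "")


# --- Simulated target (constructed) behaving like the phish in the post ----
def fake_fetch(url, user_agent):
    """Stand-in for an HTTP GET returning (status, body). Serves a page only
    to Messenger User-Agents and a 404 to everyone else."""
    if is_messenger_ua(user_agent):
        return 200, "<html><form>Log in to Facebook</form></html>"
    return 404, "Not Found"


# Profiles a URL scanner should try; at least one in-app profile must be present
SCAN_PROFILES = {
    "messenger_iphone": UA_MESSENGER_IPHONE,
    "safari_iphone": UA_PLAIN_IPHONE,
    "desktop_chrome": UA_DESKTOP,
}


def scan_for_cloaking(url, fetch=fake_fetch, profiles=SCAN_PROFILES):
    """Fetch `url` under every profile and report whether the site answers
    in-app User-Agents with status codes it never gives plain browsers."""
    status = {name: fetch(url, ua)[0] for name, ua in profiles.items()}
    inapp = {name for name, ua in profiles.items() if is_messenger_ua(ua)}
    inapp_codes = {status[name] for name in inapp}
    plain_codes = {status[name] for name in status if name not in inapp}
    cloaked = bool(inapp_codes) and bool(plain_codes) and inapp_codes.isdisjoint(plain_codes)
    return {"url": url, "status_by_profile": status, "cloaked": cloaked}


if __name__ == "__main__":
    report = scan_for_cloaking("https://example.invalid/placeholder")  # placeholder URL
    for profile, code in report["status_by_profile"].items():
        print(f"{profile:>16}: HTTP {code}")
    print("cloaking suspected:", report["cloaked"])
```

With a real HTTP client swapped in for `fake_fetch`, the same comparison can be run by a takedown or triage team on a reported URL: a 200 for the Messenger profile against a 404 for every plain browser is exactly the split the post describes, and is the signal that a manual check with an in-app User-Agent is worth doing before closing the report.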

To the outside world the site l1x[.]eu just looks like an instance of short.io’s URL shortener software with no active links, when in fact the entire domain has been purpose-registered (on 30 July 2021, with NameCheap) to host these Facebook phish.

Subtle giveaways which identify a phish

Signs to help you avoid falling for such scams.