This afternoon I found out on my news feed this post:”A sexy girl is playing with the Nintendo Wii.. lets see what happened next !”. I was pretty curios to click on it because I knew this Social Engineering Trap. It is a classical one ;).
So lets click on it using a right click and save the link on memory. Then paste the grabbed Link on a empty browser url and lets go there seeing what will happen ! The crafted page seems very very close to the orignal youtube one, except for the URL (of course! )
If you go to its address (http://www.assurdo.info/w/wii.php) you can easily find some inconsistencies for example: the loading bar appears to be half loaded as soon as you open the attack’s link, the commands (Play, Stop, Pause) dont work at all (of course it’s a simple image!) and an unusual sentence says: “To play the video click Here”. Here we go… another clickjacking site ! I’ve already wrote about clickjacking in several forums, blogs etc. But if you are not familiar with this technique please read my last paper on this topic here.
Following the main HTML code, we meet the core of the attack. The following image describes the second half of the page.
A classic iFrame is used to hide the backgrounded page. I made the same example at DEISNET page, please take a look to them to fully understand how the iFrame hides the backgrounded page.
This trick is widely used in the underground communities to obtain fake clicks to get money from pay-per-click services. The script per-se does nothing bad at all to the attacked user, but it forces you to open a page generating traffic, clicks and page impressions on a URL where you wont click on it. Google and other advertisement companies recognize the click behavior and this techniques is the most used way to fake those services, since the click behavior is not altered from the usual one, respecting the normal click behavior stats.
So if you fall into this attack don’t worry, you don’t need to change password, you have contributed to a click fraud.
A possible way to counterattack is to make several click on the link the attacker used (http://bit.ly/fCT54Z). By voluntary clicking on it you will change the “normal clicking behavior” which means Google and other adv services will close the attacker adv account. Now is up to you 😉