Sunday, January 23, 2011

Following a Spammer's Trail

Yesterday, a friend posted an odd message to my Facebook wall. As soon as I read it, I realized that her account was hijacked, probably by visiting a nefarious website.

This can happen when you click a link that takes you to another website while you're still logged in to Facebook. The nefarious website can then exploit a weakness in your browser, or in how Facebook trusts requests coming from your logged-in session, to post something to Facebook on your behalf without your knowledge.

I decided to follow the trail. It started with a post that took me to (to be on the safe side, don't visit these websites). redirected my web browser to which led me to

This is where things got interesting, at least from a technical point of view. Most people know that you can view a web page's HTML source code to see how it was built (View -> Page Source). This is the first step in finding out where and how a web page was created, and the source code is almost always human-readable unless someone is trying to hide something. Instead of normal HTML, the source of this page is a block of JavaScript whose content has been encoded (called escaping): the HTML is written as %XX hex codes that the browser turns back into text with unescape() before it renders anything, so nothing is readable at first glance.

This is what you get if you decode (unescape) the JavaScript:

Once decoded, the JavaScript simply tells your web browser to create an HTML frame and display in it the contents of
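How the escaped hop can be unpacked without visiting it, as an added example (this is not code from the original post): saved page source goes in, each unescape() layer is peeled off statically without executing any of the page's JavaScript, and the script then lists where the decoded page would send the visitor next (frame src, meta refresh or location assignment). The sample source it ships with is constructed here to mimic the hop described above; the host next-hop.example.invalid is a placeholder, not one of the real domains in the trail, and jsEscape() only exists to build that sample the way a spammer's obfuscator would.

```javascript
// Added example: decode an escaped-JavaScript hop statically, without executing it.
// Nothing here is code from the original post; SAMPLE_SOURCE is constructed below and
// next-hop.example.invalid is a placeholder host, not a domain from the real trail.

// Reverse JavaScript's unescape(): turn %XX and %uXXXX sequences back into characters.
// Written out rather than calling the global unescape() so that no page code ever runs
// and malformed sequences are left untouched instead of throwing.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// The spammer's side of the trick: escape every character so the HTML becomes an
// unreadable run of hex codes (e.g. "%3C%69%66%72%61%6D%65" for "<iframe").
// The real escape() leaves letters and digits alone; obfuscators usually do not.
function jsEscape(s) {
  return Array.from(s, (ch) => {
    const c = ch.charCodeAt(0);
    return c < 256
      ? "%" + c.toString(16).toUpperCase().padStart(2, "0")
      : "%u" + c.toString(16).toUpperCase().padStart(4, "0");
  }).join("");
}

// Matches unescape("...") / unescape('...'), tolerating backslash-escaped quotes inside.
const UNESCAPE_CALL = /unescape\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*\)/g;

// Peel one layer: replace each unescape("...") call with its decoded text.
// Returns null when there is nothing left to decode.
function decodeLayer(source) {
  UNESCAPE_CALL.lastIndex = 0;
  if (!UNESCAPE_CALL.test(source)) return null;
  UNESCAPE_CALL.lastIndex = 0;
  return source.replace(UNESCAPE_CALL, (m, q, literal) => jsUnescape(literal));
}

// Keep peeling until the page is plain HTML. Obfuscated pages are often wrapped more
// than once, so the loop is bounded to guard against a payload that never settles.
function decodeAll(source, maxLayers = 10) {
  const layers = [source];
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeLayer(layers[layers.length - 1]);
    if (next === null) break;
    layers.push(next);
  }
  return layers;
}

// Where the decoded page would send the visitor next: (i)frame sources, meta refresh
// targets and JavaScript location assignments. Regex-based, so it is a triage aid,
// not a full HTML parser.
function extractNextHops(html) {
  const patterns = [
    ["frame", /<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi],
    ["meta-refresh", /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*?url=([^"'\s>]+)/gi],
    ["location", /(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/gi],
  ];
  const hops = [];
  for (const [kind, re] of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) hops.push({ kind, url: m[1] });
  }
  return hops;
}

// Full pass over a saved page source: every decoding layer plus the hops in the last one.
function analyze(source) {
  const layers = decodeAll(source);
  const decoded = layers[layers.length - 1];
  return { layers, decoded, hops: extractNextHops(decoded) };
}

// Constructed sample: a 1x1 iframe pointing at the next hop, escaped once, wrapped in
// document.write(unescape(...)), and that whole script escaped again. This is what
// "View -> Page Source" shows for such a page: a wall of %XX codes instead of HTML.
const NEXT_HOP = "http://next-hop.example.invalid/go.html"; // placeholder, not a real trail domain
const INNER_HTML = `<iframe src="${NEXT_HOP}" width="1" height="1"></iframe>`;
const LAYER1 = `<script>document.write(unescape("${jsEscape(INNER_HTML)}"));</script>`;
const SAMPLE_SOURCE =
  `<html><body><script>document.write(unescape("${jsEscape(LAYER1)}"));</script></body></html>`;

const result = analyze(SAMPLE_SOURCE);
console.log(`${result.layers.length - 1} decoding layer(s) removed`);
console.log(result.decoded);
for (const hop of result.hops) console.log(`next hop (${hop.kind}): ${hop.url}`);
```

Run it with Node.js on a page source saved from a browser (never on a live page) and it prints the decoded HTML and the next hop, which is exactly the information needed to continue down the trail without ever rendering the page. Because the decoder is regex-based it will miss payloads built from concatenated string pieces or from String.fromCharCode(); those need a deliberately sandboxed interpreter rather than a pattern match.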

After all these hops, you're now at The domain's registration is private, so you can't see who actually owns it, but looking up its IP address ( shows that the server is located in Russia. This still isn't the end of the line: after a few more hops, you end up at a web page that wants you to enter your e-mail address so that they can send you a free iPad.

The trail ends at's servers (IP address on a network leased to MPC Systems LLC, which could be based in Delaware or perhaps Texas, depending on who you ask.

Keep in mind that there are two parties (confederates) involved in this scheme. They could be unrelated, but that's usually not the case. One party created the nefarious web page that posted its message to your Facebook wall without your knowledge; the second party runs the destination website ( which claims it will give you an iPad for the low (free) price of your e-mail address.

I wouldn't recommend giving them your e-mail address.
