Hello, welcome to the Monday, August 7th, 2017 edition of the Sandinand, Storm Center's Stormcast. My name is

Johannes Ulrich, and the day I'm recording from Jacksonville, Florida. Thanks to some of my Facebook

friends, I came across an interesting case of the use of the OpenCraft Protocol in order to better disguise malicious Facebook

links.

In this particular case, a link was posted to Facebook that appeared to be linking to YouTube,

but instead linked probably for the most part to a Facebook fishing page. In my own testing it only redirected me

to a harmless Wikipedia page. The Open Craft Protocol is used in order to indicate what

images and what additional text you would like to have displayed in case a user does post a link to your site on Facebook.

Now, the image, of course, can be anything. Same with the text. You just add additional metadata

tags to your HTML in order to indicate what image and what text to display.

In this particular case, the image displayed was just a YouTube logo.

It was identified as a video with some additional text, kind of indicating that this is apparently

an interesting video to watch.

To make detection even a little bit more difficult, all of this happened via Google.

There was a Google short link and then also the Google storage service was used in order to house the HTML that did include these malicious or at least misleading open craft attacks.

Now in my testing on Friday, the link actually stopped working on Facebook.

Facebook refused to let me post this particular link.

Probably they figured out that it is malicious by now.

Google still is hosting the malicious HTML and the

shortling is still working. I notified them on Friday. And Kerber Malver that has so far been

mostly known as ransomware is adding new tricks to its tool chest. Now in the the past, it just encrypted the systems and then asked for ransom to be paid.

Now, if it recognizes certain Bitcoin or cryptocurrency wallets on the system, it will exfiltrate them,

...