Our sensors (i.e. our digital media person, a rabid fan of Facebook) caught today some interesting Facebook private messages. One of such, sent by a “Friend” to about 100 contacts of hers, merely consisted in a domain name, as can be seen below:

Fortunately for Daniel, he did not know what to do with it (or he knew, but did not want to); yet other recipients may have recognized a domain name, and entered it in their browser’s address bar, out of curiosity. After all, that’s from Martha, and she usually sends rather funny links.

Of course, the link was not actually from Martha, but rather from a cyber criminal having compromised her account. Fortunately, unlike Martha feared (but one is never too careful, and Martha is wise), the link did not lead to a virus-loaded page, but to a “pharmacy shop” belonging to the infamous “Canadian Pharmacy Ring“, and registered at “Directi Internet Solutions” (the new name of the infamous EST Domains registrar). In a nutshell, a typical case of spam 2.0. But while spamvertizement has happened before on Facebook Walls, and worms such as Koobface did leverage Facebook Private Messages to propagate, to our knowledge it’s the first instance of spam being distributed via Facebook Messages.

Another point worth mentioning is that while to Daniel’s eyes (if we assume his reply was ironic), junglemix.in was obviously a domain name, it was not at all the case to Facebook filters. We have shown in a previous post how Facebook wraps all urls featured in messages, so as to retain control on the “clicks” performed by recipients, even if those recipients read the message from their regular email account. This one obviously went under the radar, most likely because it did not feature ‘http://’, ‘www’, and used a domain extension (.in) that is also a (very) common word.

The consequence is that although Facebook did react fast, deleting the messages in the Facebook boxes, those which have already reached the regular mailboxes of recipients (most people do have the “forward messages to my email” option enabled), are still there, unwrapped, so Facebook cannot deny access to the link. The downside for criminals, of course, is that it is not clickable.

The Koobface worm scouring Facebook since last July, and which made the headlines again this week, is certainly beginning to redesign the concept of “friend. ” The “acquaintance from high school you’ve never talked to since you added her/him” might now be the “acquaintance from high school you’ve never talked to since you added her/him and who occasionally sends links to sites loaded with viruses.”

While Koobface has redefined this friendship concept, it’s not the only thing: It’s redefined the URL redirection policy of Facebook.

Indeed, URLs used to be left “as is” in friends’ private messages — assuming that they did not lead to a malicious site, of course. This is the very reason why Koobface “first-click URLs” are a mere hop through a reputable site (Google Reader, Google Picasa…), which in turns redirect unfortunate users to the final, malicious site (Facebook is not going to blacklist Google, right?).

Now and then, URLs included in messages are being automatically wrapped up by Facebook, in the following fashion:

URL: http://www.example.com
Wrapped URL: http://www.facebook.com/l.php?u=http://www.example.com

The latter is called a “web redirector.” Upon clicking on the wrapped URL, users are “going through” Facebook before reaching the final destination (here, www.example.com). What is really the point in force-wrapping URLs in redirectors? Simple: Friends’ messages are not only sent to the recipient Facebook account within the site, but are also e-mailed to the recipient external mailbox (Gmail, Hotmail, Yahoo Mail, etc.). Wrapping URLs in redirectors therefore allows Facebook to track clicks even when they are performed from the recipient external mailbox.

In our precise case, this serves a security purpose: even once malicious messages have been successfully emitted, users happily journeying toward the malicious final site from their mailbox can still be stopped at the redirector level.

It does make some sense. One may very well wonder if the cure is not worse than the disease, however. Indeed, web redirectors raise multiple security issues, which have been known since at least 2003 and have many times generated indignation in the ranks of the security industry.

Simply put, open web redirectors allow spammers, phishers, fraudsters, scammers and other cyber criminals to “wash” their malicious links with the name of a reputable site, fooling URI filters and human users alike.

Indeed, wouldn’t http://www.facebook.com/l.php?u=http://my%2Emalicious%2Esite%2Ecom be more likely to be trusted than http://my.malicious.site.com? This is where it all becomes ironic: since precisely this redirector is meant to wrap malicious links, Facebook might be seen as unwillingly giving an edge to cyber criminals without the later ones even being aware of it.

Granted, when going through Facebook redirector, users are presented a message stating:

“You are about to leave Facebook to visit this address: [...] For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site.”

Let’s therefore grant Facebook’s the title of “semi-open redirector.” Yet, users are nowadays so much watered by warnings anywhere they click, that the efficiency of this one may be questioned. Besides, a base of social engineering (directly inherited from experimental social psychology) is that once the decision to perform the first click has occured, little events could reverse the process of commitment to reaching the destination.

So, automatic URL-wrapping, a good idea or a double-edged sword forced by Koobface’s pressure?