Phishing by Open Graph Protocol
Open Graph Protocol (OGP) was introduced by Facebook to highlight shared links in social media platforms. Phishing attacks use OGP to deceive users into clicking links that redirect them to other websites. This blog post explains what the OGP looks like, discusses phishing attack research and finally lists some precautions to take against them.
Your Information will be kept private.
Your Information will be kept private.
The Open Graph Protocol (OGP) was introduced by Facebook approximately eight years ago to give users a way to have control over the appearance of links on social media platforms. Whenever you click the Share button on Facebook, or other social media platforms, you interact with OGP technology that makes shared links more legible and explicit. In this blog post, we discuss a phishing attack that used the OGP to deceive users into clicking links that rerouted them to a different website than they intended.
What Does the OGP Look Like?
Organizations configure their web content's OGP to catch the attention of their audience. For example, if we attempt to share the link of a blog post from Netsparker on LinkedIn, the OGP configurations on the website automatically display the image below.
If you want to tell LinkedIn which image it should use, what kind of content the user can expect and what title it should display, you need to use meta tags with a value in the property attribute that begins with og:. These meta tags, inserted between the <head></head> tags, make it easier for social media platforms to detect images and titles. There are many such tags, but the following four meta tags, listed and defined on the Open Graph Protocol website, are obligatory:
- og:title – The title of your object as it should appear within the graph, e.g. "The Rock".
- og:type – The type of your object, e.g. "video.movie". Depending on the type you specify, other properties may also be required.
- og:image – An image URL that should represent your object within the graph.
- Og:url – The canonical URL of your object that will be used as its permanent ID in the graph, e.g. "http://www.imdb.com/title/tt0117500/".
Here are the OGP configurations used for a blog post published on our website, Using GoogleBots as an Attack Vector:
<meta property="og:url" content="https://www.invicti.com/blog/web-security/using-google-bots-attack-vector/" />
<meta property="og:description" content="This article examines the latest attack vector to surface: using Google Bots." />
<meta property="og:type" content="article" />
<meta property="og:title" content="Using Google Bots as an Attack Vector" />
<meta property="og:image" content="https://cdn.invicti.com/statics/img/ogimage/Using-Google-Bots-as-an-Attack-Vector.png" />
This is an illustration of how the Open Graph Protocol methodology works on social media platforms.
Research on the Phishing Attack Using OGP
In research conducted by U.S. cyber security company ZeroFox, the varying rendering of the OGP across various social media platforms was evaluated to see how it could lead to phishing attacks. ZeroFox analyzed the visibility of the shared URL, and the URL in the OGP configuration, in the preview of shared links.
ZeroFox researchers compared the previews of the shared links generated by the OGP on platforms such as Slack, Facebook and Tumblr. In the proof of concept, the OGP settings of an article from space.com was added to the test website controlled by the 'attackers' (rocky-savannah-52596.herokuapp.com). The URL of this test website was shared on social media platforms to observe the behavior of the Open Graph Protocol when displaying the source URL in the preview.
Results of the Research
The results of the research revealed that some social media platforms display the source link in the preview of the shared content, while others do not:
- In Slack, the test website's URL was displayed in the content preview. However, the gray link could be overlooked by the user.
- In Tumblr, the test website's URL was positioned on the dark background of the OGP image.
- Facebook fails the URL visibility test, since the link to the test website is not displayed anywhere in the content preview. Therefore, the users will be deceived into thinking that the original space.com link was shared on the Facebook post.
Precautions Against Phishing Attacks
The research examples illustrated show how users can be deceived into clicking links that appear to be safe, only to fall foul of a phishing attack.
- The best security technique against phishing attacks is to observe the address bar of the browser.
- Social media platforms may take action against these types of attacks by ensuring that the information in OGP configurations matches that of the website. This would prevent redirects to unsafe websites.
Despite these countermeasures, attackers could check the User Agent value in the request header to their phishing website to discover whether the request comes from the OGP renderer or the victim. Depending on the source, the attacker may redirect the OGP renderer to the site it expects, and simultaneously direct the victim to the phishing website! This is why, as an end-user, you always have to be cautious and aware of your surroundings.
For further details on the research conducted by ZeroFox, see O Geez - Abusing the Open Graph Protocol.