{"id":9290,"date":"2019-09-18T17:07:24","date_gmt":"2019-09-18T21:07:24","guid":{"rendered":"https:\/\/www.ezrasf.com\/wplog\/?p=9290"},"modified":"2019-09-18T14:52:50","modified_gmt":"2019-09-18T18:52:50","slug":"manychat-api-and-suspicious-fb-chat","status":"publish","type":"post","link":"https:\/\/www.ezrasf.com\/wplog\/2019\/09\/18\/manychat-api-and-suspicious-fb-chat\/","title":{"rendered":"Manychat API and suspicious Fb chat"},"content":{"rendered":"<figure id=\"attachment_9291\" aria-describedby=\"caption-attachment-9291\" style=\"width: 376px\" class=\"wp-caption alignright\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"9291\" data-permalink=\"https:\/\/www.ezrasf.com\/wplog\/2019\/09\/18\/manychat-api-and-suspicious-fb-chat\/16782102211_f64ede5b60_o\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.ezrasf.com\/wplog\/wp-content\/uploads\/2019\/09\/16782102211_f64ede5b60_o.jpg?fit=464%2C242&amp;ssl=1\" data-orig-size=\"464,242\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"16782102211_f64ede5b60_o\" data-image-description=\"\" data-image-caption=\"&lt;p&gt;&lt;a href=&quot;https:\/\/www.flickr.com\/photos\/92457334@N04\/16782102211&quot;&gt;&amp;#8220;apolitik_Magritte&amp;#8221;&lt;\/a&gt; by &lt;a href=&quot;https:\/\/www.flickr.com\/photos\/92457334@N04&quot;&gt;ApolitikNow&lt;\/a&gt; is licensed under &lt;a href=&quot;https:\/\/creativecommons.org\/licenses\/by-nc\/2.0\/?ref=ccsearch&amp;#038;atype=html&gt;CC BY-NC 2.0&lt;\/a&gt;&lt;\/p&gt;\n\" 
data-large-file=\"https:\/\/i0.wp.com\/www.ezrasf.com\/wplog\/wp-content\/uploads\/2019\/09\/16782102211_f64ede5b60_o.jpg?fit=464%2C242&amp;ssl=1\" class=\"alignnone  wp-image-9291\" src=\"https:\/\/i0.wp.com\/www.ezrasf.com\/wplog\/wp-content\/uploads\/2019\/09\/16782102211_f64ede5b60_o.jpg?resize=376%2C196&#038;ssl=1\" alt=\"16782102211_f64ede5b60_o\" width=\"376\" height=\"196\" srcset=\"https:\/\/i0.wp.com\/www.ezrasf.com\/wplog\/wp-content\/uploads\/2019\/09\/16782102211_f64ede5b60_o.jpg?w=464&amp;ssl=1 464w, https:\/\/i0.wp.com\/www.ezrasf.com\/wplog\/wp-content\/uploads\/2019\/09\/16782102211_f64ede5b60_o.jpg?resize=250%2C130&amp;ssl=1 250w\" sizes=\"auto, (max-width: 376px) 100vw, 376px\" \/><figcaption id=\"caption-attachment-9291\" class=\"wp-caption-text\"><a href=\"https:\/\/www.flickr.com\/photos\/92457334@N04\/16782102211\">&#8220;apolitik_Magritte&#8221;<\/a> by <a href=\"https:\/\/www.flickr.com\/photos\/92457334@N04\">ApolitikNow<\/a> is licensed under <a>CC BY-NC 2.0<\/a><\/figcaption><\/figure>\n<p>A friend&#8217;s Facebook account sent a message with a video link titled, &#8220;When was this video?&#8221; My hackles were raised because:<\/p>\n<ol>\n<li>I rarely get messages from this person.<\/li>\n<li>It reminded me of the <a href=\"https:\/\/www.ezrasf.com\/wplog\/2019\/08\/12\/fb-messenger-virus\/\">Is This You video Facebook Messenger<\/a> virus.<\/li>\n<\/ol>\n<p>If you clicked on either, then go to the link on #2 to get advice on kicking off the program with access to your account.<\/p>\n<p>I grabbed the link, https:\/\/mnch.at\/r?act=48a93ac45jkbhf455465548bc&amp;u=236764556620374&amp;p=112045350166462&amp;h=c2446617ed and had wget download the content safely. It took a couple iterations having it ignore the SSL mismatch and supply a &#8220;valid&#8221; browser user-agent.<\/p>\n<p>It looks like this new-to-me version uses a Web Bot service called Manychat to propagate. mnch.at is a short DNS name for it. 
That posts to the \/r URI with the act variable. That redirects to Facebook. Unfortunately, the Facebook HTML is obtuse to read, so I stopped here. I miss the days of hackers using simple HTML on compromised web servers.<\/p>\n<p>Being able to host it in Facebook makes it more difficult to discover what they are doing.<\/p>\n<p>If you go to manychat.com\/r, then it has a redirect to send your browser to Facebook. I&#8217;m thinking the hackers are exploiting the trust of manychat to get a way to come to Facebook in a way that looks natural to tools looking to block malicious traffic. Sneaky.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A friend&#8217;s Facebook account sent a message with a video link titled, &#8220;When was this video?&#8221; My hackles were raised because: I rarely get messages from this person. It reminded me of the Is This You video Facebook Messenger virus. If you clicked on either, then go to the link on #2 to get advice [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-9290","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connec
tions":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1rUBW-2pQ","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/9290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/comments?post=9290"}],"version-history":[{"count":0,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/posts\/9290\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/media?parent=9290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/categories?post=9290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ezrasf.com\/wplog\/wp-json\/wp\/v2\/tags?post=9290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}