The opengraphprotocol.org Web site is currently compromised and is redirecting users to rogue AV sites. Websense customers are protected by our ACE technology, which provides real-time protection against this attack.
Open Graph is a protocol developed by Facebook that allows other Web sites to provide Facebook services directly on the site, such as having a "Like" button on the page. The opengraphprotocol.org site is owned by Facebook, but hosted by a third-party provider. This is how Facebook describes Open Graph:
“The Open Graph API will allow any page on the Web to have all the features of a Facebook Page – users will be able to become a Fan of the page, it will show up on that user’s profile and in search results, and that page will be able to publish stories to the stream of its fans.”
Here is what the compromised code looks like on the Open Graph Web site. Our investigation indicates that every single page on the site is compromised with the same code.
The file ko.php starts a redirection chain that eventually leads the user to a standard rogue AV page.
Sites that use the API typically reference Open Graph by including a link to the Open Graph XML schema above the header of the page. Here's a snippet of code from foursquare.com (which has not been compromised, and whose visitors will not be infected):
Users not affected
It's very important to note that Web sites that use the Open Graph API, or that reference a schema like the above example, will NOT serve malicious content to their users. This is because the schema link is informational only: it doesn't get loaded as part of the page, nor does it provide a clickable link to the user.
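The distinction drawn above can be checked mechanically. The following is an added example, not code from the original post: a small Python audit that classifies every reference a page makes to a given domain as fetched by the browser, clickable, or inert. The sample markup, the `/widget.js` and `/about` paths, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# (tag, attribute) pairs whose URL the browser fetches while rendering.
FETCHED = {("script", "src"), ("iframe", "src"), ("frame", "src"),
           ("img", "src"), ("embed", "src"), ("object", "data")}
# <link> is only fetched for these rel values (simplified list).
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}
# Pairs that navigate only when the user acts on them.
CLICKABLE = {("a", "href"), ("area", "href"), ("form", "action")}

class ReferenceAudit(HTMLParser):
    def __init__(self, domain):
        super().__init__()
        self.domain = domain.lower()
        self.findings = []  # (category, tag, attribute, url)

    def _on_domain(self, value):
        try:
            host = urlparse(value.strip()).hostname or ""
        except ValueError:  # malformed URL, cannot point at the domain
            return False
        return host == self.domain or host.endswith("." + self.domain)

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        for name, value in attrs:
            if not value or not self._on_domain(value):
                continue
            if (tag, name) in FETCHED:
                category = "fetched"
            elif (tag, name) == ("link", "href") and rels & FETCHED_LINK_RELS:
                category = "fetched"
            elif (tag, name) in CLICKABLE:
                category = "clickable"
            else:  # xmlns declarations, meta content, data-* and so on
                category = "inert"
            self.findings.append((category, tag, name, value))

def audit(html, domain):
    parser = ReferenceAudit(domain)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages, not taken from any real site.
SCHEMA_ONLY = ('<html xmlns:og="http://opengraphprotocol.org/schema/">'
               '<head><meta property="og:title" content="Example"></head></html>')
EMBEDDING = ('<html><body><script src="//opengraphprotocol.org/widget.js"></script>'
             '<a href="http://opengraphprotocol.org/about">About</a></body></html>')
```

Calling `audit(SCHEMA_ONLY, "opengraphprotocol.org")` reports only an inert `xmlns:og` reference, while `EMBEDDING` yields one fetched and one clickable finding, which are the cases a site owner would need to act on.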
Facebook has cleaned up the pages. After we notified them, it took them less than 10 minutes to fix the problem. Big kudos to their security team for acting so promptly on this!