There is a new scam making the rounds on Facebook today. This particular scam is surrounding Facebook’s recently revamped Messaging product, which now gives Facebook users an opportunity to own a @facebook.com e-mail address. In the past, there were scams surrounding the launch of this product, which followed in the footsteps of similar Facebook scams: requiring Facebook users to authorize a rogue application, fill out a survey to earn the scammers referral money, and at the end, users would be redirected to http://facebook.com/about/messages
Today’s scam is different – users are now being phished for their Facebook login credentials:
New Facebook Phishing Campaign Spreading
The first instance of this phishing campaign (seen above) tries to encourage users to get their @facebook.com e-mail address before someone else takes it. The bit.ly link redirects users to a Facebook App (apps.facebook.com/xxxxxpage), which contains an iFrame that points to a compromised site that is hosting the phishing page.
Facebook Apps Page (Phish)
Facebook Application Asks For User Credentials
Once a user clicks Next, their information is sent off to the phishers, their accounts are hijacked immediately and their Facebook status is updated to try to scam their friends/family.
Phishers Continue The Ruse to Make It Seem Legitimate
To try to convince users that nothing “fishy” is going on, the phishing page continues the ruse, asking the user to select what username they’d like to secure @facebook.com. Once they hit Submit, they are presented with a fake confirmation page.
Fake Facebook Confirmation for @Facebook.com Account
There are multiple layers being utilized in this phishing campaign. At first glance, the URL hidden behind the bit.ly link is using a redirect via the Yahoo! Mobile Login page.
Bit.ly Details Page Shows Yahoo! Mobile Redirect to Compromised Site
The second layer is that the redirect sends the user to o-home.nl, which looks to have been compromised. It is possible that the website is running an unpatched version of WordPress, as the link above shows the payload residing under a ‘wp’ folder, which is a WordPress specific folder.
The third layer is that the o-home.nl site redirects the user to the final destination. Initially, the redirect took users to the apps.facebook.com page. Now, it redirects to a fake Facebook page hosted on a compromised website that looks virtually identical to the one that was used in the first example above.
Fake Facebook Page Hosted on Compromised Website
We have since seen the o-home.nl redirect users to two new pages located elsewhere. The first, a website for a DJ that has been compromised.
Compromised DJ Site Homepage
DJ Website Compromised, Serving Up Facebook Phishing Page
We are now seeing this phishing campaign spread rapidly across an assortment of bit.ly links and redirect pages.
Facebook Phish Spreading, Using Multiple Bitl.y Links
Different Site Used for Redirect to Compromised Site 'o-home.nl'
Different Site Used for Redirect to Compromised Site 'o-home.nl'
One of the first things we encourage our readers to do is to be aware of scams like these. Awareness is a crucial piece of the puzzle. Another is watching out for those friends and family members that have been tricked into these Facebook scams. Talk to them about it, let them know they’ve been scammed, tell them to change their passwords, show them how to remove the offending wall post and encourage them to warn their friends and family as well.
Facebook has recently added some safeguards to warn users of unauthorized access to Facebook accounts. You can modify your account settings by going to http://facebook.com/editaccount.php
Facebook's New Account Security Section
Under the ‘Account Security’ section, select ‘Change’ and select the checkboxes marked in the red area above. By selecting these options, you will be notified when a new computer or mobile device has logged into your Facebook account. With this Facebook phishing campaign, users would receive a notification similar to the one below:
Facebook E-Mail Notification of New Mobile Device Login
For additional security, you should also enable the Secure Browsing setting under ‘Account Security’, especially if you use public WiFi hotspots at coffee shops, libraries, and airports.