
‘Just applied for my own @facebook.com email account’ Phish Spreading

By Anonymous  •  March 11th, 2011  •   Phishing

There is a new scam making the rounds on Facebook today. This particular scam centres on Facebook's recently revamped Messaging product, which now gives Facebook users the opportunity to own an @facebook.com e-mail address. In the past, there were scams surrounding the launch of this product that followed in the footsteps of similar Facebook scams: requiring Facebook users to authorize a rogue application, fill out a survey to earn the scammers' referral money, and at the end, redirecting users to http://facebook.com/about/messages

Today’s scam is different – users are now being phished for their Facebook login credentials:

Facebook E-Mail Scam Wall Post

New Facebook Phishing Campaign Spreading

The first instance of this phishing campaign (seen above) tries to encourage users to get their @facebook.com e-mail address before someone else takes it. The bit.ly link redirects users to a Facebook App page (apps.facebook.com/xxxxxpage), which contains an iframe pointing to a compromised site that is hosting the phishing page.

Facebook Apps Page (Phish)

Facebook Application Asks For User Credentials

Once a user clicks Next, their information is sent off to the phishers, their accounts are hijacked immediately and their Facebook status is updated to try to scam their friends/family.

Phishers Continue The Ruse to Make It Seem Legitimate

To try to convince users that nothing “fishy” is going on, the phishing page continues the ruse, asking the user to select what username they’d like to secure @facebook.com. Once they hit Submit, they are presented with a fake confirmation page.

Fake Facebook Confirmation for @Facebook.com Account

There are multiple layers used in this phishing campaign. At first glance, the URL hidden behind the bit.ly link is a redirect via the Yahoo! Mobile Login page.

Bit.ly Details Page Shows Yahoo! Mobile Redirect to Compromised Site

The second layer is that the redirect sends the user to o-home.nl, which looks to have been compromised. It is possible that the website is running an unpatched version of WordPress, as the link above shows the payload residing under a 'wp' folder, which is a WordPress-specific folder.

The third layer is that the o-home.nl site redirects the user to the final destination. Initially, the redirect took users to the apps.facebook.com page. Now, it redirects to a fake Facebook page hosted on a compromised website that looks virtually identical to the one that was used in the first example above.
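To make the layering described above concrete for defenders, here is an added example (not code from the original post) that walks a redirect chain offline, without rendering anything, and reports the hops plus three tell-tale signs of this campaign: a bounce through a legitimate site's redirect parameter, a payload under a 'wp' path, and a landing page that frames a different host. All URLs and responses are constructed placeholders, not live indicators from the campaign.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the web: url -> (status, Location header, body).
# The chain mirrors the post's layers: shortener -> legitimate login page's
# redirect parameter -> compromised host under /wp/ -> app page with an iframe.
FAKE_HTTP = {
    "http://shortener.example/abc": (301, "http://m.login.example/?url=http://compromised.example/wp/go.php", ""),
    "http://m.login.example/?url=http://compromised.example/wp/go.php": (302, "http://compromised.example/wp/go.php", ""),
    "http://compromised.example/wp/go.php": (302, "http://apps.example/xxxxxpage", ""),
    "http://apps.example/xxxxxpage": (200, None, '<html><iframe src="http://phish-host.example/fb/login.html"></iframe></html>'),
}

REDIRECT_PARAMS = ("url", "u", "redirect", "next", "r")   # common open-redirect parameter names
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)

def fetch(url):
    """Stand-in for an HTTP GET; a real version would use a non-rendering client."""
    return FAKE_HTTP.get(url, (404, None, ""))

def follow_chain(start, max_hops=10):
    """Return (hops, findings): every URL visited and the suspicious traits seen."""
    hops, findings, url = [start], [], start
    for _ in range(max_hops):
        status, location, body = fetch(url)
        host = urlparse(url).netloc
        if 300 <= status < 400 and location:
            # A legitimate host forwarding to a third party via a query parameter
            qs = parse_qs(urlparse(url).query)
            for p in REDIRECT_PARAMS:
                if p in qs and urlparse(qs[p][0]).netloc not in ("", host):
                    findings.append(f"open-redirect style bounce via {host} param '{p}'")
            hops.append(location)
            url = location
            continue
        # Final page: flag iframes that pull content from another host
        for src in IFRAME_SRC.findall(body):
            if urlparse(src).netloc != host:
                findings.append(f"landing page on {host} frames {urlparse(src).netloc}")
        break
    if any("/wp/" in h for h in hops):
        findings.append("payload served from a 'wp' path (possible WordPress install)")
    return hops, findings

if __name__ == "__main__":
    for line in follow_chain("http://shortener.example/abc")[1]:
        print(line)
```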

Fake Facebook Page Hosted on Compromised Website

We have since seen the o-home.nl redirect send users to two new pages located elsewhere. The first is a compromised website belonging to a DJ.

Compromised DJ Site Homepage

DJ Website Compromised, Serving Up Facebook Phishing Page

We are now seeing this phishing campaign spread rapidly across an assortment of bit.ly links and redirect pages.

Facebook Phish Spreading Rapidly

Facebook Phish Spreading, Using Multiple bit.ly Links

Different Site Used for Redirect to Compromised Site 'o-home.nl'

One of the first things we encourage our readers to do is to be aware of scams like these. Awareness is a crucial piece of the puzzle. Another is watching out for friends and family members who have been tricked by these Facebook scams. Talk to them about it, let them know they've been scammed, tell them to change their passwords, show them how to remove the offending wall post, and encourage them to warn their own friends and family as well.

Facebook has recently added some safeguards to warn users of unauthorized access to Facebook accounts. You can modify your account settings by going to http://facebook.com/editaccount.php

Facebook's New Account Security Section

Under the 'Account Security' section, click 'Change' and tick the checkboxes marked in the red area above. With these options selected, you will be notified whenever a new computer or mobile device logs into your Facebook account. For this Facebook phishing campaign, users would receive a notification similar to the one below:

Facebook E-Mail Notification of New Mobile Device Login

For additional security, you should also enable the Secure Browsing setting under ‘Account Security’, especially if you use public WiFi hotspots at coffee shops, libraries, and airports.
