Friday, April 18, 2008

New Facebook Viral Phishing Scam


I just came across a very well made Facebook "viral" phishing attack.

A friend of mine sent me a Facebook message that suggested that take a look at a video:

"You need to check this out now, it sooooooooo funny, a monkey smoking a cigarette! HA!HA!HA!
It's on facebook videos here: http://funnycigarettechimp.info

lol!"

[note that clicking on that link as it stands will not bring you to the attack, it must be clicked from within the facebook message -- as well, the above message may be on of many variations this phisher might be using as templates -- if the phisher is really smart, he/she would do A/B test message templates on instrument for "conversion rates" on phishes...]

It was the perfect storm: I was brain dead the time before my morning coffee, lack of sleep, and the goof that I am, and also the trusted reputation of this friend of mine that was the sender -- who would normally never send me something unless it was insanely funny (how ironic), and the fact that I never really mentally associated phishing attacks -- I went on cruise control and clicked the link.

(side note: I suspect that most people tend to have a lower expectation for phishing attack [and spam], myself included, in the facebook world as compared to traditional emails)

The link pops up a new window (hint #1) with the facebook landing page exactly as it looks everytime my session times-out from Facebook, and asks you to re-login to the system (hint #2). I was going though the motions in auto-pilot punching in my user name and password (this was partly because I had left this facebook message window open for quite sometime, so I suspected it would have likely timed out...), then I realized that the URL looked legit with a proper icon etc, it said "www.Login-facebook.info" (major hint #3).

(side note: Login-facebook.info was registered April 7th, 2008 -- under a private listing with no contact info, clearly not a trust worthy domain)

After you punch in the user name and password, the site sends you to a YouTube video. Most folks probably would have watched the 30 second time waster, and carried on -- unaware of the fact that the phisher will now use the username and password in Facebook to carry out an attack via Facebook Mail disguised under your login info to send and share the same video to your friends list.

The real danger of this is of course not the spread of the video, but rather the fact that the phisher now has your Facebook password that contains your login email, your password, and all of your private Facebook information (i.e. your cell phone number, name of your friends, photos, inbox data, location/address -- all useful info for identify theft!).

Now my question is... what can be done about this other (highly lagged) phishing filters/blacklists built into browser?

A friend suggested that they could use SSL on the site, but its not like a regular user is going to care about a popup window that saids you're about to leave facebook to another site (i mean, you're leaving to watch a video or whatever), and when people see a new window post click with a facebook login, MOST people will go into cruise control and just punch in their user name and passwords anyways. So I'm doubtful SSL makes a difference here (its actually completely useless IMHO other than securing the data/contents between your system and Facebook)

... Regardless, Facebook Friends Beware of Phishing Attacks and DO NOT LOG IN via "Login-Facebook.com" or anything BUT a URL that contains "www.FaceBook.com"!!!