March 26, 2008

Phishing Scam Targeting Facebook Users

Duncan Riley


We’ve had two separate reader reports of a phishing scam targeting Facebook users.

The scam involves a notice appearing on the wall of user profiles as a message from a friend, saying “Hey, I got a new facebook account. Im going to delete this one, so add my new profile” followed by a link that appears to point to the new profile. The actual link goes to a URL on view-facebookprofiles.com, a domain registered (and WHOIS-protected) on Namecheap and hosted at Softlayer, which looks identical to the Facebook login page.

Users fooled into resubmitting their Facebook details on this page then have their Facebook accounts hijacked and all of their contacts receive a similar message, propagating the phishing scam.

It’s not clear yet exactly what the phishing scammers are planning on using the compromised accounts for, or how far it has spread. One tipper claimed that many of his friends had been caught as well.

This isn’t the first time we’ve seen phishing on Facebook, but it could well be the most co-ordinated and widespread attack so far.

Obviously if you see a message in Facebook similar to this, it’s a trap! If you’ve been caught or have shots of this thing in action, send us an email or leave a comment.
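A defender-side check for the look-alike pattern described above, added here as an example and not part of the original post. It assumes facebook.com as the trusted host and uses the two domains named on this page as sample inputs; the helper names are my own.

```javascript
// Added example: classify a login URL against a trusted host and report
// frames served from a different host. TRUSTED_HOST, BRAND_TOKEN and all
// sample URLs are constructed for this illustration.
const TRUSTED_HOST = "facebook.com";
const BRAND_TOKEN = "facebook";

// Lowercase the hostname and drop a trailing dot ("facebook.com." is the
// same host as "facebook.com"). new URL() throws on malformed input.
function normalizeHost(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.endsWith(".") ? host.slice(0, -1) : host;
}

// True only for the trusted domain itself or one of its subdomains.
// A substring test would be wrong: "view-facebookprofiles.com" and
// "facebook.com.example.net" both contain the brand but are not Facebook.
function isTrustedHost(host, trusted = TRUSTED_HOST) {
  return host === trusted || host.endsWith("." + trusted);
}

// "trusted"   : the real site or a subdomain of it
// "lookalike" : brand name present in a host we do not trust (the pattern
//               this post describes)
// "unrelated" : some other host entirely
// "invalid"   : not a parseable URL
function classifyLoginUrl(url) {
  let host;
  try {
    host = normalizeHost(url);
  } catch {
    return "invalid";
  }
  if (isTrustedHost(host)) return "trusted";
  if (host.includes(BRAND_TOKEN)) return "lookalike";
  return "unrelated";
}

// The comments report that the look-alike domain only framed the actual
// harvesting page on another host. Given the page URL and the src of each
// frame on it, return the frame hosts that are not the page's own host.
function thirdPartyFrameHosts(pageUrl, frameSrcs) {
  const pageHost = normalizeHost(pageUrl);
  return frameSrcs
    .map(normalizeHost)
    .filter((h) => h !== pageHost && !h.endsWith("." + pageHost));
}
```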


Comments

Hey, if this becomes common we already have a great name for the phenomenon: Farcebook sites!

Thanks, I’m here all week :)

 

What malicious activity could someone do with your facebook log-in info?

Aside from deleting your friends and messing with you.

There’s no financial incentive, like there is with getting someone’s banking or PayPal info.

 

It’ll still annoy people enough, just like it did with MySpace, and drive them away.

Some people are just fucks.

 

It begins and now it will never stop. PayPal, ebay, and many many more have been slammed with phishing.

 

I wish Web browsers would do more to thwart this kind of stuff. Try *something* to help the average Internet user out. How about if an input tag of type password appears on a page that you’ve never submitted to before AND you navigated to the site by clicking on a link rather than typing in a URL, force a pop-up window that says “WARNING: You never sent your password to this site. Are you sure you want to continue?” And make the warning obnoxiously big.

 

probably the scam is to install some crappy facebook app to boost its stats

 

@Adam Hyman

congrats on being security conscious. I’m glad you don’t use the same login credentials for multiple sites.

But for some people, you get their facebook, you get their email. You get their email, you get their bank, etc…

 

I do not understand the popularity of facebook … Creators must be rich

 

facebook (and others) need to offer optional browser plugins for users… they can call them “security guards” that will establish an address bar color (?? something in the address bar) that only the user and the plugin know (facebook doesn’t even need to know, lest they accidentally publish it in an RSS feed or some other confounded blunder they manage to fall face first into). Not on the page, like the giraffe the bank shows you when you log into your savings account, but in the address bar, like the security validation color we get on some browsers. I think there’s value in getting it ingrained in people’s minds that the only place you can trust is the address bar… if you were just logged in and all of a sudden are being asked for your credentials again, be trained to notice the address bar is no longer blue (if that’s the color you pick…). This “training” will eventually become a part of human evolution and people will be born to recognize a phishy URL.

 

The scammers are building a massive and shadowy PokeNet. And now you’re in their sites, Duncan. Next time you log in, there will be a MegaPoke (poke*10^6) waiting for you!

 

Are you guys stupid?
Step 1: Phish accounts
Step 2: Create program to auto login to said account and post a ‘new link’
Step 3: Have said program run down the list of the thousands of accounts, Posting stuff like “OMG I CANT BELIEVE I ACTUALLY GOT A FREE IPOD!! CLICK HERE AND DO IT !!!”

Step 4: Profit

Get ready for captchas all over the place on facebook. (At least that’s how it went down on myspace)

 

@kevin

yep, i received a message from an acquaintance who i do not regularly talk to last night — i thought he was just being dumb and spamming me.

here’s the message with no links, but the site appears to redirect you to wherever they want you to go (originally ringtones, now pharmacy):

“i think i already told you but incase you forgot, you gotta see all the thousands of ringtones over at http://www.******.com i just got 20 free from them into my phone and i plan on getting more, they got all the songs i ever wanted and best things is, they don’t rob your wallet for each song like the mobile provider does. they download right into your phone in seconds and best of all, no big nasty bill at the end of the month. be smart and save your money, hit them up now like i did at http://www.******.com”

 

Sometimes I feel like the people who fall for these things got what they had coming. If they’re not smart enough to look at the address bar before submitting info, maybe they deserve to have their info stolen.

I know that’s not true, though, because my bicycle got stolen while I failed to lock it up. Same principle.

Oh well, people just need to learn to be more careful, and pay attention to what’s going on around them.

As a side note, whenever I see a phishing site like this, I like to give them fake information. Like an email address like youguysaredorks@geekville.us, and a password like IHopeYouGoToJail.

 

Don’t forget that plenty of people put a TON of personal info in their Facebook account: email addresses, cell phone numbers, home addresses, plus all that juicy demographic stuff like gender, relationship status, etc.

These phishing sites not only get your contact info for various types of spam, but they can then offer detailed demographics to their shady penile enlargement customers, to better target spam, telemarketing, etc.

And, of course, @kevin is right too.

 

Facebook is awful. Can we just admit that already? I went through all this before with Myspace in 2005. Learn how to build your own site. Write some clever code, it takes a couple of hours to learn.

 

In this instance, it’s appropriate to DOS the phishing site to ensure users won’t be able to get to the site. Maintain the DOS so that it will hurt the phishing site financially. At which time the host provider will have to get into the picture to take the site down and notify the owner. And of course the owner is not in the U.S. =) Must be from India or China. hahaha =)

 

Thanks for the warning…this looks like a great site for tech info!

 

The website doing the actual harvesting is join-today.net registered to a company in China. view-facebookprofiles.com is just an external frame.

 

DOS is never legit, fool. The site may be hosted on a shared ISP.
Personally I don’t give a damn because Facebook is the hipster thing of the net, claiming to be something cool while it is actually more mainstream than anything.

 

Yeah, it’s exactly the same as facebook. When I first visited the site, I thought it was facebook. Thank you for the warning. Whatever, facebook is now so popular that a lot of guys wanna make money from it. But how does facebook make money except from the ads? I don’t see it….

 
I Am Not Posting To Spam My Blog - March 27th, 2008 at 3:56 am PDT

The problem is that thanks to Facebook’s cackhanded attempt at turning us into unwilling PR slaves, plus the prevalence of application spam, you’d be hard pressed to distinguish spam from a compromised account from something your real “friends” might send you.

As to the point of gaining access to a Facebook account, well, Jaymon wins the prize. Since a lot of people use the same passwords for their Facebook and email account, and your email address is also your Facebook login, you’ve got a free pass to go into their email account and start rooting around for bank details and password reminders.

 

Agreed, DOS is NEVER EVER appropriate or legitimate.

 

I wouldn’t have fallen for this…

…because Firefox’s Phishing Alert immediately goes off when you visit the page.

Do people turn that feature off, or are most of the people being phish’d not using Firefox?

 

Like it or not, anything that is valued by an individual can be valued by an attacker. There are plenty of reasons to phish a social network account beyond retrieving the end-user e-mail account. Individuals place a high value on their online presence, and will likely even pay money to retrieve a compromised account. Another use of the account is to generate spam and phishing targeted at the compromised account’s friends to further propagate the attack.

 

I think they could fix this by monitoring the accounts that have updated the email address recently, then looking for the embedded links.

What I want to know is, why do they even let you change the challenge question?

 

I’m ashamed to say that I was caught in this one, and I’m fairly vigilant about that sort of thing (first time for everything).

What’s interesting was that the domain “view-facebookprofiles.com” was actually a front for another host (used an iframe) named join-today.net that, when I search for it, is showing up in several different sites and has been around for at least 6 months. The actual path was join-today.net/face.

If you do a search for “join-today.net” you will find at least two or three others. The ISP that hosts join-today.net is in China and I can’t speak Chinese… however if someone could get on the horn with them, you might be able to recover and at least terminate that host.

I did make a small attempt to find the hackers’ control script but I’m just not up on that technology… that was about 10 minutes after I got nailed. The thought was that it’s going to be writing all that data to the server and if I could get in I could save a lot of people some headache by deleting the capture file.

 

@Don Jones

I’m assuming that you’re at least as intelligent and observant as I am :)
I used to think the same way… so you keep thinking that way, and one will eventually get you as well…

I would really love to know if there is some sort of secret ninja society hunting these guys and shutting down their servers. Sign me up!

 

I think the idea too is that a lot of folks use the same password for multiple logins… so if they know your FB password, it is possible that will also be your email password or tied to other high value credentials.

 

All the information you would need to get a credit card or buy a car (maybe even get a passport) is on facebook. Full name, birthday, address… Where they work and phone numbers are just bonuses.

 

I got one of these messages on my wall last night. It appeared to be coming from a friend. It stated (I have removed most of the address):

lisen she’s ma new friend add her up and give her a lil time as she is new here ;)

her profile is at
http://www.facebook.com. . . .

I clicked the link and was directed to a login page, at which point Firefox warned me that it was a scam to get my information. I looked at the profiles of a few other friends of my friend who had been scammed, and saw that very similar messages had been sent to some of them. I left warnings for a few of them about the scam. I tried clicking on the link in IE also, and found that IE does not warn that it is a scam. It’s a good thing I was using Firefox at the time.

 

yeah, i got the same last week and i clicked it. got hit a bit but then changed my password and deleted all applications and a lot of friends.

My msn was also being logged in from some other computer and it is not related but from a computer that had some software that recorded keystrokes. phishing software in another country was the origin.

these ppl make online really fun!

 
