We’ve received multiple tips of a new phishing attack that has broken out on Facebook. If you get a message that looks to be from Facebook with the subject “Hello” and the text below, don’t click the link. It goes through Facebook’s own link redirector (so it starts with facebook.com) and lands on fbaction.net, a site that mimics the look of the Facebook login page in the hope that you will sign in there. If you do, the attacker now has your username and password, can log in to your account and can send the same message on to your friends.
The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
Subject: Hello
“Visit http://www.facebook.com/l/4253f;http://fbaction.net/”
We’ve contacted Facebook about the situation to see what it is doing to remedy this. In the meantime, be on the lookout for any link that leads to fbaction.net, including ones that begin with facebook.com/l/ and carry fbaction.net after the semicolon.
Update: And it looks like “fbaction.net” is now the #2 hot trending search topic for all of Google Trends. This thing is apparently spreading quickly.
Update 2: Here’s what Facebook just told me about the attack:
We are aware of this phishing domain and have already begun to take action. Specifically, we have passed the domain on to Markmonitor, which pushes the domain to the browsers for blacklisting. They will also actively try to disable the site at the server/domain level for people who don’t have updated browsers. Our user operations team has blocked the domain from being shared on Facebook and is removing the content retroactively from any messages. They will also be resetting passwords of senders to remove access from an attacker. We’re also reaching out to the ISPs to get information and will attempt to build a civil and/or criminal case against the owners.
Sure enough, as some commenters have noted below, Facebook is now blocking outgoing links to that domain, and some browsers, such as IE8, flag it as malicious.
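As an added example (not from the original post, and not Facebook’s own tooling), here is a short Python script that triages a message like the one quoted above: it finds the links, unwraps the facebook.com/l/ redirector to expose the real landing host, and flags anything that isn’t facebook.com or one of its subdomains. The trusted-domain rule, the regular expressions and the sample message are this example’s own assumptions built from the text above; the spelled-out “something dot net” form it also catches goes slightly beyond the message shown.

```python
"""Triage a Facebook notification for links that leave facebook.com.

Added example, not code from the original post. The message layout and the
/l/<token>;<target> redirector shape come from the text quoted above; the
trusted-domain rule, regexes and sample message are this example's own
assumptions.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Assumption: a genuine Facebook notification only needs to land on
# facebook.com or one of its subdomains. Anything else is treated as off-site.
TRUSTED_DOMAIN = "facebook.com"

# Links in the post look like http://www.facebook.com/l/4253f;http://fbaction.net/
# The part after the ';' is where the reader really ends up.
REDIRECTOR_PATH_RE = re.compile(r"^/l/[^;]*;(?P<target>.+)$")

# Plain http(s) URLs in free text; whitespace and straight/curly quotes end a URL.
URL_RE = re.compile(r"https?://[^\s\"'<>\u201c\u201d\u2018\u2019]+")

# Spelled-out hosts such as "fbstarter dot net", used to slip past link blocking.
DEFANGED_RE = re.compile(
    r"\b([a-z0-9-]+(?: dot [a-z0-9-]+)* dot [a-z]{2,})\b", re.IGNORECASE
)


@dataclass
class Finding:
    as_written: str   # the link (or spelled-out host) as it appears in the message
    destination: str  # URL the reader actually lands on
    host: str         # hostname of that destination
    trusted: bool     # True only for facebook.com and its subdomains


def is_trusted_host(host: str) -> bool:
    """Exact-domain match: 'facebook.com.evil.net' must not pass."""
    host = host.lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def effective_destination(url: str) -> str:
    """Unwrap a facebook.com /l/ redirector; other URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.hostname and is_trusted_host(parts.hostname):
        m = REDIRECTOR_PATH_RE.match(parts.path)
        if m:
            return m.group("target")
    return url


def triage_message(body: str) -> List[Finding]:
    """Return one Finding per link-like item found in the message body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)")  # trailing prose punctuation is not part of the link
        dest = effective_destination(url)
        host = urlsplit(dest).hostname or ""
        findings.append(Finding(url, dest, host, is_trusted_host(host)))
    for m in DEFANGED_RE.finditer(body):
        host = m.group(1).lower().replace(" dot ", ".")
        findings.append(Finding(m.group(1), "http://%s/" % host, host, is_trusted_host(host)))
    return findings


# Constructed sample, built from the message pattern quoted in the post.
SAMPLE_MESSAGE = (
    "YOURFRIEND sent you a message.\n"
    "Subject: Hello\n"
    "\u201cVisit http://www.facebook.com/l/4253f;http://fbaction.net/\u201d\n"
)

if __name__ == "__main__":
    for f in triage_message(SAMPLE_MESSAGE):
        verdict = "ok" if f.trusted else "OFF-SITE"
        print("%-8s %s -> %s" % (verdict, f.as_written, f.destination))
```

Run it with python3 and it prints one line per link, marked ok or OFF-SITE, with the unwrapped destination. The spelled-out-host pattern is a heuristic and will also match phrases like “the dot com bubble”, so treat those hits as something to eyeball rather than to block on automatically.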
This is one of the problems I have with universal sign-on services such as Facebook Connect. What prevents a malicious website from creating a fake form and storing the username and password?
Nothing
That is why Facebook Connect always takes you to http://www.facebook.com
Just need to make it look like the layer that pops up when you are logged in. 98% of users wouldn’t know the proper way it works.
There’s not much you can do… these crooks are smart people who do no good for society… instead they spend enough time making websites look like Facebook to make everyone’s life miserable. Try using Firefox… most FF users report phishing…
http://www.livbit.com
You don’t have to log in with your info for the hackers to get your password. Even if you just click on the link they get your password right away. How come Facebook doesn’t say that?
Yep, I just got hit with this, and feel silly for having done so. The ‘keep me logged in to facebook’ feature never keeps me logged in very long, so I’m used to having to relogin to FB now and then anyway, and I’m also used to firefox warning of phishing scams.
Shouldn’t there be a way to report phishing scams from the browser up to Mozilla? Yes, there might be some attempts by people to label competitor sites as phishing sites, but reviewing for that sort of thing would help. However, this looks like it was probably too new for much to have been done about it, except for good old-fashioned common sense (of which I had a momentary lapse).
Your browser (Firefox) probably can’t detect phishing inside the email client of a social network such as Facebook. It would probably perceive it just as you did: “time to log in again”. My 2 cents’ worth, change back upon demand.
It wasn’t in my email client, but after I clicked the link I logged in via the browser.
IE8 is already blocking the site as a phishing scam.
http://img520.i...hingblocked.png
Firefox uses Google or something for it, so it’s slower, I guess.
http://img520.i...urlphishing.png
It also turns the address bar red if you went as far as clicking through the warning page.
“Shouldn’t there be a way to report phishing scams from the browser up to Mozilla?”
There is: Help -> Report Web Forgery… reports right to Google (who is the provider for Mozilla’s phishing list)
Thanks – had never noticed that before!
The WHOIS info for fbaction.net isn’t private, lol.
http://who.goda...prog_id=godaddy
“Registrant:
Robert Skizu
Email: rebortoskizu1980@gmail.com
Organization: Private person
Address: Park ave 12-32
City: New York
State: New York
ZIP: 125141
Country: RU
Phone: +1.8663250045 “
A six-digit zip code seems a bit odd though – do they exist?
And country RU?
Sounds like that could be fake info.
That said, if it is him – what an idiot. A candidate for “Stupid Criminals”
The whole address is bogus. There is no address in New York that has the street first and then a building number.
I just received this message, as did some of my friends. We’re all in the Washington, DC area. This site was one of 3 search results for fbaction.net as I tried to find out who they are.
Is there a possibility that having visited fbaction.net (without logging in) could still expose me to a virus or anything else?
That’s why we write about it Franko, to let people know who are probably searching for it right now.
I think you’re safe just visiting the page, it’s signing in you have to worry about — at least from a quick glimpse of how it’s working.
Just a comment. I got the invite for fbaction.net. I went to the site and did not log in. This morning several of my contacts received an email to visit kromked.net. At a glance it was only sent to a few of my contacts.
Anyone who would fall for this deserves to lose their facebook account, and possibly be weeded from the gene pool, too through involuntary sterilization. Stupidity isn’t compatible with the 21st century and the new world order. Stop complaining about recession http://iamned.com/blog/ keep buying stocks
they need msplinks.com
We need to do something at the ICANN level to smite these domains immediately.
be careful what you wish for
Just curious, what did those who clicked on it think they were going to see? What inspired the clicks? I mean, I don’t click on something unless it might interest me… Just wondering.
I saw a name of someone I recognized, and ‘fbaction.net’. I knew it wasn’t facebook, but thought (quickly) that it was some ‘community action’ sort of group (save the whales, etc) which I’m constantly bombarded with from ‘friends’ on facebook and other sites. I generally tune those out now, but thought this might have been a community-based site that used the FB connect login mechanism. Granted, this all happened in about 4 seconds of thought – but that was my thought process.
Gotcha. Cool. I get it. Thanks.
That is exactly the same vague thought process that flashed through my work-distracted brain as I clicked on that link. By the time I finished having the thought and realized I shouldn’t click, it was too late…
D’oh! Sucks.
Me three. Ugh.
I just got one as well. It was sent by a friend to nearly 25 people.
I replied back with this post to everyone to avoid anyone clicking the link.
Facebook is now blocking the link.
http://www.face...ff612e342384604
Nice.
as is IE8
You’ve got to love phishing, it’s the same attack they’ve used countless times before with ruthless efficiency.
Since Facebook blocked the link, I got one with the cunning “visit fbnation dot net”–which prompted me to check it out before I did, whereas I may have just clicked on a link without thinking. Small favors?
It’s time for Strong Authentication! (something more than a password)
Imagine if a traditional criminal gains access to your FB account.
Status update: “Enjoying the French Riviera”
Reality: Enjoying robbing your house.
He can know where you are, what you are doing (right now), your friends, interests, etc…
Give me something to better protect my account!
Is there anything I should do since I did sign in, & the link was sent to all of my friends?
Go to http://www.phishtank.com and report it there – that updates opendns which will block this site for everyone using opendns
Lol….owned.
I never logged into that site, never gave them my password, yet I had the message sent to me, and then my account sent it out to over a hundred people, emailing twenty at a time.
Well, if you had gotten a virus through the website, which is not unheard of, they could have gotten the cookie off of your computer. I would log out and log back in, and then go change your password.
So, I fell for it too; what do I need to do now? I changed my password already; does that help? Do I need to do anything else?
Looks like the domain is purged already; I wonder who this ISP is. If it’s GoDaddy, they are pretty fast to pull the plug on ish like this. Whois reveals a Park Ave address, probably a false one, no doubt.
Yup, yup, it’s all gone. A flash in the pan.
http://www.face...?id=72490095659 is the about page for a Facebook app I developed called QuickLook. If you check it out you can get an idea of some of the info of yours and your friends that every Facebook app and every Facebook Connect app can see.
And stupidly, you can’t post this warning to your Facebook profile!
I just fell victim to this earlier. What does this do, other than send the message to my friends? Does it infect my computer in any way??
It remembers your user name and password so they can access your Facebook account.
Someone asked what the thought process was for those who opened it. For me, it worked like a charm… the sender was someone from high school, on the fringe of friendship, who is always sending those “let’s save the world together” type mass messages. So, bored, I clicked to check what his latest plight was. Lesson learned.
I just did a whois lookup on fbaction.net and it came back saying that domain was unregistered. Any thoughts on that anybody?
Have you noticed that there is a mistake in the site? All links link back to the regular Facebook links except the green Sign up button on the top left.
If you want to do it well, then do so.
Anyone who falls for phishing like this is a dumbass.
Yay IE8
I’d like to say I would see this coming, but I don’t think so.
This is an old PHISHING METHOD. Just like in FRIENDSTER.com
The way I avoid this is I use sxipper to pop up a login button for me to log in with my username and password. Any site it redirects me to won’t pop this up unless it’s strictly facebook.com. I hope at that point you or I will catch on that you aren’t actually on facebook.com and be like WTF why isn’t it letting me auto login?
There is another one almost similar to fbaction: Kromked.net.
Just wrote about it here.
It in fact refers the user to another site with a captcha box. People are reporting getting messages on Facebook to visit this site.
Today it is fbstarter.com
Don’t log in to Facebook from the link fbstarter.com
Just got a “Look at this” link to fbstarter.com.
Why do they want to have my Facebook password anyway?… so they can talk to my friends from primary school?!
I would expect more attacks… especially with the whole Facebook currency now.
I received a message from my friend “Look at this” and there was a link fbstarter.com. I didn’t know and so I opened it. However, it showed that the page wasn’t found. Should I change my password anyways?
It’s now being spread as “fbstarter.com” with a subject line of “Look at this!”
I am looking for someone to connect with who is not superficial and hung up on looks and perfection. I have a genetic anomaly which runs in my family. Adolf Hiter also had this same anomaly involving his oui-oui. Please contact me if you want to hook up! Mike Masnick, Techdirt CEO
Got the “Look at this!” message and went to fbstarter.com. Entered fake username / password credentials (without logging out of my own facebook page) and it sent me to my own facebook account.
It should only “phish” the username / password I entered on fbstarter.com & NOT my real fb account, correct?
(I changed my fb password already, just in case)
almost got me!!!
New fake login site was NOT fbaction.net:
kromked.net
DO NOT LOGIN!!!!!!!!
New phishing attacks!
List with affected domains:
http://fleeex.b...n-fake-6169547/
Is anyone unable to connect to Facebook?