
Yesterday a phishing scam spread across Facebook in the form of a message from a friend asking you to click on a link which took you to what appeared to be a Facebook login page, but was actually at a different URL, http://fbaction.net. It was quickly blocked. But now there seems to be a new one linking to http://fbstarter.com/. It comes in the form of a message from a friend telling you to “Look at this!” When you click on the link, you are taken to what appears to be a Facebook sign-in page. If you go ahead and sign in, the phishers have access to your account and can then send messages to all of your friends.
I just got one of these messages. It looks like this:
Joshua sent you a message.
Subject: Look at this!
“fbstarter.com”
And fbstarter is hyperlinked.

If you do sign in by mistake, the best thing to do is to change your password as quickly as possible. Make sure you are signed into the real Facebook when you do that, however.
Again, it looks like this phishing attack is very successful. Right now “fbstarter” is the No. 1 hottest term on Google Trends.
I have alerted Facebook to this attack.
Update: Facebook is on the case. They just sent me this update:
We’ve already blocked www.fbstarter.com from being shared on Facebook. You’ve probably seen what this looks like but I’m including a screenshot. Now, we’re deleting that URL from walls and inboxes. We’ve also blocked access to the URL so if someone does find it on Facebook (on their wall, in their inbox, or in an email notification) it won’t send them to the destination. Finally, we’ll automatically reset the password on any account that sent the malicious link. Thus, the data becomes useless to the bad guys very quickly.
In addition, we work with MarkMonitor (they made an announcement today). We send them URLs and they get them added to the browser blacklists and work to get the sites taken down. I’ve included a screenshot of the warning from Firefox that resulted from their work on the phishing attack yesterday (fbaction.net). They got that site taken down, too. Today’s site (fbstarter.com) has been down most of the morning. MarkMonitor and Facebook are watching it closely, though.
just got a message, close one.
Is it related to malware? I guess this is why Open ID and facebook connect will be so successful…not. Once you give up your password for one site, the scammers get all your sites! OTOH, facebook can make a lot of bank selling the blue pill to the guys and gals.
Yeah, I got this one today. I used DNSStuff.com to trace the URL’s IP address to Latvia.
Latvia’s legit…
Once and again, spammers!! grgrg..
I saw it first on HayRumores.com (http://hayrumor...-a-fbactionnet/)
cya!
I so just want to give FB my credit card info RIGHT NOW?? This is what social networks need to overcome to capture payment streams!
Daniel
https://spideroak.com – Online Backup and Sync – Currently seeking affiliates $$$$
Is this worthy of a frontpage post? Anyone who falls for phishing deserves it.
Um, no…I did not deserve it…I live in a nice world and use my computer and facebook for catching up with friends who live far away. Not for stalking or evil. So when my good friend X sends me an email I didn’t think anything of it…I opened it.
You are just rude. Maybe you have no friends.
These messages are so generic and always the same; I say anyone that falls for it is an idiot.
there might be more to it. a friend received one of these messages, didn’t log in to fbstarter, but her account was still hacked and all her friends spammed. so there could be a passwd-guessing bot involved too.
Thanks for letting us know.. Hope this won’t spread like a swine flu.
So what exactly does a hacker GAIN from doing this, other than annoying scads of other FBers?
Spam is big business, give anyone enough of an audience (10,000 user accounts * 200 friends on average let’s say = 2,000,000 targets to spam). I’m sure you can figure out how to make money if you have 2 mil people to spam.
How I lost 30lbs. FAST!!!
The sad thing is there are always people dumb enough to click on these links and then login.
I feel dumb to this. My account had messages sent out. I just changed my password, but will this help?
I fell dumb to this. I’m usually really careful but slipped up okay. My account had messages sent out. I just changed my password, but will this help?
No, mental retardation is permanent.
I am delighted to be the beta tester for this. Thanks!
After I typed in my password (in a sleepy daze I tell you! Coffee did not kick in yet and I was all “oooh look I did not log into facebook zzzzz”) I got a page from facebook telling me that the page was not a legit page and to change my password (geee… thanks facebook. A window late and a dollar short)
I opened a new window and typed in facebook to be sure I was in the right place and changed my password.
Then I ran through my brain to think about where else I might use the same password and changed that as well and then swore to never use that old much beloved password again.
A search for the site (that I can now not mention or facebook will not send this message) on google brings up pages telling you that it’s a phishing scam and only idiots fall for it and deserve it. Thanks again!
Apparently the folks behind the scheme are proactively trying to shut down communication about it on Facebook itself.
When I tried to post a status update about it, an error message said that I couldn’t because “some content in this message has been reported as abusive by Facebook users”
Check out the screen-grab to see for yourself.
http://www.flic...ood/3489203748/
Evil, evil, stuff.
looks like it’s just FB’s shotgun approach to nipping this problem as soon as possible. just block anything containing certain strings: “fbstarter”, “look at this!”, whatever…
if so, it’s had the unfortunate side-effect of also silencing people who are trying to warn their friends….
OMG FREE MUMIA
I can’t even go to fbstarter.com or fbaction.net…. nothing comes up.
I had thought that facebook blocking the posting of the name of the site to the wall was part of the attack — I posted on someone’s wall that they were sending a message out, and that anyone who got it and logged in there should assume their password was captured. It wouldn’t let me post the message. Interesting that that was actually facebook preventing the spread of it.
Just find out who is behind this and kill them.
also, kromked.net is another bad link that is part of the same thing
Yeppers, I just wrote the same post from my experience with the scam.
http://bit.ly/p...ishing-Facebook
THX,
JMacofearth
I wrote a little in depth report on this at insecureweb (complete with an archive of the actual imitation page as the original will probably be gone soon): http://insecure...e-fbstartercom/
The most interesting thing about these kinds of attacks is that there’s really nothing Facebook or any other site can really do to stop them – there’s no flaw or mistake on Facebook’s part – it’s just social engineering at its best – users who see a familiar looking login, and try to use it.
This is mostly no different than the fake paypal and bank sites that sprouted up in the past, only the scammers seem to have improved their spelling and grammar mistakes.
The only point of possible confusion is that with the Facebook Connect API – you really do see legit Facebook login and functionality everywhere on the web (I can login this very site with Facebook Connect) – which leads one to ask – what if someone created a fake Facebook Connect on their site – that connected to the real Facebook Connect – no one would be the wiser (except us web developers who could view the source.)
I also was scammed by this, and my inbox sent out a message to all my friends “check out best shop” or something like that with http://www.joonias.com …………….
phishing!
The information won’t become useless pretty quickly if the victims use that password for other accounts too.
What if the password was not my facebook password, but the one I use the most!!!
There is a new similar attack from a forgery site that hasn’t been blocked yet. It urges people to visit 222.im. That site is a FAKE. Don’t go there and don’t enter your facebook password on any site that doesn’t show facebook.com at the beginning of the URL in the Location box of your browser.
Somebody sent me a link on facebook to access 222.im, and so I opened firefox in sandboxed mode and tried it out.
Seems like a DNS redirection…
222.im first sent me to 282.im, which appears to be facebook. This is not facebook, so do not enter credentials.
The second time I tried to access 222.im, my router’s CAPTCHA security features blocked access to the redirection (all the while I was running my browser sandboxed just in case).
The IP address of Facebook.com is 69.63.178.11 or 69.63.184.142, whereas the website that looks like facebook (282.im) has an IP address of 213.182.197.235. 222.IM is hosted in Riga, Latvia. 222.im has an IP address of 213.182.197.235, and is also hosted in Riga.
DO NOT ENTER YOUR CREDENTIALS ON EITHER 282.IM or 222.IM!!
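The advice in the comments above (only trust a login form whose address really is facebook.com) and Facebook’s own description of blocking the shared URL rather than every message that mentions it both come down to the same check: what host does a link actually point at? The following Python script is an added example, not code from this post, from Facebook or from MarkMonitor. It extracts links from a message, classifies each host as the real facebook.com, a known lookalike, or unknown, and blocks a message only when it carries a link to a lookalike. The blocklist is built from the hostnames named on this page (fbaction.net, fbstarter.com, kromked.net, 222.im, 282.im, 151.im, nutpic.at); `should_block` is a hypothetical wall/inbox filter, and the sample messages are constructed to resemble the ones quoted above. Note that the legitimacy test is a suffix match on the host, because a “starts with facebook.com” rule would wave through an address such as facebook.com.fbaction.net.

```python
import re
from urllib.parse import urlsplit

# Hosts this page names as phishing sites. The set is constructed for the
# demo; it is not Facebook's or MarkMonitor's blocklist.
PHISHING_HOSTS = {
    "fbaction.net", "fbstarter.com", "kromked.net",
    "222.im", "282.im", "151.im", "nutpic.at",
}
# The only domain a Facebook login form should ever be served from.
LEGIT_DOMAINS = {"facebook.com"}

# Matches links with or without a scheme, e.g. "fbstarter.com" or
# "http://www.facebook.com/login.php". Quotes and whitespace end the match.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z0-9-]+(?:/[^\s\"'<>]*)?", re.I
)


def hostname(url: str) -> str:
    """Lower-cased host of a URL; a scheme is prepended if the link lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_in(host: str, domains) -> bool:
    """True if host equals one of `domains` or is a subdomain of it.

    Suffix matching is what makes 'facebook.com.fbaction.net' fail the
    legitimacy test even though the address *starts with* facebook.com.
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url: str) -> str:
    """'legit' for facebook.com, 'phishing' for a blocklisted host, else 'unknown'."""
    host = hostname(url)
    if host_in(host, LEGIT_DOMAINS):
        return "legit"
    if host_in(host, PHISHING_HOSTS):
        return "phishing"
    return "unknown"


def extract_urls(text: str) -> list:
    """All link-looking tokens in a message, in order of appearance."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def should_block(message: str) -> bool:
    """Hypothetical wall/inbox filter: block only messages that carry a link to
    a blocklisted host. A warning that merely says 'fbstarter' or quotes the
    'Look at this!' subject line is left alone, unlike a plain substring filter.
    """
    return any(classify(u) == "phishing" for u in extract_urls(message))


if __name__ == "__main__":
    # Constructed sample messages modelled on the ones quoted on this page.
    samples = [
        'Joshua sent you a message. Subject: Look at this! "fbstarter.com"',
        "Heads up: the Look at this! message going around is a phishing scam",
        "http://www.facebook.com/login.php",
        "http://facebook.com.fbaction.net/login",
    ]
    for s in samples:
        print(should_block(s), [classify(u) for u in extract_urls(s)], s)
```

Run it as-is to see the four sample messages classified; the second one, a warning that quotes the subject line without linking anywhere, is the case a substring filter on “look at this!” would wrongly silence.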
Just got one of these myself. Here’s what it said:
_____________sent you a message.
Subject: Hello
“Check 151.im”
The link it gave took me to a site that asked for my Facebook login info, which was a red flag, since the web address wasn’t a Facebook one. Now the link takes me to one of a number of sites, like these:
http://sabl.ru/
http://afoi.ru/
I don’t know where they go after that, but FYI – beware!
I just got the same:
Subject: Hello
“Check nutpic.at”
The link took me to where it asked me to sign in or register. When I tried to register, it took me to:
http://afoi.ru/ with an error message.
I was dumb enough to go back to nutpic.at. This time I put down my email and password. However, the password is not my facebook password, but the one I use the most with online retailers!!! The email address is however my primary email address, but it does not match the password that I use the most.
Am I making sense? If they got me, then they can get in my accounts in places like amazon, snapfish, etc.
My question is how vulnerable am I at this point?
What about the young kids using Facebook that don’t know any better.
Have had to block my nephew because he’s been infected.
Thanks for the useful information… really nice.
Phishing is a really neglected part of online security…and netizens don’t have enough knowledge to keep away from it.
This article will help a lot.
Looks like they are only targeting people from the UK. After all they are the only people that really have a chance of losing 30 pounds by following the link!