Social Media Security

Monday, 17 November 2008

Analysis of a new Facebook phish

I recently noticed an interesting trend with Facebook. There seems to be an increase in spam and in particular a new type of phishing attempt has emerged that I have been seeing signs of on many different profiles. While phishing via Facebook is nothing new, this one is a bit different as the victim is not taken to a website that "looks" like a Facebook login page. This phish uses painfully annoying questions and pop-ups to get you to divulge your account information.

Do not go to any of the URLs mentioned in this article! You have been warned!

How does the phish work?
You will get an email or notice a wall post from one of your friends in Facebook. Note that the friend who has posted to your wall has either had their account compromised or has really fallen for the scam and sent the links out manually...more on that in a minute.


Initial contact via email notification or wall post (below).



Notice the really bad wording of the following:
"hey has anyone messaged you to let you know your face book pictre is all over ****.com?"
Notice the bad grammar and misspelling? This should be your first clue that this is a phish and you should not check out this domain no matter how curious you are! The bad news is most people will check it out....

Next, a pop-up will appear showing a link to hxxp://rotating -destination.com.


More "enticing" wording for you to click the OK button.

Clicking on this pop-up asks you to enter in the name of your friend, your name and your email.


Next, it takes you to this pop-up asking for your password for "registration".



After entering in your password it asks you how you found the site.


Interestingly, if you click on MySpace or Facebook it says it cannot retrieve your image.


After clicking on a link (they all seem to lead to the same place) you will get to a page that tells you that they can't serve content to Facebook/MySpace.



Clicking the back button you will get another pop-up and after that you have to participate in an online "quiz". It's in a frame and really looks more like the ads you see online (click on the monkey, etc). This is the part that will generate ad revenue for the phisher.



After the quiz you get to a screen which says that you have an image waiting for you and gives you a link to click.


Clicking on the link takes you to a site with a picture of a monkey and plays the sound of someone laughing...nice.



Finally, there is a link at the bottom of this picture that takes you to a page telling you how to send this "harmless prank" to your friends....



Not sure if I have seen a phisher actually ask you for help! Makes things even easier for the phish creator. They even tell you to use "regular" email as you don't want Facebook to block you for being a "spammer"...

What's the end result?
The victim who goes to this website and enters in all the information requested will get their Facebook and/or MySpace profile hijacked (probably with an automated login script) and most likely their email compromised as well. Unfortunately, most people use the same password for both social media sites and email so this is a rather serious problem. If you or anyone you know fell victim to this phish, I advise changing your social media and email passwords immediately.

Special thanks to Greg and Tyler for helping out with the detailed analysis of this phish. Greg and Tyler do a ton of great malware analysis and they did some research to help determine if this phish was malware related. While no malicious downloads were detected in this specific instance, Greg mentions the following additional information about this phish:
  • The IP of the first domain is associated with 16 domains that have been related to malware in the past (some serving Zlob trojans and one related to bogus blogs), so don't be surprised if this scam gets more aggressive in the future.
  • The IP is hosted with Oversee.net which is associated with about 90 instances of malware and rogue software.
  • There is code in the HTML where a graphic would be served up at 1 pixel x 1 pixel (essentially hidden), but that code is commented out. So at some point that graphic might have carried exploit code or perhaps been used to log your IP.
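As an added example (not code from the original post or from the analysts it credits), here is a small defender-side check for the kind of hidden 1x1 image Greg describes. It parses a page and reports every 1x1 <img>, and it also re-parses the contents of HTML comments so that a pixel which has merely been commented out still shows up. The HTML sample and the tracker hostname in it are constructed for the example.

```python
"""Flag 1x1 "tracking pixel" images in HTML, including ones that are commented out."""
from html.parser import HTMLParser

# Constructed sample page: one normal banner, one pixel hidden inside a comment,
# and one live pixel that is also hidden with CSS. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<img src="/banner.gif" width="468" height="60" alt="ad">
<!-- <img src="http://tracker.example/px.gif" width="1" height="1"> -->
<img src="http://tracker.example/live.gif" width=1 height=1 style="display:none">
</body></html>
"""


def _dim(value):
    """Parse a width/height attribute value; None if absent or non-numeric."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def _is_one_by_one(attrs):
    """True when both width and height are present and at most 1 pixel."""
    d = dict(attrs)  # html.parser already lowercases attribute names
    w, h = _dim(d.get("width")), _dim(d.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


class PixelFinder(HTMLParser):
    """Collect 1x1 <img> tags; comment bodies are parsed by a nested finder."""

    def __init__(self, in_comment=False):
        super().__init__()
        self.in_comment = in_comment
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and _is_one_by_one(attrs):
            src = dict(attrs).get("src") or ""
            self.found.append({"src": src, "commented_out": self.in_comment})

    def handle_comment(self, data):
        # A commented-out tag is still worth reporting: it shows intent and may
        # be re-enabled later, as the post speculates for this phish.
        sub = PixelFinder(in_comment=True)
        sub.feed(data)
        sub.close()
        self.found.extend(sub.found)


def find_tracking_pixels(html):
    """Return a list of {"src", "commented_out"} dicts, in document order."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        state = "commented out" if hit["commented_out"] else "live"
        print(f"1x1 image ({state}): {hit['src']}")
```

Run it over a saved copy of a suspicious page; a 1x1 image pointing at a third-party host is the thing to look at, and a commented-out one is a hint that the page may change behaviour on a later visit.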
Some thoughts on how not to be a victim
Here are a few things to remember so you don't become a victim of these and other types of scams:
  • Use a different, complex password for each of your accounts. That way if one password gets compromised all your other accounts don't get compromised as well.
  • Even if your friends want you to click on links, be cautious! You never know if their profiles or email accounts have been hacked!
  • Look for bad grammar and misspelled words as your first clue to a phish.
  • Check out the Facebook Privacy & Security Guide which gives you some good tips to follow when using social media websites.
