Today I received a link to a "crazy and funny vid" on my Facebook account from a friend whom I would never expect to contact me. With this red flag I followed the link and was taken to an exact replica of the Facebook login screen, which might have fooled me had I not realized that I was already logged into Facebook. Glancing up at the URL gave the game away: fanebook.com (with an "n") instead of facebook.com. How clever.
I logged into my account using the actual facebook.com login screen and did a little investigating. Turns out my friend had sent links to 30 other people, meaning his account had definitely been compromised and was being used to phish for other people's accounts. Apparently they already had a few nibbles since he was hardly the only one sending out these links.
I quickly contacted as many of the 30 as I could who I was mutual friends with, to let them know about the attacks. In writing the note I had to refrain from referencing "fanebook.com", since the folks at faCebook.com have already started laying out countermeasures to the attacks. The landing sites have a wide variety of URLs that are either variations on the name facebook, like "fanebook.com" and "falielbook.com", or have facebook.com followed by a long string of further domain labels (not surprisingly ending in .cn). The blog iAntiVirus has done a little snooping into the sources of these phishing sites and found that gambling, marijuana, and other scam sites are hosted at these dynamically changing locations.
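The two host patterns described above (a misspelt brand name, and the real name used as the leading labels of a host registered under some other domain) can be caught before clicking. The following checker is an added example written for this post, not code from the post or from Facebook; the sample links, the `example.cn` parent domain and the 0.75 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# The genuine site the campaign imitates (named in the post).
GENUINE_DOMAIN = "facebook.com"
BRAND = "facebook"
# Assumed threshold: high enough to flag "fanebook" and "falielbook"
# (named in the post) while leaving unrelated names such as "notebook" alone.
LOOKALIKE_RATIO = 0.75


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'www.facebook.com' -> 'facebook.com'.

    Assumption: multi-label public suffixes (co.uk and the like) are ignored,
    which is adequate for the .com and .cn hosts the post describes.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url):
    """Return 'genuine', 'subdomain-spoof', 'lookalike' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unrelated"
    if registrable_domain(host) == GENUINE_DOMAIN:
        return "genuine"
    # "facebook.com" appearing as the leading labels of a host that is
    # actually registered under some other domain (the .cn pattern).
    if host.startswith(GENUINE_DOMAIN + "."):
        return "subdomain-spoof"
    # Single-letter swaps and padded spellings of the brand name.
    second_level = registrable_domain(host).split(".")[0]
    if SequenceMatcher(None, second_level, BRAND).ratio() >= LOOKALIKE_RATIO:
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Map each link to its verdict, for checking a batch of received links."""
    return {url: classify_login_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links modelled on the hosts named in the post.
    for link, verdict in triage([
        "https://www.facebook.com/login.php",
        "http://www.fanebook.com/login",
        "http://falielbook.com/",
        "http://facebook.com.videos.example.cn/",
    ]).items():
        print(f"{verdict:16} {link}")
```

The hostname, not the page content, is the only reliable signal here: a pixel-perfect copy of the login form scores "lookalike" or "subdomain-spoof" just the same.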
Curious about how the attack worked, I created a fake Gmail account and used that to log into the fake site. As I suspected, I was simply redirected to facebook.com, but because I had logged out of that account I was presented with the following screen, with an official message from the Facebook team: "Warning: Facebook detected a potential scam to steal your account! To prevent future problems, please reset your password."
I will be monitoring the fake Facebook account over the next couple of days to see if it starts sending out links. If you want to monitor it as well, the name on the account is Rutherford Covington (rutherfordcovington@gmail.com).
This type of scam is nothing new. PayPal has been battling email-based login scams for years, and eventually adopted the policy of never asking customers to log into their accounts from a link in an email. This attack, however, plays out much differently for a social networking site like Facebook than it does for a service like PayPal. For one, Facebook users are used to receiving many notifications by way of email and often have to log into their accounts to view them. The tell that gave this one away, that most users have cookies enabled and so should already be logged in rather than facing a login screen, will most likely be lost on less internet-savvy people, but even more troublesome is the fact that many people access their Facebook accounts from computers other than their own, where no such session exists.
Secondly, the most disturbing aspect of Facebook-targeted phishing attacks is the nature of social networking. There is no need for scammers to scrape emails from websites and send out mass emailing scams to reach their marks; they can just sit back and watch the victims do the work for them, without having to worry about CAN-SPAM blacklists. This happens much in the same way a communicable disease spreads across a population.
On top of all this, many people (myself included, as much as I hate to admit it) use the same password for multiple accounts and services, which means these scammers could potentially gain access to a wide variety of accounts, including online banking, PayPal, email accounts, and more. It seems the age of innocence on Facebook has come to an abrupt and startling end.
It will be interesting to observe how Facebook responds to these attacks. Email alerts are a vital component of the site and are no doubt one of the major driving factors for increasing repeat visits. If Facebook were forced to end all email notices it would be a major blow to the site. A permanent message at the top of the login screen that alerts users to check the URL in the address bar, or perhaps even to type it in manually, may be a potential fix, as the scammers would need to duplicate that message in order to be perceived as authentic.
Whatever the fix, the folks over at Facebook had better do it quickly. This attack is spreading far and with astonishing speed. Who knows how many accounts have been compromised already? The number could be staggering.
Update:
Just as I predicted, Rutherford Covington - the fake Facebook profile I set up to test the phishing scam - wasted no time sending me the same "crazy and funny vid" link. I was still able to log into the account, which means the phishers aren't changing the passwords right away, at least not in this case. They must have a script they run whenever a password gets phished, because this happened so quickly.
Dino on Saturday, August 16, 2008 at 05:25PM
Thanks for the early warning, man. I hope I didn't fall victim to this. That phishing trick was really clever.
TZAR KALL on Monday, August 18, 2008 at 01:37AM
exactly
it's good i was aware of the existence of phishing
and that i knew facebook never logs off spontaneously
Coady Cameron on Monday, August 18, 2008 at 08:52AM
damn... i'm a victim....