Another phishing attack … or two or three targeting Facebook.
TechCrunch provides the details of the original attack on April 29.
If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction.net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends.
The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
Facebook blocked outgoing links to the domain, IE8 and others started flagging it as suspicious, and GoDaddy then pulled the plug on the domain.
However, it appears there are a few variations out there now.
One is krmked.net; details can be found here.
Another is fbstarter.com; here are the details.
But now there seems to be a new one linking to http://fbstarter.com/. It comes in the form of a message from a friend telling you to “Look at this!” When you click on the link, you are taken to what appears to be a Facebook sign-in page. If you go ahead and sign in, the phishers have access to your account and can then send messages to all of your friends.
I just got one of these messages. It looks like this:
Joshua sent you a message.
Subject: Look at this!
And fbstarter is hyperlinked.
Facebook, to its credit, jumped quickly on this one as well, according to TechCrunch:
We’ve already blocked http://www.fbstarter.com from being shared on Facebook. You’ve probably seen what this looks like but I’m including a screenshot. Now, we’re deleting that URL from walls and inboxes. We’ve also blocked access to the URL so if someone does find it on Facebook (on their wall, in their inbox, or in an email notification) it won’t send them to the destination. Finally, we’ll automatically reset the password on any account that sent the malicious link. Thus, the data becomes useless to the bad guys very quickly.
In addition, we work with MarkMonitor (they made an announcement today). We send them URLs and they get them added to the browser blacklists and work to get the sites taken down. I’ve included a screenshot of the warning from Firefox that resulted from their work on the phishing attack yesterday (fbaction.net). They got that site taken down, too. Today’s site (fbstarter.com) has been down most of the morning. MarkMonitor and Facebook are watching it closely, though.
The key to not falling victim is to not just click something without first checking where the hyperlink actually points, since a phishing link carries its real destination behind the text it displays.
Of course, if it seems to be something a friend wouldn’t send, don’t open it without checking with them.
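The check described above, as an added example that is not part of the original post: it pulls every link out of an HTML notification and flags those whose real destination is not the expected domain, or whose visible text names a different host than the href (the way the messages here showed a friendly link while pointing at fbaction.net or fbstarter.com). The expected domain facebook.com and the sample message are assumptions for illustration.

```python
"""Flag suspicious links in an HTML notification. Added example, not the post's code:
flags a link whose href host is not the expected domain, or whose visible text names
a different host than the real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"  # assumption: the only host treated as genuine
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)  # URL-like link text

def host_of(url):
    # Lower-cased host of a URL, or '' when it has none.
    return (urlsplit(url).hostname or "").lower()

def host_in_text(text):
    # Host named by the visible link text, or '' if the text is not URL-like.
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, text, reason)] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real, shown = host_of(href), host_in_text(text)
        if shown and shown != real:  # text says one site, link goes to another
            flagged.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif real != LEGIT_DOMAIN and not real.endswith("." + LEGIT_DOMAIN):
            flagged.append((href, text, f"destination {real} is not {LEGIT_DOMAIN}"))
    return flagged

# Constructed sample resembling the notification the post describes.
SAMPLE = ('<a href="http://fbstarter.com/">fbstarter</a> '
          '<a href="http://fbaction.net/login">http://www.facebook.com/login</a> '
          '<a href="https://www.facebook.com/inbox">Go to your inbox</a>')
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the genuine facebook.com one alone.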