Another phishing attack …


or two or three targeting Facebook.

TechCrunch provides the details of the original attack on April 29.

If you get an email message that looks to be from Facebook with the subject, “Hello,” and featuring the text below, don’t bother clicking on the link included. Doing so takes you to a site called fbaction.net that mimics the look of the main Facebook login page, hoping to get you to sign in. Naturally, if you do that, the site will have access to your account and can send out more of these messages to your friends.

The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):

YOURFRIEND sent you a message.

Subject: Hello

“Visit http://www.facebook.com/l/4253f;http://fbaction.net/”.

Facebook blocked outgoing links to the domain while IE8 and others started flagging it as suspicious before GoDaddy pulled the plug on the domain.

However, it appears there are a few variations out there now.

One is krmked.net; details can be found here.

Another is fbstarter.com; here are the details.

But now there seems to be a new one linking to http://fbstarter.com/. It comes in the form of a message from a friend telling you to “Look at this!” When you click on the link, you are taken to what appears to be a Facebook sign-in page. If you go ahead and sign in, the phishers have access to your account and can then send messages to all of your friends.

I just got one of these messages. It looks like this:

Joshua sent you a message.

Subject: Look at this!

“fbstarter.com”

And fbstarter is hyperlinked.

Facebook, to its credit, jumped quickly on this one as well, according to TechCrunch:

We’ve already blocked http://www.fbstarter.com from being shared on Facebook. You’ve probably seen what this looks like but I’m including a screenshot. Now, we’re deleting that URL from walls and inboxes. We’ve also blocked access to the URL so if someone does find it on Facebook (on their wall, in their inbox, or in an email notification) it won’t send them to the destination. Finally, we’ll automatically reset the password on any account that sent the malicious link. Thus, the data becomes useless to the bad guys very quickly.

In addition, we work with MarkMonitor (they made an announcement today). We send them URLs and they get them added to the browser blacklists and work to get the sites taken down. I’ve included a screenshot of the warning from Firefox that resulted from their work on the phishing attack yesterday (fbaction.net). They got that site taken down, too. Today’s site (fbstarter.com) has been down most of the morning. MarkMonitor and Facebook are watching it closely, though.

The key to not falling victim is to look at where a hyperlink actually points before clicking it. The links in these messages either start with a real facebook.com address that carries the phishing site on the end (as in http://www.facebook.com/l/4253f;http://fbaction.net/, where everything after the semicolon is the true destination) or use a domain such as fbstarter.com that merely looks Facebook-related. The visible text of the link tells you nothing; the destination does.
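The check described above, worked through as an added example (this is not code from the original post, and it is not anything Facebook or TechCrunch published). It takes the two link shapes quoted in the post, the facebook.com/l/<token>;<destination> redirect and the bare fbstarter.com domain, unwraps the redirect and reports the host the browser would really land on. The redirect format is inferred from the single sample in the post, the "trusted host" rule (facebook.com and its subdomains) is an assumption for the example, and the sample links beyond those two are constructed to show the usual lookalike tricks.

```python
"""Added example: report where a 'Facebook' notification link really goes.

Not code from the original post. The redirect shape is inferred from the
one sample the post quotes:

    http://www.facebook.com/l/4253f;http://fbaction.net/

The trusted-domain rule and the extra sample links are assumptions made
for this example.
"""
from urllib.parse import urlsplit


def _split(url: str):
    # The second message in the post shows a bare "fbstarter.com"; treat a
    # scheme-less link as http so urlsplit can pick out the host.
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def is_facebook_host(host: str) -> bool:
    """Exact-domain check (assumed rule): facebook.com or a subdomain of it.
    'www.facebook.com.fbaction.net' must NOT pass, so do not use 'in'."""
    host = host.lower().rstrip(".")
    return host == "facebook.com" or host.endswith(".facebook.com")


def effective_destination(href: str, max_hops: int = 5) -> str:
    """Follow the facebook.com/l/<token>;<destination> wrapper and return
    the URL the browser would finally load. Bounded, so a redirect nested
    inside another redirect cannot loop forever."""
    url = href.strip()
    for _ in range(max_hops):
        parts = _split(url)
        wrapped = (
            is_facebook_host(parts.hostname or "")
            and parts.path.startswith("/l/")
            and ";" in parts.path
        )
        if not wrapped:
            break
        # Everything after the first ';' in the path is the real target.
        url = parts.path.split(";", 1)[1]
    return url


def classify_link(href: str) -> tuple:
    """Return (verdict, host): 'trusted' when the final destination is on
    facebook.com, otherwise 'offsite'."""
    dest = effective_destination(href)
    host = (_split(dest).hostname or "").lower()
    return ("trusted" if is_facebook_host(host) else "offsite", host)


# Constructed sample links: the two from the post plus common tricks.
SAMPLE_LINKS = [
    "http://www.facebook.com/l/4253f;http://fbaction.net/",
    "fbstarter.com",
    "http://www.facebook.com/inbox/",
    "http://www.facebook.com.fbaction.net/login",   # facebook.com as a subdomain
    "http://www.facebook.com@fbstarter.com/",       # facebook.com as userinfo
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, host = classify_link(link)
        print(f"{verdict:8} {host:35} <- {link}")
```

Run it and the two links from the post both come out as "offsite" (fbaction.net and fbstarter.com), while a genuine inbox link stays "trusted". The last two samples show why the host is compared exactly rather than by searching for "facebook.com" in the string: a lookalike subdomain and a userinfo prefix both contain that text and both leave Facebook.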

Of course, if it seems like something a friend wouldn't send, don't open it without checking with them first.


About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on May 1, 2009, in Facebook, Phishing, Security.

