Joined: 09 December 2003
May 22, 2009 | 03:58 PMBy Tim Wilson
Social networking site Facebook, which has been the target of several phishing and malware attacks during the past few months, is under the gun again.
Researchers at email and Web security service provider AppRiver on Thursday spotted a phishing exploit on Facebook that is spreading across the community. The phish enables hackers to steal logon and password data, as well as change end users' account information, effectively locking them out of their own accounts.
Security researchers at Cloudmark also have spotted the phishing attack.
The simple attack begins with an email message bearing the subject line "Hello," according to Fred Touchette, senior security analyst at AppRiver. The body of the message reads, "Check areps.at" The message then offers a Facebook link to reply to the message.
When users click on the link, they are brought to a fraudulent Facebook page that requests their account information and then routes them to their own Facebook page as it captures the login data, Touchette says. In some cases, the attackers use the login data to immediately change the users' passwords, effectively locking them out of their accounts.
In addition to areps.at, AppRiver has spotted the same attack coming from several other sources, including bests.at, brunga.at, kirgo.at, nutpick.at, and fcoder.at. These sources bypass some spam filters because they are not structured as full URLs, AppRiver researchers say.
The phishing attack is surprisingly simple and not particularly well-concealed, Touchette observes. For example, it doesn't require CAPTCHA authentication -- which Facebook usually does -- and the destination URL of the fraudulent login page does not contain the word "Facebook" -- which the real logon page does, he notes.
"We're not sure what the [phishers] were thinking, using such a simple attack and then locking users out of their accounts," Touchette says. "Usually, in more sophisticated [exploits] the attacker would quietly maintain access to the account for as long as possible, rather than tipping off the victim."
Both AppRiver and Cloudmark researchers say they expect to see more such attacks on Facebook because of its popularity and the site's viral nature of communications, which makes it easy for attacks to spread.
"Phishing and spam will continue to increase on social networks as users migrate large portions of their Internet activity, such as email, to these properties," says Adam O'Donnell, Cloudmark's director of emerging technologies. "Finding a cost-effective mechanism for remediating phished accounts is now a priority for Facebook and other social network sites. They need to figure out how to reset these people's passwords and contact them without priming their user population for an email-based phishing attack."
A very simplistic Facebook phishing attack is spreading through the popular social network, says AppRiver senior security analyst Fred Touchette.
It arrives as a Facebook message titled "Hello," and has been asking recipients to "Check areps.at" or "Check bests.at" At least two USA TODAY reporters received these bogus messages this morning.
If you click on the hyperlink it will take you to a fake Facebook login page, where you will be prompted to type your username and password. If you're gullible enough to click to the fake page and type in your credentials, your password will be changed, and you'll be locked out of your account, says Touchette. The bad guys will then use your account to replicate the attack to everyone on your friends list, he says.
Since Facebook requires anyone who sends a message containing a hyperlink to first solve a captcha puzzle, these bad guys evidently are retaining captcha solvers to get their attack moving. This elementary phishing attack underscores two points: it remains cheap and easy for crooks to use botnets to automate phishing attacks; and there's profit in getting even a tiny percentage of recipients to fall for even the crudest of ruses.
"I'm willing to bet these people are jumping on the bandwagon and trying to take advantage of all the Facebook activity," says Touchette. "It's very curious that they lock out the user, which throws up a red flag. They certainly don't have to do that."
Word just arrived from AppRiver that the bad guys, in an effort to stay one step ahead of spam filters, have begun directing message recipients to fake login pages at these links: brunga.at, kirgo.at, nutpic.at, and fcoder.at.
Joined: 11 January 2008
Joined: 27 January 2007
Joined: 23 January 2009
Joined: 29 August 2005
Joined: 05 March 2007
Joined: 08 October 2007
Joined: 07 October 2008
|Topics||Topic Starter||Replies||Views||Last Post|
|Like A Post ? Share with Facebook Friends||vijay||33||13231||11 September 2008 at 11:08pm
|Alert: Hacking attempt on India-Forums||vijay||61||5291||30 July 2008 at 9:07am
|ALERT:Mysterious Entry Into India Forums!||Diva||85||6125||13 March 2006 at 11:19pm