A Naked Security reader (you know who you are - thanks!) just reported that a friend posted an unexpected message on her wall - and on the walls of numerous mutual friends. She recognised the message as a typical watch-this-video survey scam, and stayed well away from it.
The message says, "Hey, [name]!! What the heck are you doing in this video! LOL", and links directly to a Facebook application:
You might think that clicking the link just to have a peek might be harmless enough. After all, to get infected by a rogue application and to start spamming your friends, you still need to give that app permission to act on your behalf. As long as you stop short of that final step, you'll be OK just poking around, right?
Not necessarily.
In this case, the link - which looks legitimate enough because of the "facebook.com" domain - ends up taking you not to an application installer, but apparently directly to a video-hosting site. For a brief moment, you'll see a web page opening with the title "Videos here - Powered by CO.CC":

For once, perhaps you're going to get to see the promised video before you're asked to Like it, or to install an app, or to take a pesky survey!
But there are neither videos nor any links to videos on the offending web page. Instead, it uses a JavaScript trick to redirect you to yet another site, which pops up a fake Facebook login page:

Even if you're a Sophos user, and protected against visiting this sort of scam site by both Sophos Endpoint Security and Control, and by the Sophos Web Appliance, please don't tempt fate.
Do what our Naked Security reader did. She assumed the link didn't come from her friend, and got rid of it. How hard is that?
Remember: curiosity killed the cat.
(If you're a member of Facebook don't forget to join the Sophos Facebook page to stay up-to-date with the latest security news.)

Don't you think a little more detail about what happens if somebody does put in their credentials, and where exactly the server of this fake website is located, would help your readers?
Yes...and no. By publishing the exact URIs, I give precise coordinates for people to go and get dodgy content. Also, I run the risk of people watching specifically for _those_ URIs, which the Bad Guys can easily change.
Better IMO to give _generic_ advice on what to look for - an incorrect URI (in this case, a misspelling of "facebook") and no HTTPS in use.
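The two generic warning signs given above, a hostname that merely resembles "facebook.com" and a login page served without HTTPS, can be turned into a simple check. This is an added Python example, not code from the original post; the trusted-domain list and the sample URLs in the test are constructed for illustration.

```python
# Added example (not from the original post): flag the two warning signs the
# article names for a page asking for Facebook credentials. The trusted-domain
# set below is an assumption chosen for this illustration.
from typing import List
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (sufficient for .com domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def login_page_warnings(url: str) -> List[str]:
    """Return the warning signs present in a URL that requests Facebook credentials."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no HTTPS")
    if domain not in TRUSTED_DOMAINS:
        # A host that contains or nearly spells "facebook" but is not facebook.com
        # is the misspelling / lookalike case the article describes.
        name = domain.split(".")[0]
        if "facebook" in host or edit_distance(name, "facebook") <= 2:
            warnings.append(f"lookalike host: {host}")
        else:
            warnings.append(f"untrusted domain: {domain}")
    return warnings
```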
Ok, I will attempt to explain in a little detail what happens when you click this. I am explaining because I am a publisher on CPALead (the network scammers use to make money on Facebook), and know 2 publishers from there who used this to make over $100,000 in a week.
Just for the record I am not a scammer, and no longer use CPALead because they allow publishers to abuse Facebook.
Once you put your username and password in the box it gets stored on the scammer's server. The scammer can't directly login to your account because it will get roadblocked. If you login to an account on a different or new IP you're asked security questions. But, the scammers have a way around it.
They use mobile eBuddy (m.ebuddy.com) to log into Facebook and send all your friends chat messages. Instead of the login request coming from the scammer's computer it's coming from eBuddy, which has a whitelisted IP address.
This is something Facebook cannot really control, but rather than Facebook trying to control it networks such as CPALead should be removing publishers using illegal money making methods. But, we all know they won't do that.
Ah, just logging into your account from a different IP doesn't trigger Facebook's warning (at least as far as one can tell, given that you can only "black box" cloud services to assess their behaviour, which is a security review issue all of its own).
Seems the new IP number needs to be in a completely different location from the previous one before Facebook gets worried. Otherwise the many users who are on dynamic IPs from their service providers would get tripped up with security questions day after day, and Facebook wouldn't like that.
Since the scammers who have phished your username and password also get your current IP number when you post the credentials to their server, I strongly suspect that all they really need to log into your account directly is a proxy in the same geographical region.
(There's another gotcha, namely that they just stole your password, and many people use the same password for several accounts.)
Is the following page malicious as well?
hxxp://www.facebook.com/pages/This-is-awkward-haha-its-still-awkward-/
Just checked that URI (at 2010-12-31T08:54+11) and it's no longer available. (I also tried removing the final dash, just in case. Same thing: Facebook's "not found" error.)
Facebook also seems to have taken the application link mentioned in the article off the air, too.
That probably answers your question :-)
I know CO.CC. They're a company that offers free URLs. I use them myself.