New Facebook phish: in-depth

When it comes to social networking threats, when it rains, it pours. Sophos’s David Schwartzberg alerted me to a new Facebook attack this evening that could lure in even the most sophisticated of computer users.
Facebook chat window

It started out with David getting a random chat from a Facebook friend. Since David works for Sophos, his Spidey sense was tingling.

He suspected something was up based on the begging, pleading, and misspelling. He sent a quick note to me asking SophosLabs to investigate.

Using SophosLabs tools, I was able to determine that the site in question does not contain malware. Good start. So what is the story with vote-me.XX?

It’s a phish, of course. If you visit the website in the link, you get a great replica Facebook login page.

Facebook phish page

As you can see, the phish page has a Facebook copyright of 2008 instead of 2010, as well as having the ISP’s banner attached to the bottom. It’s very subtle and took a while for me to notice.
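
The two tells described above (a copyright year that has fallen behind, and Facebook branding served from a host that is not Facebook's) can be turned into a simple defender-side heuristic. The following is an added example, not code from the original post or from Sophos: it scores a login page's URL and HTML and returns the indicators it finds. The HTML snippets are constructed stand-ins for the replica page and the real one, `vote-me.example` is a placeholder for the redacted domain in the post, and the list of legitimate Facebook hostnames is an assumption. The ISP banner the post mentions is not checked, since it has no generic signature.

```python
"""Heuristic phish-page check (added example, not the original post's code)."""
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate hosts; extend for real deployments.
FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}

# Matches "© 2008", "&copy; 2008", "(c) 2008" or "Copyright 2008",
# optionally with "Facebook" between the symbol and the year.
COPYRIGHT_RE = re.compile(
    r"(?:©|&copy;|\(c\)|copyright)\s*(?:facebook\s*)?(\d{4})", re.IGNORECASE
)

# Constructed sample: a replica login page on a non-Facebook host.
PHISH_HTML = """
<html><head><title>Facebook | Login</title></head>
<body><form><input name="email"><input name="pass" type="password"></form>
<p class="footer">Facebook &copy; 2008</p>
<div class="isp-banner">Free hosting by Example ISP</div></body></html>
"""

# Constructed sample: what the genuine page of that year might carry.
LEGIT_HTML = """
<html><head><title>Welcome to Facebook</title></head>
<body><form><input name="email"><input name="pass" type="password"></form>
<p class="footer">Facebook © 2010</p></body></html>
"""


def copyright_year(html):
    """Return the first copyright year found in the page, or None."""
    match = COPYRIGHT_RE.search(html)
    return int(match.group(1)) if match else None


def is_facebook_host(url):
    """True if the URL's host is Facebook itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return host in FACEBOOK_HOSTS or host.endswith(".facebook.com")


def phish_indicators(url, html, current_year):
    """Return a list of human-readable indicators; empty means none found."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    claims_facebook = re.search(r"facebook", html, re.IGNORECASE) is not None
    if claims_facebook and not is_facebook_host(url):
        findings.append(f"Facebook branding served from non-Facebook host: {host}")
    year = copyright_year(html)
    if year is not None and year < current_year:
        findings.append(f"stale copyright year {year} (current year is {current_year})")
    return findings


if __name__ == "__main__":
    # Placeholder URL standing in for the redacted vote-me.XX domain.
    for url, html in (("http://vote-me.example/login", PHISH_HTML),
                      ("https://www.facebook.com/login.php", LEGIT_HTML)):
        print(url, "->", phish_indicators(url, html, 2010) or "no indicators")
```

Run against the constructed samples with the year set to 2010, the replica page yields both indicators and the genuine page yields none. A stale copyright year alone is weak evidence (plenty of real sites forget to update it), so treat the host mismatch as the decisive signal and the year as corroboration.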

Users who succumbed to the attack entered their credentials into the false login page. They were then redirected to a real Facebook login page that prompted them again for login details. Users immediately suspected that they may have typo’d their password and tried again. On the second attempt, they successfully logged in to Facebook.

On further exploration, I discovered a file on the server hosting the attack that contained all of the usernames and passwords acquired by the attackers.

Phished credentials file

I was able to determine from the log that the Facebook friend who had chatted with my colleague had logged into this page about 7 hours prior. This is an excellent example of how phishers are able to spread the threat through controlling your online identity and spending your friendship capital. People are far more likely to trust a link from a friend than a stranger.

I have notified Facebook of the attack, and hope they take action to prevent further exploitation. If you look at the password file snippet I included, you will note that one of the victims’ passwords is “123456”. As I have noted many times previously, you must choose a secure password, and be sure to have a unique password for every site.

Advise those you know to never click links in email, chat, Twitter, and other services. Think before you click.