You might like

7 Responses to Beware the Facebook "awkwardhaha" scam

  1. Don't you think a little more detail about what happens if somebody does put in there credentials and where exactly is the server located of this fake website would help your readers??

    • Paul Ducklin · 1702 days ago

      Yes...and no. By publishing the exact URIs, I give precise coordinates for people to go and get dodgy content. Also, I run the risk of people watching specifically for _those_ URIs, which the Bad Guys can easily change.

      Better IMO to give _generic_ advice on what to look for - an incorrect URI (in this case, a misspelling of "facebook") and no HTTPS in use.

  2. Chris M · 1702 days ago

    Ok, I will attempt to explain a little in detail what happens when you click this. I am explaining because I am a publisher on CPALead (the network scammers use to make money on Facebook), and know 2 publishers from there who used this to make over $100,000 in a week.

    Just for the record I am not a scammer, and no longer use CPALead because they allow publishers to abuse Facebook.

    Once you put your username and password in the box it gets stored on the scammers server. The scammer can't directly login to your account because it will get roadblocked. If you login to an account on a different or new IP you're asked security questions. But, the scammers have a way around it.

    They use mobile ebuddy ( to log into Facebook and send all your friends chat messages. Instead of the login request coming from the scammers computer it's coming from eBuddy, which has a white listed IP address.

    This is something Facebook cannot really control, but rather than Facebook trying to control it networks such as CPALead should be removing publishers using illegal money making methods. But, we all know they won't do that.

    • Paul Ducklin · 1702 days ago

      Ah, just logging into your account from a different IP doesn't trigger Facebook's warning (at least as far as one can tell, given that you can only "black box" cloud services to assess their behaviour, which is a security review issue all of its own).

      Seems the new IP number needs to be in a completely different location from the previous one before Facebook gets worried. Otherwise the many users who are on dynamic IPs from their service providers would get tripped up with security questions day after day, and Facebook wouldn't like that.

      Since the scammers who have your phished your username and password also get your current IP number when you post the credentials to their server, I stringly suspect that all they really need to log into your account directly is a proxy in the same geographical region.

      (There's another gotcha, namely that they just stole your password, and many people use the same password for several accounts.)

  3. Is the following page malicious as well ?

    • Paul Ducklin · 1702 days ago

      Just checked that URI ( at 2010-12-31T08:54+11) and it's no longer available. (I also tried removing the final dash, just in case. Same thing: Facebook's "not found" error.)

      Facebook also seems to have taken the application link mentioned in the article off the air, too.

      That probably answers your question :-)

  4. bbbbwebproductions · 1698 days ago

    I know CO.CC. Their a company that offer free URLS. I use them myself

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog