Facebook phishing: Can you spot the difference?

Filed Under: Data loss, Facebook, Phishing, Privacy, Social networks, Spam

We've seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.

Here's a typical message:

Facebook phishing message

hello have you seen this recent video on the president? What is he doing in it?! LOL

What's the president doing in this video. OMG LOL!

Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with ".co.cc" contain "bad stuff". Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.

And what sort of name is hzjqorbbmdnf anyway?
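The two warning signs the article has raised so far, a destination that is not facebook.com and a host under a free third-level domain provider such as .co.cc or .cz.cc, can be checked mechanically before anyone clicks. The following is an added example written for this page, not code from the original article or from Sophos: it pulls the links out of a message, looks at the hostname alone (not the text around it), and explains why a link is flagged. The message texts and hostnames below are constructed for the example and are not the real domain from the campaign.

```python
"""Classify links in a social-media message from a defender's point of view:
is the destination really Facebook, or a free-subdomain lookalike?

Added example for this article; sample messages and hostnames are constructed.
"""
import re
from urllib.parse import urlsplit

# The only domain a genuine Facebook login page should live under.
GENUINE_DOMAIN = "facebook.com"

# Free third-level domain providers the article singles out as heavily abused.
FREE_SUBDOMAIN_SUFFIXES = (".co.cc", ".cz.cc")

# Good enough for chat/wall-post text: stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without userinfo, port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_genuine_facebook_host(host: str) -> bool:
    # Exact domain or a real subdomain of it. Lookalikes such as
    # "facebook.com.evil.co.cc" or "notfacebook.com" fail this test because
    # the check is anchored at the end of the hostname.
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)


def classify_url(url: str) -> dict:
    """Return host, genuineness, a verdict and the reasons behind it."""
    host = host_of(url)
    genuine = is_genuine_facebook_host(host)
    reasons = []
    if not genuine:
        if any(host.endswith(s) for s in FREE_SUBDOMAIN_SUFFIXES):
            reasons.append("free third-level domain provider (.co.cc / .cz.cc)")
        if "facebook" in host:
            reasons.append("host contains 'facebook' but is not facebook.com")
        if not reasons:
            reasons.append("host is not facebook.com")
    if urlsplit(url).scheme.lower() != "https":
        reasons.append("plain http, no TLS")
    if not genuine:
        verdict = "suspect"
    elif reasons:
        verdict = "warning"   # right site, but credentials would travel in the clear
    else:
        verdict = "ok"
    return {"url": url, "host": host, "genuine": genuine, "verdict": verdict, "reasons": reasons}


def scan_message(text: str) -> list:
    """Classify every link found in a message."""
    return [classify_url(u) for u in URL_RE.findall(text)]


# Constructed sample messages in the style of the ones quoted in the article.
SAMPLE_MESSAGES = [
    "hello have you seen this recent video on the president? "
    "http://video-of-president.example.co.cc/fb/ LOL",
    "log in here to watch http://www.facebook.com.login-check.example.cz.cc/index.php",
    "real thing: https://www.facebook.com/login.php",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for result in scan_message(msg):
            print(result["verdict"].upper(), result["host"], "; ".join(result["reasons"]))
```

The point of `is_genuine_facebook_host` is that it is anchored on the end of the hostname: a phisher can put "facebook.com" anywhere to the left of the real registrable domain, but cannot make the hostname end in ".facebook.com" without controlling that domain.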

Regardless of the dodgy-looking nature of the link - what happens if you click on it?

Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it's a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they'll type in their credentials without thinking.
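What makes the page a phishing page is not how it looks but where its login form sends the email address and password. The following is an added example written for this page, not code from the article or from Sophos: it parses a login page with Python's standard `html.parser`, finds every form that contains a password field, resolves the form's `action` against the page URL (a relative action posts back to the phisher's own host) and reports whether the credentials would reach facebook.com over HTTPS. Both HTML documents and the fake host `phish-sample.example.co.cc` are constructed for the example; only `www.facebook.com/login.php` is a path the article and its comments mention.

```python
"""Where does a login form actually send credentials?

Added example for this article; the HTML pages and the phishing hostname
are constructed and are not the real campaign's.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GENUINE_DOMAIN = "facebook.com"


def is_facebook_host(host: str) -> bool:
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password_field": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password_field"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_sinks(page_url: str, html: str) -> list:
    """For every form that collects a password, report its resolved target."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    sinks = []
    for form in parser.forms:
        if not form["password_field"]:
            continue  # search boxes and the like are not credential sinks
        target = urljoin(page_url, form["action"])  # "" or relative -> same host as page
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        sinks.append({
            "target": target,
            "host": host,
            "genuine": is_facebook_host(host),
            "https": parts.scheme.lower() == "https",
        })
    return sinks


# Constructed stand-in for the phishing page: relative action, plain http.
FAKE_PAGE_URL = "http://phish-sample.example.co.cc/login.php"
FAKE_PAGE = """<html><head><title>Log in | Facebook</title></head><body>
<form method="post" action="collect.php">
Email <input type="text" name="email">
Password <input type="password" name="pass">
<input type="checkbox" name="persistent"> Keep me logged in
<input type="submit" value="Log in">
</form></body></html>"""

# Constructed stand-in for the genuine page: an extra search form with no
# password field, and a login form posting to facebook.com over HTTPS.
GENUINE_PAGE_URL = "https://www.facebook.com/"
GENUINE_PAGE = """<html><body>
<form action="/search/"><input type="text" name="q"></form>
<form method="post" action="https://www.facebook.com/login.php">
Email address <input type="text" name="email">
Password <input type="password" name="pass">
<input type="submit" value="Log in">
</form></body></html>"""

if __name__ == "__main__":
    for label, url, page in (("fake", FAKE_PAGE_URL, FAKE_PAGE),
                             ("genuine", GENUINE_PAGE_URL, GENUINE_PAGE)):
        for sink in credential_sinks(url, page):
            print(label, "->", sink["target"], "genuine" if sink["genuine"] else "NOT facebook",
                  "https" if sink["https"] else "http")
```

Note that a relative or empty `action` is the common case on phishing kits: the form simply posts back to the page that served it, so the resolved target inherits the phisher's host. That is exactly what hovering over the login button reveals in a browser's status bar.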

Here's the fake login page:

The fake Facebook login page

And here's Facebook's genuine login page:

The real Facebook login page

Did you spot all the differences?

Here are the ones I found - well done if you spotted even more!

Starting at the very top -

1. The genuine login page calls itself "Log in" in its title bar. Amusingly, the real Facebook is inconsistent as to whether you "Log in" or "Login" to Facebook as later in the page it refers to "Facebook Login". It's odd to see a phishing page be more professional than the real thing.

2. That's clearly not Facebook's genuine URL. Interestingly, other pages on the domain contain clickjacking scams.

3. The real page gives me more language options - including UK English and Welsh which aren't available on the phishing page. It's possible that the real Facebook is doing some GEO-IP lookups and determined that I'm visiting from the UK - maybe users in other countries don't see those options.

4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.

5. There are many more link options made available to me in the footer of the real login page, including "Badges", "Mobile", "People", etc.

There's bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.

If you're on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.

Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.

More differences



64 Responses to Facebook phishing: Can you spot the difference?

  1. Ken Domingo · 1584 days ago

    the "Set Facebook as my homepage" checkbox doesn't appear in the phishing site..

    • Well spotted! There are some other differences too. Leave a comment if you spot them.

      • CTA · 1584 days ago

        Email/email address, Forgot/forgotten password, and glaringly - the browser security settings indicate an unsecured site (unlocked padlock) on the phishing site.

    • sfox · 1584 days ago

      That was the first thing I noticed.

  2. the real login page uses https:// and you can see the bar next to the address bar which shows that it is a secure site. this usually appears in Firefox

    the phishing site, on the other hand, is unsecured

  3. Joel · 1584 days ago

    The fake one also says "Email" rather than "Email Address" the fake one also says "Forgot" rather than "Forgotten" your password. :)

  4. Phil · 1584 days ago

    I don't think Facebook is inconsistent in its use of Login/Log in. The noun form is Login, telling you this is the Login screen or area. The verb form is Log in, giving you a link, for instance, where you can Log in. It appears correct to me.

  5. Joakim Boström · 1584 days ago

    The phishing page says: Forgot your password?, while the real says: Forgotten your password?

  6. Super Spotter · 1584 days ago

    The fake one says 'Email' whereas the real one says 'Email Address'

    Also, the fake says 'Forgot your password?' and the real says 'Forgotten your password?'

    Minor Differences, but all the more obvious that the site is a fake.

  7. B.Y. · 1584 days ago

    In the genuine under the log in button it says "Forgotten your password?" and the fake says "Forgot your password?".

  8. the real login page uses https:// and you can see the bar next to the address bar which shows that it is a secure site. this usually appears in Firefox. the fake one, on the other hand, is unsecured..

    • Simon Topple · 1565 days ago

      Well, yes you are right in that the data is secure from eavesdropping, given it is going over https.

      However that does not rule out the server it is running on being owned by nefarious individuals, or compromised.

      I think the industry still has a long way to go to equate security to trust. Just seeing a https:// on a site does not mean it is secure, but getting this through to the average user is difficult.

  9. Heather · 1584 days ago

    The real page says "Forgotten your password?" while the phishing page just says "Forgot your password?". Thanks for the great info!

  10. ownedbyrats · 1584 days ago

    The fake page says 'Forgot your password?' but the real one uses 'Forgotten' instead.

  11. Asian Kid · 1584 days ago

    There are more differences. Notice on the genuine log in page, under "password" there will be two check boxes. One says "Keep me logged in" and the other says "Set Facebook as my home page". While the phishing site in shown has only one check box that is "Keep me logged in". If you go to the page itself and click the language links (for example, click Italiano) you will be directed to a warning page by the real Facebook.

    So, if any of you go to a Facebook log in page but you remember you were logged in 10 seconds ago and just clicked a link your friend posted, you should open a new tab/window and go to facebook.com/login.php and compare exactly. Or simply look at the URL, if it is not ____.facebook.com then it's just a scam

  12. The real Facebook page says "email address" and the phishing site just says "email"

  13. I can see some minor differences in spelling but I would have been alerted 1 by the link in the first place and 2 by the URL if i did reach the page. That and I'm guilty of saving my U/N and password in my browser so it should be auto populated.

    I know the dangers of this but I also don't believe on putting anything on-line that I wouldn't want the world to see.

  14. Bungalow Benchly · 1584 days ago

    Forgot your password? vs. Forgotten your password?
    Email vs Email address

    Also, regarding login vs log in. My understanding is that "login" is a noun (i.e., a login page) and that "log in" is a verb phrase (i.e., the page where you log in) and so, therefore, neither site is 100% correct. The real site should say "Login" in the title bar; and the last use of login on the phishing page should actually be "Log in or sign up for Facebook."

  15. Danny Mc · 1584 days ago

    "Forgotten your password?" on the real site; "Forgot your password?" on the phishing site

  16. John Hingston · 1584 days ago

    The email address labels are different: genuine says "Email address"; fake says "Email" only.

  17. t0t4lk40s · 1584 days ago

    Authentic one asks for "Email address" whereas the fake asks for "Email"

  18. Kevin · 1584 days ago

    It says "Email" and not "Email address."

  19. Trish · 1584 days ago

    The security lock on the real page is locked and has https in the URL, as compared to the fake one that is unlocked and has just http in the URL.

  20. Peter · 1584 days ago

    Forgot (Fake) vs Forgotten (Genuine) your password?

  21. Nigel De Wallens · 1584 days ago

    Another point is it is not https on the web address.

  22. Jawad Rashid · 1584 days ago

    On the real facebook page it says "forgotten your password?" and on the fake website it says "forgot your password?"

  23. Sarah G. · 1584 days ago

    The fake one just has email for log in while the real one has email address.

  24. Karen · 1584 days ago

    More differences:

    6. The real facebook log in page URL starts with https:// indicating it has a security certificate.

    (security certificates should always be checked also to see who the certificate was issued to)

    7. the real facebook page has the extra option of "set facebook as my homepage" just above the log in button.

    8. the real facebook page has "Forgotten your password?" under the log in button, the fake page says "Forgot your password?"

    9. the real facebook page uses a slightly different, more elegant and narrow, font for the "Facebook" title

    • abraxiathalgus · 1584 days ago

      All but number 7 and 9 were mentioned in the article, we were only asked to point out OTHER differences, not repeat what had been said.

  25. Fred Buth · 1584 days ago

    Email: vs Email Address:

  26. Zolika · 1584 days ago

    on the genuine page it says email address, and on the fake page says only email.

  27. Rachel · 1584 days ago

    It says "Forgot your password?" rather than "Forgotten your password?"

  28. Penny · 1584 days ago

    The security lock icon is a different colour and open rather than closed on the phishing site.

  29. David · 1584 days ago

    A very important one: The security certificate displays on the real one (the blue bar before the address that says "facebook.com"). The phishing one does not, obviously.

    This is like playing a tech version of "I Spy".

  30. Stefan · 1584 days ago

    on the fake page it says "forgot your password?" and on the real one it is "Forgotten your password?"

  31. mike · 1584 days ago

    Forgot your password? on scam..
    Forgotten your password? on genuine..
    Also Log in and Login apply for the button not just the title..

  32. Andy · 1584 days ago

    The REAL FB page asked for your email address, not just your email!

    Also, the difference between "forgotten" and "forgot"

  33. Jenn · 1584 days ago

    Email vs. Email address

  34. John · 1584 days ago

    look at the padlock in the top right hand corner, different colours...

  35. Eva · 1584 days ago

    Real facebook log in is https not http
    Real Log in had facebook.com highlighted in blue not just the f

  36. Meilyne · 1584 days ago

    Field label on email is different ("Email address" on facebook page and just "Email" on fake page).

  37. John Eiford · 1584 days ago

    fyi, "Log in" is the verb form, "Login" is the noun form. so you "Log in to Facebook with your Facebook login.". fwiw.

  38. ton · 1584 days ago

    I also believe when you actually have a fake page loaded up that not all the usual bits are able to be clicked on compared to a genuine page. I have noticed this on the fake login page before.

  39. T.D. · 1584 days ago

    Don't worry. LARGE class action lawsuit in development against Facebook right now.

  40. dclaar · 1584 days ago

    I was wondering if this was the way facebook looked in 2010? I tried to find the previous page, but couldn't. Maybe they're just a bit behind the times...

  41. jeff · 1584 days ago

    My only issue with this is the fact that it implies that there are no legitimate websites that use the .co.cc web domain. Sure, while many of them, at least posted to facebook, are not good, it's also a pretty popular choice of domain for people using free forum hosts like myself that allow domain changes, because it is a free domain. Which is a good option for those of us who love our websites and want a shorter URL, but can't realistically afford to pay for a domain.

  42. Son of Magni · 1584 days ago

    Of course cosmetic differences don't hurt you. The important thing is to hover your mouse over the Login button and look in the status bar to see where it points. If it's not a facebook url then you're sending your information to someone else...

  43. Pascal · 1584 days ago

    I think that it is misleading to make people believe that the differences are in the text, the layout or the links of the page. A better phishing page could look exactly like the Facebook one.

    IMHO, the only thing that people need to learn is how to read the URL and make sure that the certificate for the HTTPS connection has been created by Facebook. Modern browsers can clearly show this now.

  44. Lety F · 1584 days ago

    Oh, this is a good lesson for the "phishermen" - they will correct the mistakes!
    Can they?

    • Teresa Stokes · 1584 days ago

      I was about to say exactly the same thing! The phishers will study this and resolve to do better next time!

  45. Keith · 1584 days ago

    The question I have in all of this is why would I have to log BACK in to Facebook to see a video in the first place?

  46. abraxiathalgus · 1584 days ago

    Why are people repeatedly pointing out what has been written in the article? More proof perhaps that people don't read?

    I've only seen one difference that was covered in the actual article (I read the whole thing) and that was the 'set facebook as your homepage' link, which has already been pointed out by others.

  47. wheelyjon · 1584 days ago

    Set facebook as home page missing on phishing site

  48. Scott M. · 1583 days ago

    I'll list the differences I found. It's a decent attempt but definitely not one of the better phishing examples I've seen. Here is my list:

    Obvious style differences all over the document.
    Header is different shade, all borders are different shade.
    Sign On button is a different shade and different font.
    Font sizes are slightly different which results in a different document flow.
    Set Facebook as My homepage option missing from counterfeit.
    Background color of div with Sign On button is different shade.
    Message after Sign On button that starts "Facebook helps you connect..." has different font color.

    Also wanted to point out that the https is an option and not on by default (last I checked) so that's not really a good indication. Most people who are savvy enough to turn it on are savvy enough not to click on a dodgy link - at least in my experience.

  49. Ted · 1583 days ago

    So we're now giving fishermen the tip of always copying the very latest target page source literally? Hmmm.

    Surely the URL and the padlock are the key points to look for?

    But if people want to give away their DNS resolution to some proxy in the hope of watching free movies or football on the net, then they are beyond help. Don't point your DNS setting at some server you don't absolutely trust. Really.

  50. I wouldn't be surprised that if you looked at a facebook login page from 2010 they would match ... they just haven't updated their phishing scam page lately.

  51. Jeremie · 1571 days ago

    the problem is not co.cc or cz.cc, which are both 100% legit, the problem is with the people who abuse those domains to spread malware or scams. Just because a bit.ly link points to a virus, you would not block all bit.ly links, would you?

    co.cc and cz.cc are free third level domain providers. They are easily abused because they are free, but they do serve millions of people who can create websites on free domains.

  52. Mahyar · 1510 days ago

    Top Right corner no Lock... Padlock... also the actual log in button itself...

  53. There are many spam messages like this circulating on Facebook and it's very annoying. Good thing FB does what it needs to do to stop this spam that leads to a phishing site.

  54. @hackerkepzes · 1143 days ago

    The easiest way to avoid your account getting hijacked is to always check the url before logging in. That's the most important.

  55. Petar · 1138 days ago

    There is also "set facebook as my homepage" on the real site.

  56. whththckr · 634 days ago

    The fact that there is any difference at all is complete amateurishness. If I set up a phishing page it would be EXACTLY the same. There would be no way to tell at all except maybe the url, even that can be spoofed.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley