Sophos Cloud Optix
We’ve seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.
Here’s a typical message:
hello have you seen this recent video on the president? What is he doing in it?! LOL
or
What's the president doing in this video. OMG LOL!
Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with “.co.cc” contain “bad stuff”. Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.
And what sort of name is hzjqorbbmdnf anyway?
Regardless of the dodgy-looking nature of the link – what happens if you click on it?
Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it’s a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they’ll type in their credentials without thinking.
Here’s the fake login page:
And here’s Facebook’s genuine login page:
Did you spot all the differences?
Here’s the ones I found – well done if you spotted even more!
Starting at the very top –
1. The genuine login page calls itself “Log in” in its title bar. Amusingly, the real Facebook is inconsistent as to whether you “Log in” or “Login” to Facebook as later in the page it refers to “Facebook Login”. It’s odd to see a phishing page be more professional than the real thing.
2. That’s clearly not Facebook’s genuine URL. Interestingly, other pages on the domain contain clickjacking scams.
3. The real page gives me more language options – including UK English and Welsh which aren’t available on the phishing page. It’s possible that the real Facebook is doing some GEO-IP lookups and determined that I’m visiting from the UK – maybe users in other countries don’t see those options.
4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.
5. There are many more link options made available to me in the footer of the real login page, including “Badges”, “Mobile”, “People”, etc.
There’s bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.
If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 180,000 people.
Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.
the "Set Facebook as my homepage" checkbox doesn't appear in the phishing site..
Well spotted! There are some other differences too. Leave a comment if you spot them.
Email/email address, Forgot/forgotten password, and glaringly – the browser security settings indicate an unsecured site (unlocked padlock) on the phishing site.
That was the first thing I noticed.
the real login page uses https:// and you can see the bar next to the address bar which shows that it is a secure site. this usually appears in Firefox
the phishing site, on the other hand, is unsecured
The fake one also says "Email" rather than "Email Address" the fake one also says "Forgot" rather than "Forgotten" your password. 🙂
I don't think Facebook is inconsistent in its use of Login/Log in. The noun form is Login, telling you this is the Login screen or area. The verb form is Log in, giving you a link, for instance, where you can Log in. It appears correct to me.
The phishing page sais: Forgot your password?, while the real sais: Forgotten your password?
The fake one says ‘Email’ wheras the real one says ‘Email Address’
Also, the fake says ‘Forgot your password?’ and the real says ‘Forgotten your password?’
Minor Differences, but all the more obvious that the site is a fake.
In the genuine under the log in button it says "Forgotten your password?" and the fake says "Forgot your password?".
the real login page uses https:// and you can see the bar next to the address bar which shows that it is a secure site. this usually appears in Firefox. the fake one, on the other hand, is unsecured..
Well, yes you are right in that the data is secure from eavsdropping, given it is going over https.
However that does not rule out the server it runing on not being owned by nefarious individuals or compromised.
I think the industry still has a long way to go to equate security to trust. Just seeing a https:// on a site does not mean it is secure, but getting this through to the average user is difficult.
The real page says "Forgotten your password?" while the phishing page just says "Forgot your password?". Thanks for the great info!
The fake page says 'Forgot your password?' but the real one uses 'Forgotten' instead.
There are more differences. Notice on the genuine log in page, under "password" there will be two check boxes. One says "Keep me logged in" and the other says "Set Facebook as my home page". While the phishing site in shown has only one check box that is "Keep me logged in". If you go to the page itself and click the language links (for example, click Italiano) you will be directed to a warning page by the real Facebook.
So, if any of you go to a Facebook log in page but you remember you were logged in 10 seconds ago and just clicked a link your friend posted, you should open a new tab/window and go to facebook. com/login.php and compare exactly. Or simply look at the URL, if it is not ____.facebook.com then it's just a scam
The real Facebook page says "email address" and the phishing site just says "email"
I can see some minor differences in spelling but I would have been alerted 1 by the link in the first place and 2 by the URL if i did reach the page. That and I'm guilty of saving my U/N and password in my browser so it should be auto populated.
I know the dangers of this but I also don't believe on putting anything on-line that I wouldn't want the world to see.
Forgot your password? vs. Forgotten your password?
Email vs Email address
Also, regarding login vs log in. My understanding is that "login" is a noun (i.e., a login page) and that "log in" is a verb phrase (i.e., the page where you log in) and so, therefore, neither site is 100% correct. The real site should say "Login" in the title bar; and the last use of login on the phishing page should actually be "Log in or sign up for Facebook."
"Forgotten your password?" on the real site; "Forgot your password?" on the phishing site
The email address labels are different: genuine says "Email address"; fake says "Email" only.
Authentic one asks for "Email address" whereas the fake asks for "Email"
It says "Email" and not "Email address."
The security lock on the real page is locked and has https in the URL, as compared to the fake one that is unlocked and has just http in the URL.
Forgot (Fake) vs Forgotten (Genuine) your password?
Another point is it is not https on the web address.
On the real facebook page it says "forgotten your password?" and on the fake website it says "forgot your password?"
The fake one just has email for log in while the real one has email address.
More differences:
6. The real facebook log in page URL starts with https:// indicating is has a security certificate.
(security certificates should always be checked also to see who the certificate was issued to)
7. the real facebook page has the extra option of "set facebook as my homepage" just above the log in button.
8. the real facebook page has "Forgotten your password?" under the log in button, the fake page says "Forgot your password?"
9. the real facebook page uses a slightly different, more elegant and narrow, font for the "Facebook" title
All but number 7 and 9 were mentioned in the article, we were only asked to point out OTHER differences, not repeat what had been said.
Email: vs Email Address:
on the genuine page it says email address, and on the fake page says only email.
It says "Forgot your password?" rather than "Forgotten your password?"
The security lock icon is a different colour and open rather than closed on the phishing site.
That's actually my browser rather than the phishing site – but thanks for playing the game! 🙂
A very important one: The security certificate displays on the real one (the blue bar before the address that says "facebook.com"). The phishing one does not, obviously.
This is like playing a tech version of "I Spy".
on the fake page it says "forgot your password?" and on the real one it is "Forgotten your password?"
Forgot your password? on scam..
Forgotten your password? on genuine..
Also Log in and Login apply for the button not just the title..
The REAL FB page asked for your email address, not just your email!
Also, the difference between "forgotten" and "forgot"
Email vs. Email address
look at the padlock in the top right hand corner, different colours…
That's actually a browser add-on that I had installed. Not relevant to the actual phishing attack.
Real facebook log in is https not http
Real Log in had facebook.com highlighted in blue not just the f
Field label on email is different ("Email address" on facebook page and just "Email" on fake page).
fyi, “Log in” is the verb form, “Login” is the noun form. so you “Log in to Facebook with your Facebook login.”. fwiw.
I also believe when you actually have a fake page loaded up that not all the usual bits are able to be clicked on compared to a genuine page. I have noticed this on the fake login page before.
Don't worry. LARGE class action lawsuit in development against Facebook right now.
I was wondering if this was the way facebook looked in 2010? I tried to find the previous page, but couldn't. Maybe they're just a bit behind the times…
My only issue with this is the fact that it implies that there are no legitimate websites that use the .co.cc web domain. Sure, while many of them, at least posted to facebook, are not good, it's also a pretty popular choice of domain for people using free forum hosts like myself that allow domain changes, because it is a free domain. Which is a good option for those of us who love our websites and want a shorter URL, but can't realistically afford to pay for a domain.
Of course cosmetic differences don’t hurt you. The important thing is to hover your mouse over the Login button and look in the status bar to see where it points. If it’s not a facebook url then you’re sending your information to someone else…
I think that it is misleading to make people believe that the differences are in the text, the layout or the links of the page. A better phishing page could look exactly like the Facebook one.
IMHO, the only thing that people need to learn is how to read the URL and make sure that the certificate for the HTTPS connection has been created by Facebook. Modern browsers can clearly show this now.
Oh, this is a good lesson for the “phishermen” – they will correct the mistakes!
Can they?
I was about to say exactly the same thing! The phishers will study this and resolve to do better next time!
The question I have in all of this is why would I have to log BACK in to Facebook to see a video in the first place?
Why are people repeatedly pointing out what has been written in the article? More proof perhaps that people don’t read?
I’ve only seen one difference that was covered in the actual article (I read the whole thing) and that was the ‘set facebook as your homepage’ link, which has already been poined out by others.
Set facebook as home page missing on phishing site
I'll list the differences I found. It's a decent attempt but definitely not one of the better phishing examples I've seen. Here is my list:
Obvious style differences all over the document.
Header is different shade, all borders are different shade.
Sign On button is a different shade and different font.
Font sizes are slightly different which results in a different document flow.
Set Facebook as My homepage option missing from counterfeit.
Background color of div with Sign On button is different shade.
Message after Sign On button that starts "Facebook helps you connect…" has different font color.
Also wanted to point out that the https is an option and not on by default (last I checked) so that's not really a good indication. Most people who are savy enough to turn it on are savy enough not to click on a dodgy link – at least in my experience.
So we’re now giving fishermen the tip of always copying the very latest target page source literally? Hmmm.
Surely the URL and the padlock are the key points to look for?
But if people want to give away their DNS resolution to asome proxy in the hope of watching free movies or football on the net, then they are beyond help. Don’t point your DNS setting at some server you don’t absolutely trust. Really.
I wouldn't be surprised that if you looked at a facebook login page from 2010 they would match … they just haven't updated their phishing scam page lately.
the problem are not co.cc or cz.cc, who are both 100% legit, the problem is with the people who abuse those domains to spread malware or scam. Just because a bit.ly link points to a virus, you would not block all bit.ly links would you?
co.cc and cz.cc are free third level domain providers. They are easily abused because they are free, but they do serve millions of people who can create websites on free domains.
Top Right corner no Lock… Padlock… also the actual log in button itself…
There are many circulating spam message like this on Facebook and it's very annoying. Good thing FB act what they need to do to stop this spam that leads to a phishing site.
The easiest way to avoid your account getting hijacked is to always check the url before logging in. That's the most important.
There is also "set facebook as my homepage" on the real site.
The fact that there is any difference at all is complete amateurishness. If I set up a phishing page it would be EXACTLY the same. There would be no way to tell at all except maybe the url, even that can be spoofed.