Facebook Applications Used For Phishing

It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone
Earlier this week, however, Trend Micro researcher Rik Ferguson found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s legitimate Facebook profile.

After entering the credentials, users would then be redirected to Facebook itself.

While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.

Rogue Applications have been identified as a part of this scam:

A rogue Facebook application appears to be sending notifications that lead users to a credential harvesting site.

Prospective marks receive a Facebook notification that a user has commented on one of their posts, as above. The notifications appear to come from an application called “sex sex sex and more sex!!!” which despite sounding shady and looking a bit of a mess still boasts over 287000 fans.

The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain (note that the user name itself does not link back to a profile). The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.

Always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.

The attack site is registered to an Arsen Tumanyan who allegedly resides in Armenia, the domain is registered through GoDaddy and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2) cloud.

Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today, they are called “Friends“, “Friends Gifts“, “Matching, “Poki” & “Your Photos” (same bat-name, different bat-app) bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons,  have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters advertising returns.