FBStarter Facebook Phishing Scam
Monday, May 18, 2009
Threat Type: Phishing Alert
Websense® Security Labs™ has been receiving new Facebook phishing scam messages in our HoneyJax™ systems, the part of our ThreatSeeker™ Network used to monitor social networking attacks. The phishing lure, referred to as “fbstarter”, arrives as a message in a user’s Facebook inbox. For users who have configured forwarding in their Facebook settings, the message also appears in their email inbox.

If users click the link, they are taken to a phishing page that spoofs Facebook's sign-in page. Entering a user name and password there hands the attackers everything they need to log in to the account and spam the victim's friends, typically with the same lure, which is how the scam spreads.
Lesson learned: Always be suspicious of messages that contain links. This pertains not only to emails, but to any messages that you receive on the Internet. Treat these messages with caution, even if they come from friends’ addresses. Social networking has opened the gates for attackers to take advantage of the transitive trust that exists in social networking platforms like Facebook.
To the credit of the Facebook security team, they have been quick to issue a statement and block further messages that attempt to spread any known offending URL. Attempting to send a message in Facebook that contains the known URLs results in the following error message.

Figure 2: Facebook now blocks any attempt to send the offending URL
As Facebook blocks the URLs used in this scam, the attackers register new domains that are not yet blocked. How long this cat-and-mouse game continues is uncertain; Websense Security Labs is monitoring the situation.
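The two points above (the lure leads to a spoofed sign-in page, and a blocklist of known URLs is always one domain behind the attacker) can be shown side by side in a small triage script. This is an added example, not code from the Websense advisory or from Facebook, and every hostname in it is constructed under the reserved `.example` TLD rather than taken from the real campaign. It assumes that `facebook.com` is the only legitimate sign-in destination and that a sign-in link landing anywhere else is suspect, regardless of which throwaway domain it uses:

```python
"""Added example, not code from the Websense advisory or from Facebook.

Compares a reactive URL blocklist (block "known offending URLs") with a
destination check (does the link really land on the legitimate site?).

Assumptions (mine, not the page's): facebook.com is the only legitimate
sign-in domain; all other hostnames are constructed .example samples and
are not the domains used in the 2009 "fbstarter" campaign.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"facebook.com"}

# The operator's list of "known offending URLs": one entry behind the attacker.
KNOWN_BAD_DOMAINS = {"fbstarter.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a hostname.

    Simplification: ignores multi-label public suffixes such as co.uk;
    use a public-suffix library for production checks.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_host(url: str) -> str:
    """Hostname as the browser resolves it: userinfo ('user@') and port are
    stripped, so 'http://www.facebook.com@evil.example' -> 'evil.example'."""
    return (urlparse(url).hostname or "").lower()


def blocklist_verdict(url: str) -> str:
    """Reactive check: block only domains already on the list."""
    if registrable_domain(link_host(url)) in KNOWN_BAD_DOMAINS:
        return "block"
    return "allow"


def destination_verdict(url: str) -> str:
    """Destination check: allow only links that land on the real site."""
    host = link_host(url)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "allow"
    # Brand name somewhere in the URL, but the host is not the real site:
    # the classic subdomain / userinfo lookalike.
    if "facebook" in url.lower():
        return "phish-lookalike"
    return "external"


def triage(message: str) -> list:
    """(url, blocklist verdict, destination verdict) for each link found."""
    return [(u, blocklist_verdict(u), destination_verdict(u))
            for u in URL_RE.findall(message)]


# Constructed sample inbox messages (not real campaign text).
SAMPLE_MESSAGES = [
    "hey check this out http://www.fbstarter.example/login",    # on the blocklist
    "lol look http://fbstarter2.example/login",                  # attacker's next domain
    "sign in here http://www.facebook.com.login.example/",      # brand as subdomain
    "see this http://www.facebook.com@login.example/inbox",     # brand as userinfo
    "real one http://www.facebook.com/inbox/",                   # legitimate
]


def triage_all() -> list:
    return [verdict for m in SAMPLE_MESSAGES for verdict in triage(m)]


if __name__ == "__main__":
    for url, blocklist, destination in triage_all():
        print(f"{blocklist:5}  {destination:15}  {url}")
```

Run stand-alone it prints one line per link. The blocklist catches only the first message; the attacker's second domain sails through, exactly the gap the advisory describes. The destination check flags everything that is not the real site and separately calls out the two lookalike tricks, which is the check a user (or a mail gateway) should be applying: not "is this URL known bad" but "is this really where I sign in".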
Websense® Messaging and Websense Web Security customers are protected against this attack.
