virus protection

FBStarter Facebook Phishing Scam

Monday, May 18, 2009

Threat Type: Phishing Alert

Websense® Security Labs™ has been receiving new Facebook phishing scam messages in our HoneyJax™ systems, the part of our ThreatSeeker™ Network used to monitor social networking attacks. The phishing lure, referred to as “fbstarter”, arrives as a message in a user’s Facebook inbox. For users who have configured forwarding in their Facebook settings, the message also appears in their email inbox.



If users click the link, they are redirected to a Facebook phishing page that spoofs Facebook's sign-in page. By entering their user name and password, they give attackers the information necessary to log into their account and spam their friends.

Lesson learned: Always be suspicious of messages that contain links. This pertains not only to emails, but to any messages that you receive on the Internet. Treat these messages with caution, even if they come from friends’ addresses. Social networking has opened the gates for attackers to take advantage of the transitive trust that exists in social networking platforms like Facebook.

To the credit of the Facebook security team, they have been quick to issue a statement and block further messages that attempt to spread any known offending URL. Attempting to send a message in Facebook that contains the known URLs results in the following error message.

Figure 2: Facebook now blocks any attempt to send the offending URL

As Facebook attempts to block the URLs used in this scam, attackers have been creating new domains that are not blocked by Facebook. It is uncertain whether the cat-and-mouse game will continue, but Websense Security Labs is monitoring the situation.

Websense® Messaging and Websense Web Security customers are protected against this attack.
posted by Mandy, 8:20 PM

Swine Flu Topic used in SEO to spread Malware


Threat Type: Malicious Web Site / Malicious Code

As swine flu spreads throughout the world, Websense Security Labs™ ThreatSeeker™ Network has noticed that thousands of Web sites relating to swine flu have been registered. The results of our monitoring indicate that most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware.

We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found redirect users to a malicious Web site only when they arrive through certain search engines. The targeted search engines are the most popular ones, such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google.

The malicious Web site that users are redirected to is typical: it asks the user to install a missing codec to watch a video, and the downloaded codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future.
posted by Mandy, 8:10 PM
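The search-engine-only redirect described in the swine flu post can be detected in web proxy logs by comparing how a host answers requests with and without a search-engine Referer. The following is an added example, not code from Websense or the original post; the log record layout, the `.example` hosts and the search-engine domain suffixes are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Search engines named in the post; the domain suffixes are an assumption.
SEARCH_ENGINES = ("google.com", "yahoo.com", "aol.com")

# Constructed proxy log records: (requested URL, Referer, status, Location).
SAMPLE_LOG = [
    ("http://flu-news.example/", "http://www.google.com/search?q=swine+flu", 302, "http://codec-video.example/watch"),
    ("http://flu-news.example/", "", 200, ""),
    ("http://flu-news.example/", "http://search.yahoo.com/search?p=swine+flu", 302, "http://codec-video.example/watch"),
    ("http://health-blog.example/", "http://www.google.com/search?q=swine+flu", 200, ""),
    ("http://health-blog.example/", "", 200, ""),
    ("http://short.example/a", "http://www.google.com/search?q=flu", 301, "http://other.example/"),
    ("http://short.example/a", "", 301, "http://other.example/"),
    ("http://moved.example/", "http://www.aol.com/search?q=flu", 302, "/index.html"),
]

def host_of(url):
    """Lower-cased hostname of a URL, or '' for empty or relative values."""
    return (urlsplit(url).hostname or "").lower()

def from_search_engine(referer):
    """True when the Referer host is a listed engine or one of its subdomains."""
    host = host_of(referer)
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINES)

def offsite_redirect(url, status, location):
    """True for a 3xx response whose Location names a different host."""
    target = host_of(location)  # '' for a relative Location, i.e. same site
    return 300 <= status < 400 and target != "" and target != host_of(url)

def referrer_cloaked_hosts(records):
    """Hosts that always redirect off-site for search-engine visitors
    and never do so for visitors arriving any other way."""
    seen = defaultdict(lambda: {"search": set(), "other": set()})
    for url, referer, status, location in records:
        bucket = "search" if from_search_engine(referer) else "other"
        seen[host_of(url)][bucket].add(offsite_redirect(url, status, location))
    # Require both kinds of observation so ordinary redirectors are not flagged.
    return sorted(h for h, o in seen.items()
                  if o["search"] == {True} and o["other"] == {False})

if __name__ == "__main__":
    print(referrer_cloaked_hosts(SAMPLE_LOG))
```

A host is flagged only when both kinds of visit have been observed, so a site that redirects every visitor, or one seen only through search results, is left for manual review.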