Since I’ve already gotten two of the spam Facebook messages today, I figure other people probably are, too. What sets this phishing attack from others? For one, no obvious misspellings:
John Doe sent you a message. Subject: Hello "Check 121.im" To reply to this message, follow the link below: http://www.facebook.com/n/?inbox/readmessage.php&t=1146328106860&mid=764a5aG638f2G2a6619cG0 ___ This message was intended for email@example.com. Want to control which emails you receive from Facebook? Go to: http://www.facebook.com/editaccount.php?notifications&md=bXNnO2Zyb209MjQwMjc0MDt0PTExNDYzMjgxMDY4NjA7dG89NDA3Nzk0 Facebook's offices are located at 156 University Ave., Palo Alto, CA 94301.
Pretty much identical to a regular Facebook message:
John Doe sent you a message. -------------------- (no subject) Great to see you the other day. The artist that I was trying to think of was Thomas Barbey: http://www.facebook.com/l/;https://www.artifactsgallery.com/art.asp?!=A&name=Thomas%2520Barbey%2520Photography&ID=787#LINKS - John -------------------- John has shared a link with you. To view it or to reply to the message, follow this link: http://www.facebook.com/n/?inbox/readmessage.php&t=1099969910945&mid=742ccdG638f2G2a40a06G0 ___ This message was intended for firstname.lastname@example.org. Want to control which emails you receive from Facebook? Go to: http://www.facebook.com/editaccount.php?notifications&md=bXNnO2Zyb209NDAyMzEwO3Q9MTA5OTk2OTkxMDk0NTt0bz00MDc3OTQ= Facebook's offices are located at 156 University Ave., Palo Alto, CA 94301.
If you click through the link, even the log in pages are pretty identical (click image to enlarge), mostly differing in that the real one offers “English” as an option below, prompts that you must log in to continue, and has a (very slightly) wider “Sign Up” button. Tricky, particularly since Facebook doesn’t automatically use SSL encryption (manually go to the more secure version at https://www.facebook.com, and many browsers will display a green indicator in the address bar to let you know you’re at the legit location).
Still, it’s a good reminder that avoiding phishing traps is easy: Always, always, always look at the address bar when you enter your password and username for any website, whether it’s a bank, social networking site, or e-mail. Even if only a trivial account is compromised, many users use the same passwords across all their logins, meaning big trouble even if it’s the most clueless script kiddie who gets your data.
Update: Facebook has acknowledged the virus, and is taking steps to thwart its effects, the L.A. Times reports.
“This is a phishing attack. We’re well aware of it and are already blocking links to these new phishing sites from being shared on Facebook,” Facebook e-mailed the LA Times. “We’re also cleaning up phony messages and Wall posts and resetting the passwords of affected users. We think this is related to the fbaction.net/fbstarter.com campaign of a couple weeks ago. “
Facebook has also put a better anti-phishing blog post than mine on preventing attacks, though it would be nice (if expensive to them) to make SSL the default connection.
Update 2: Removed some Real Life (TM) first names I'd accidentally left in, to protect the innocent and guilty. Further Reading:
- What to do if you get hit by the Facebook brunga.at virus attack
- Facebook virus attacks continues: Check kirgo.at, nutpic.at, and brunga.at continue to lure unwary
- Facebook says "Check 121.im"; Common sense says don't
- Facebook's blog post on how to Protect Yourself Against Phishing
- Find your Facebook message history