17 June 2008

Facebook Phishing

I got an email from Facebook that looked like a legit notification that one of my buddies has written on my wall. Except it was written in broken English:

"hello , howdy?? lisen i got a new friend here..shex kinda new here..maybe you can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =)"
It was followed by the following link:
http://www.facebook.com.profile.id.aymacc.2810ly6l.dortos.net/facebook/index.php?id=5aaz6677&auth=j5xp2&cyua=hwy9e1l821
It looks pretty legit at first glance, but if you take a close look you will notice that the domain is actually for dortos.net.
Whois information from whois.net
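
The check described above, reading the hostname from the right to find the domain that was actually registered, can be automated. This is an added example, not part of the original post; the protected-domain list, the short suffix set (a stand-in for the full Public Suffix List), the function names and example.co.uk are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains whose name a phisher might borrow (constructed list for this example).
PROTECTED = {"facebook.com"}
# Assumption: this short set stands in for the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.za"}


def registrable_domain(host):
    """Return the part of a hostname that was actually registered."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host  # IP literals have no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url):
    """Return (registrable domain, verdict) for a link found in a message."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return reg, "trusted"
    # Labels to the left of the registered domain are chosen freely by its
    # owner, so a protected name appearing there is only decoration.
    prefix = "." + host[: len(host) - len(reg)]
    for brand in PROTECTED:
        if "." + brand + "." in prefix:
            return reg, "lookalike of " + brand
    return reg, "unrelated"


# The link quoted in the post.
POST_LINK = ("http://www.facebook.com.profile.id.aymacc.2810ly6l.dortos.net"
             "/facebook/index.php?id=5aaz6677&auth=j5xp2&cyua=hwy9e1l821")

if __name__ == "__main__":
    for link in (POST_LINK, "http://www.facebook.com/profile.php"):
        print(link.split("/")[2], "->", check_link(link))
```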

Now the thing that I found weird was that when I logged into my profile on Facebook I still got a notification about the wall post, but there was no post on my wall.

I cautiously opened the link to the fake profile and Firefox 3 Beta blocked it. (See screenshot)

I then decided to open the page up in IE8 and guess what. It looks identical to the Facebook login screen. Except that it ain't. (screenshot below)


This is a typical phishing attempt. I imagine that my buddy who sent the original wall post received the same thing and his account was compromised. My personal information was then obtained through his profile and a wall post was placed on my wall.

I am not sure exactly what is going on, but I reckon there will be some information once the security researchers around the world get a similar "phantom wall post".

I guess this is another reason to upgrade to Firefox 3 :P
