For the last two weeks, a phishing and malware scam propagated virally through Facebook, taking control of member accounts and blasting their friends with bogus messages. Today, a new wave of attacks hit, getting broader traction than ever, despite Facebook's best efforts to combat the scheme.
When I first wrote about the scam a week ago, Facebook said it was taking the necessary actions to rehabilitate zombie accounts and stop any messages containing links to phishing sites or malware downloads. Since then, another rash of attacks occurred in the form of spam email that appears to be sent from Facebook.
Good enough to fool Gmail's spam filter, these bogus emails (one example seen above) are the hackers' entry point into the Facebook network. The messages ask users to click a link inside the message and login to Facebook. Users are then taken to a bogus Facebook page, where entering their credentials surrenders them automatically to hackers. Once the hackers take hold of an account, they turn them into springboards for message blasts to a selection of that user's Facebook friends. The messages contain links to malware download sites and other phishing sites that ask users for personal and financial information.
Facebook combats the proliferation of these zombie accounts in two ways: first, they identify the accounts that are sending the bogus links out, and second, they remove any message from their server that contains one of those links. Those actions are automated; Facebook can search its servers for known phishing or malware links, and respond automatically. In theory, this should stop the scam in its tracks. So why hasn't it? (Below, a bogus Facebook message.)
One answer, simply, is that Facebook users are being easily fooled. Facebook has reminded users to only enter their credentials into a site that originates from facebook.com, not another "one-off" URL. A common origin of some of the spam emails floating around is facebookmail.com, which is a one-off address not affiliated with Facebook.
But the spam emails that are hitting users aren't very well composed; they pose as message alerts from friends you don't have, or ask you to recommend new friends to users you don't know. Once a zombie account begins its malicious work, those messages aren't very good, either. Sure, they come from people you know--but the message itself is often written in garbled English, or contains a generic exclamation that, well, just doesn't sound like anyone you know. It's hard to fathom that users are being duped at a rate sufficient to keep this thing alive, considering how aggressively Facebook said it's attacking the problem.
It's also known that the hackers aren't getting the best mileage out of each zombie account they pwn. Whatever script they wrote to automate message-sending within Facebook only sends messages to 15 or 20 friends at a time, out of hundreds or thousands. Presumably they've done this to assure that Facebook can't identify a pwned account simply by its message volume, but they've also hampered the efficiency of the spread. In short, this scam is equipped like the common cold, but it's spreading like Ebola.
The only answer to its remarkable propagation: the scammers are coming up with hundreds or thousands of bogus links--perhaps automating the link-generation--so that each time Facebook eradicates a known bogus link from its servers, a new one is right behind it. But it's hard to fathom that anyone who'd run a scheme this amateurish--pro hackers would have crafted a worm that dug directly into Facebook's network--would be able to keep ahead of Facebook's security team.
Have you been hit by phishing or malware links, either in a Facebook message or an email? More than one? When did you get it?