Last week I wrote about a phishing and malware scam that has plagued Facebook for weeks. It wasn’t quite a virus, because it affected Mac users–but it wasn’t entirely Web-based either, because some of the links it hawked were malware download sites. All in all, a pretty standard phishing scheme, with some clever scripting that allowed it to propagate itself inside Facebook. But how did it get in there to begin with?
A worm would have been too complicated to code, said our security experts, and would have been much more effective at penetrating the network; the scam we’ve been seeing the last couple of weeks has only achieved mediocre virality. And it wouldn’t make much sense for the hackers to create legitimate Facebook accounts and start there, because then their dispersal of the phishing messages could be tracked.
The answer dropped right into
FastCompany.com’s tipline this afternoon: a bogus email from a domain called Facebookmail.com, a known spam domain, that invites users to sign in to Facebook on a bogus doppelganger site. Once a user does this, the spammer gains their login credentials, and can use their account to blast out messages with their malware and phishing links. Check out the spammer’s artwork below.
After my first post ran, security expert Chris Wysopal, who I quoted in my story, contacted me to point out this piece of irony: right above my post was the FastCompany.com login, which accepts Facebook credentials. “If users get used to the look and feel of getting to a Facebook login by clicking on a link instead of using a bookmark, it teaches people that this is safe,” he wrote me. Color us guilty. Facebook advises to always check the URL in your browser to make sure it originates from http://facebook.com, and not a one-off domain.
Related Story: 10 Questions About the Facebook Hack Attacks