Simplistic Facebook phishing attack seeks userIDs and passwords only
Posted on May 21, 2009
There’s power in simplicity. That’s the upshot of the phishing attack now bombarding Facebook users. Many of them are receiving messages titled, simply, “Hello.” The body of the message is a single brief imperative sentence: “Check areps.at” or “Check bests.at.” Several USA Today staffers have received these bogus messages.
Clicking on the “areps.at” or “bests.at” hyperlink takes you to a realistic-looking, but counterfeit, Facebook login page that prompts you for your userID and password. You don’t have to be particularly gullible to fall for this. You can simply be in a hurry: multitasking on the ragged edge, networking in multiple places, as part of a job where you’re being asked to do more with less.
If you click to the fake page and then type in your userID and password, the attackers will instantly change your password, and you’ll be locked out of your account, says Fred Touchette, senior analyst at AppRiver. The bad guys will then use your account to replicate the attack to everyone on your friends list.

Screenshot of fake login page
Since Facebook requires anyone who sends a message containing a hyperlink to first solve a captcha puzzle, these bad guys appear to be sophisticated and well-funded enough to retain third-party captcha breakers, whose services are necessary to keep an attack like this in motion. I wrote about the highly organized and remarkably efficient world of captcha breakers in this USA Today front page story.
So while the public facing side of this Facebook phishing attack is, indeed, minimalist, the back end makes use of leading-edge techniques, including a botnet to automate the spreading of these messages, as well as to coordinate captcha breaking in real time.
According to Symantec, this wave of Facebook phishing attacks began around May 1. Symantec agrees with AppRiver that, so far, the attackers are focusing on grabbing your friends lists and spreading, and not doing much else.
Attacks remain cheap, easy, highly-lucrative
This underscores two points: it remains cheap and easy for crooks to use botnets to automate phishing attacks; and there’s lucrative profit in getting even a small percentage of Facebook members to fall for the ruse.
“I’m willing to bet these people are jumping on the bandwagon and trying to take advantage of all the Facebook activity,” says Touchette. “It’s very curious that they lock out the user, which throws up a red flag. They certainly don’t have to do that.”
These particular bad guys do not appear to be interested in taking control of your PC and turning it into a data-stealing, spam-spreading bot. They appear to be focusing solely on harvesting Facebook usernames and passwords for their intrinsic blackmarket value.
Why so? Facebook usernames and passwords are highly marketable because many consumers reuse the same username and password across multiple accounts, including online shopping and banking. Data thieves can sell harvested Facebook userIDs and passwords in the cyber underground to specialists who try them against your online financial accounts.
Best password practices
The lesson: it’s a very good idea, especially if you do online financial transactions, to create a unique, complex password for each site you patronize, so that a password phished from one site cannot be used to log into any other.
Symantec suggests you get obsessed about these best practices:
- Use a combination of uppercase and lowercase letters, symbols, and numbers.
- Make sure your passwords are at least eight characters long.
- The more characters your passwords contain, the more difficult they are to guess.
- Try to make your passwords as meaningless and random as possible.
- Change your passwords regularly.
- Never write your passwords down.
- Never give them out to anyone.
- Don’t use names or numbers associated with you.
- Don’t use your user name or login name in any form.
- Don’t use a derivative of your name or the name of a family member or pet.
- Avoid using a solitary word in any language.
- Avoid using easily-obtained personal information, such as license plate numbers, telephone numbers, social security numbers, your automobile’s make or model, your street address, etc.
- Never answer yes when prompted to save your password to a particular computer.
- Be suspicious of requests to enter your account name and password.
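The rules above that concern the password string itself (length, character mix, no solitary dictionary word, nothing derived from the username or from personal details) can be checked mechanically, and the per-site uniqueness advice is easiest to follow by generating passwords randomly rather than inventing them. The Python below is an added example, not code from the original post, Symantec or AppRiver; the tiny word list, the sample username “ftouchette” and the personal details fed to it are constructed for illustration.

```python
import re
import secrets
import string

MIN_LENGTH = 8                      # "at least eight characters long"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed stand-in for a real word list (load /usr/share/dict/words or a
# cracking wordlist in practice). Used for the "solitary word" rule.
DICTIONARY = {"password", "facebook", "welcome", "letmein", "monkey", "dragon"}


def _normalize(text):
    """Lower-case and keep only letters/digits so 'Fred!' and 'fred' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, username="", personal_info=()):
    """Return a list of violated rules; an empty list means every check passed.

    personal_info is an iterable of strings the user must not build a password
    from (names, phone number, plate, street address, pet's name, ...).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")

    # "Avoid using a solitary word": 'Password1!' is still just 'password'.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in DICTIONARY:
        problems.append("built around a single dictionary word")

    norm = _normalize(password)
    # "Don't use your user name or login name in any form" (reversed counts too).
    # Fragments shorter than three characters are ignored to avoid false alarms.
    user = _normalize(username)
    if len(user) >= 3 and (user in norm or user[::-1] in norm):
        problems.append("contains the username")

    # "Don't use names or numbers associated with you."
    for item in personal_info:
        piece = _normalize(item)
        if len(piece) >= 3 and (piece in norm or piece[::-1] in norm):
            problems.append("contains personal info: %s" % item)
    return problems


def generate_password(length=16):
    """Generate a random password from the CSPRNG in `secrets` that satisfies
    check_password() on its own; the caller re-checks it against their own
    username and personal details."""
    length = max(length, MIN_LENGTH)        # never loop forever on a short request
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample user: the username and personal details are made up.
    user = "ftouchette"
    info = ("Fred", "Touchette", "555-0123")
    for pw in ("facebook", "Password1!", "Fred5550123!", "xK7#pQ2m$vL9"):
        print("%-14s -> %s" % (pw, check_password(pw, user, info) or "OK"))
    fresh = generate_password(20)
    print("generated       -> %s" % (check_password(fresh, user, info) or "OK"))
```

check_password can only enforce the rules about the string itself; the behavioural items on the list (don’t write it down, don’t share it, change it regularly) and the requirement that the password not already be in use on another site are outside its reach, which is what a password manager is for. One caveat for readers applying this today: composition rules of this kind are now regarded as less valuable than sheer length and screening against lists of breached passwords (NIST SP 800-63B); the list above is the 2009 advice the post relays.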
It’s safe to assume that Facebook is hustling to disable the bad links as they crop up. But AppRiver tells LastWatchdog that the bad guys, in an effort to stay one step ahead of spam filters, have begun directing message recipients to fake login pages at these links: brunga.at, kirgo.at, nutpic.at, and fcoder.at.
by Byron Acohido
Photo of Fred Touchette courtesy of AppRiver