Phishers Strike Facebook in Latest Assault

By Alex Goldman
Another day, another Facebook phishing scam -- and another reminder of online criminals' persistence in targeting the social networking giant.

The most recent scam is known as "areps.at," after the domain to which it initially directed users to trick them into disclosing their Facebook login information.

The areps.at domain has since been blocked, though the attack has moved on to directing users to the bests.at domain, AppRiver senior security analyst Fred Touchette said in an e-mail to InternetNews.com.

"At the time the AppRiver Security Team checked these domains, the areps.at site was down. However, the bests.at site was running and directed visitors to a fake Facebook login page," Touchette said.

The consequences of falling prey to areps.at are immediate. "Once visitors entered credentials on that page, the credentials were collected by scammers as the unsuspecting visitors were then redirected to the official Facebook page," Touchette said.

The risk can often be to more than just a user's Facebook profile. Since many users frequently re-use the same passwords across a variety of sites, a successful Facebook phishing scammer could potentially gain illegal access to their accounts on other sites. For example, anyone who succumbs to the phishing attack and who also has the same user name and password combination for their Web-based e-mail will likely lose that account to the malware writers, experts have warned.

That paves the way for still more attacks: Phishers can then use victims' hijacked e-mail accounts to compromise other Web sites and to spread more messages containing malicious links.

It's the latest phishing attack to hit the social networking site, which is a frequent target of malware authors and scammers looking to capitalize on the site's popularity. And the frequency of the attacks on Facebook isn't lost on security researchers.

"Facebook users beware," Touchette said. "Again."

Staying safe

Facebook said the latest problem has proven relatively small.

"The impact of this attack or the previous ones are not widespread and only impacted a tiny fraction of a percent of users," Facebook spokesman Barry Schnitt said in an e-mail to InternetNews.com.

Additionally, the current spate of attacks appears limited to phishing activities, rather than distributing malware.

"Other than the phishing itself, no other malicious activities have occurred from this attack, yet. It appears scammers are still in the e-mail collection phase," Touchette said.

Still, that's likely to be cold comfort to users whose information has been handed over to the scammers.

Fortunately, Touchette said careful users can avoid being caught.

"Many of these phishing attacks are harder to spot," he said. This one, however, is quite simple to avoid. First, vigilant e-mail users should never follow links contained within unsolicited e-mails. Second, it is important to take notice of the address bar. Here, the fake login page domain name was bests.at."

"Obviously, there is no mention of Facebook within this address, and therefore provides a clue as to its malicious intent," Touchette said.

Facebook is contacting those affected, asking them to simply reset their password and advising them immediately run antivirus software.

The site is also urging users to never click on suspicious links. In the e-mail to affected users, Facebook does not warn them to check their accounts on other Web sites that could now be compromised by the scammers, but does mention the issue on its site and blog.

Schnitt also advised those affected to use a browser with a blacklist that blocks dangerous sites, to use unique logins and passwords for every Web site, and to be sure that the site they're logging on to is Facebook. He also urged users to check all sites -- not just Facebook -- if a user's information is compromised, and to check the Facebook Security page regularly. The company posted some screen shots of the attack to its blog.

"We believe the bad guys here are phishing an account and then trying those credentials on webmail providers. So, for example, if a user is compromised on Facebook and has the same login and password for their Gmail, the attacker may be able to intercept the Facebook password reset and compromise the account again in the future. This is one of the reasons why people need unique passwords for their online accounts," he said.

Facebook's Schnitt also said the site is taking steps to combat the problem from its end.

"We've been updating our monitoring systems with information gleaned from the previous attacks, so that each new attack is detected more quickly," he told InternetNews.com. "Our technical efforts and user education initiatives are significantly reducing the impact of each subsequent attack."

Still, at least one expert called on Facebook to take more direct precautions to avoid such attacks in the future.

"Finding a cost-effective mechanism for remediating phished accounts is now a priority for Facebook and other social network sites," Adam O'Donnell, director of emerging technologies at Cloudmark, said in an e-mail to InternetNews.com. "They need to figure out how to reset these people's passwords and contact them without priming their user population for an e-mail based phishing attack."

Other industry observers agree that Facebook and other social networking and user-generated content sites are in the crosshairs for online criminals -- making them potentially dangerous for businesses whose employees visit such sites.

"Sites allowing user-generated content comprise the majority of the top 50 most active distributors of malicious content on the Web," security firm Websense warned in a recent report.

Websense also said that it's difficult for IT managers to fight the problem, in part because end users might resist blocking social sites. It also said that a survey of IT managers found that 51 percent had reported users trying to circumvent enterprise security to access blocked Web sites.

Comments