coxy's blog (Matt Cox)

Facebook Phishing Scam


So today I've spent about an hour in total going through people's various Facebook accounts. Why? Because people are stupid.

Facebook Scam / Phishing Login

Someone set this fake Facebook page up and sent it around the internet. It looks like a Facebook login page, but if you check the address bar you'll notice the site is actually hosted at photos-c-ak.com and not facebook.com. Obviously some people aren't clever enough to realise this and attempt to log in.

Logging in doesn't actually log you in; it just takes what info you've put in the form (i.e., your email address and password) and saves it to a text file. You are then taken to the real Facebook login page to sign in, if you're not already, and then on to the photo / video / page you're meant to be looking at. The victim is none the wiser to what's happened.

Facebook User Passwords List

You can view the big long list of people's names and passwords by reading the text file. This is just one of a few text files used to store this information, so more people have been fooled by this than what you see there. And, because the scam has been posted on various internet forums, there are also lots of fake login details.

Minor details aside, the major issue is that you can have the most secure password in the world; human error (i.e., not recognising a fake site when you see one) will prevail. Whilst this is the case, there are a few steps you can take to protect yourself against any phishing attempts you may encounter:

  1. Check the address bar
    When signing in on a website, check the address bar to make sure it's a real website. Make sure the Facebook Login page says http://www.facebook.com/login.php, or http://mmu.facebook.com/login.php - the important part is that the .com comes after 'facebook'. If the address reads http://www.facebook.hs.com or http://facebook.photos-c-ak.com - for example - that's fake. Do not proceed.

  2. Use a good web browser
    Whilst a web browser can't offer 100% protection, you should make sure you're using a browser with built-in Fraud Protection. Opera Web Browser is fast, free, safe, secure and has fraud protection. If you come to a fake website that's ready to steal your login details - you're more likely to be alerted to this. View a demo of how this works - then download Opera.

  3. Use multiple passwords
    Make sure your email account's password is different from the password of every other internet account you have. If someone found out your Facebook password, they could change it, and using your email address is the only way of retrieving your account from the intruders.

    If your email account password is the same as any of your other website passwords - go change it now - an intruder could log into your email and change your password. This would essentially lock you out of ALL your accounts on the internet because email is used as a method of reclaiming your account / resetting your password.

Fraud Protection in Opera
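The address-bar check in step 1 comes down to one rule: the registrable domain must be facebook.com, so 'facebook' appearing somewhere in the host proves nothing. The following is an added example (not code from the original post) that contrasts that naive substring check with the correct one, using the addresses the post itself names as constructed samples.

```python
"""Added example: is a login URL really on facebook.com?

The trap is a substring test: 'facebook' also appears in www.facebook.hs.com
and facebook.photos-c-ak.com. What matters is the registrable domain, so the
host must be facebook.com itself or end in '.facebook.com'.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL ('' if it has none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def naive_looks_legit(url: str) -> bool:
    """The mistake: treat 'facebook' anywhere in the host as proof."""
    return "facebook" in host_of(url)


def is_legit_login_host(url: str, domain: str = LEGIT_DOMAIN) -> bool:
    """Correct check: the host is exactly the domain or a subdomain of it."""
    host = host_of(url)
    return host == domain or host.endswith("." + domain)


# Constructed samples: the addresses named in the post, with the right verdict.
SAMPLES = {
    "http://www.facebook.com/login.php": True,
    "http://mmu.facebook.com/login.php": True,
    "http://www.facebook.hs.com": False,
    "http://facebook.photos-c-ak.com": False,
    "http://photos-c-ak.com/login.php": False,
}


def audit(samples=SAMPLES):
    """Return the URLs the naive check would wrongly wave through."""
    return [u for u, legit in samples.items() if naive_looks_legit(u) and not legit]


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = is_legit_login_host(url)
        assert verdict == expected, url
        print(f"{'OK  ' if verdict else 'FAKE'} {url}")
    print("naive check fooled by:", audit())
```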

I added the site to Phishtank - sorry to spoil anyone's fun. Hopefully some of this blog post was useful to you - even if it was only to provide entertainment in logging into others' Facebook and email accounts.

Staying safe on the internet is just common sense; but you have to know what to look out for to begin with.


Comments

garydenness 24. November 2007, 02:17

I had a look at bank account phishing scams a few weeks ago, and noticed a couple of things about Opera's browser that could be improved.

Firstly, in my opinion, Opera's security should come pre-enabled. Also, you had to register with Phishtank to report the site. People are lazy...you should be able to just click once to report.

Secondly, and more worryingly...Opera ok'd 2 of the 3 fake bank sites I visited. IE7 caught them all.

coxy 24. November 2007, 09:30

Ouch, IE with better fraud protection than Opera? To be honest, I didn't even know IE had such a feature.

I certainly agree that Fraud Protection in Opera needs improving; as you said, the feature should be switched on as default. And, whilst it's understandable as to why a Phishtank account is required to report fraudulent sites, there should be some sort of option for handling anonymous submissions.

Another problem I have with Phishtank is that the submission process assumes that each phishing attempt stemmed from an email - a required field of the form being 'Contents of email body'.

At the end of the day though, I'm glad the Fraud Protection is in Opera (limited protection is better than no protection) and will take satisfaction in knowing it was there before Firefox (which does have a similar feature - that is on by default, D'oh!)

benroger16 24. November 2007, 18:30

Well, I know Opera needs improving, but I haven't used IE in a long time... and I'm not planning to. I'm using a Mac, so I use Safari and Opera, and I love both browsers. I certainly agree that fraud protection in Opera is not on by default; hopefully the next version will be "fixed" (no, I don't think this is the right word, it doesn't need to be fixed, just improved).

Myisi 3. December 2007, 16:43

I have Facebook but I never thought about all that you say... it's true

Anonymous 5. January 2008, 18:36

Anonymous writes:

All you people with your IE and your Opera, I use Firefox and I'm proud of it!

Anonymous 17. April 2009, 22:49

Anonymous writes:

None of these websites work with Facebook... hmmm. They all say incorrect password and username combination.

coxy 22. April 2009, 18:59

Yes - because right now they'd have changed most of the usernames and passwords. This blog was posted quite a while ago.

Anonymous 24. April 2009, 19:05

OT writes:

Hey Buddy,
Thx for the reach info, this problem has happened with my friend (even though he is an IT expert) but it's really hard to stop yourself from opening a link that leads to Facebook when the message is sent from your ex-girlfriend asking you to check her new photos.
But we immediately found out that the address bar was pointing to a website similar to Facebook but with some additional characters.

But I think when someone wants to publish his ideas in a public way he'd better use other words rather than ppl are stupid, not clever enough, and so on... if we are professional, we don't have to expect that all the other ppl have the same experience, am I right?

Myisi 4. September 2009, 15:37

Hey people, but it's not true now because you can log in here in Firefox now!!

Anonymous 21. November 2009, 06:28

haryanto arby writes:

I haven't received the confirmation email.
