Facebook Phishing Scam
Saturday, November 24, 2007 12:44:59 AM
So today I've spent about an hour in total going through people's various Facebook accounts. Why? Because people are stupid.
Someone set this fake Facebook page up and set it going around the internet. It basically looks like a Facebook login page, but if you check the address bar you'll notice the site is actually hosted at photos-c-ak.com and not facebook.com. Obviously some people aren't clever enough to realise this and attempt to log in.
Logging in doesn't actually log you in; it just takes the info you've put in the form (i.e., your email address and password) and saves it to a text file. You will then be taken to the real Facebook login page to sign in, if you're not already signed in, and then on to the photo / video / page you're meant to be looking at. The victim is none the wiser as to what's happened.
You can view the big long list of people's names and passwords by reading the text file. This is just one of a few text files used to store this information, so more people have been fooled by this than you see there. And, because the scam has been posted on various internet forums, there are lots of fake login details.
Minor details aside, the major issue is that you can have the most secure password in the world; human error (i.e., not recognising a fake site when you see one) will prevail. Whilst this is the case, there are a few steps you can take to prevent any phishing attempts you may encounter:
- Check the address bar
  When signing in on a website, check the address bar to make sure it's the real website. Make sure the Facebook login page says http://www.facebook.com/login.php, or http://mmu.facebook.com/login.php - the important part is that the .com comes directly after 'facebook'. If the address reads http://www.facebook.hs.com or http://facebook.photos-c-ak.com - for example - that's fake. Do not proceed.
- Use a good web browser
  Whilst a web browser can't offer 100% protection, you should make sure you're using a browser with built-in Fraud Protection. Opera Web Browser is fast, free, safe, secure and has fraud protection. If you come to a fake website that's ready to steal your login details, you're more likely to be alerted to this. View a demo of how this works - then download Opera.
- Use multiple passwords
  Make sure your email account has a password that is different from that of any other internet account you may have. If someone found out your Facebook password, they could change it - using your email address is the only way of retrieving your account from the intruders.
  If your email account password is the same as any of your other website passwords - go change it now - an intruder could log into your email and change your password. This would essentially lock you out of ALL your accounts on the internet because email is used as a method of reclaiming your account / resetting your password.
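The "Check the address bar" rule above, written out as a check on the host part of a URL. This is an added example, not part of the original post; `TRUSTED_DOMAIN`, `effectiveHost` and `checkLoginUrl` are names assumed here, and the last two sample URLs are constructed.

```javascript
// Added illustration, not code from the original post.
// TRUSTED_DOMAIN and both function names are assumptions made for this example.
const TRUSTED_DOMAIN = "facebook.com";

// Return the host a browser would really connect to, or null if unusable.
function effectiveHost(urlString) {
  try {
    const url = new URL(urlString);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    // hostname excludes any credentials and port, and is already lowercased.
    // Drop the optional trailing dot of a fully qualified name.
    return url.hostname.replace(/\.$/, "");
  } catch {
    return null; // not a parsable URL
  }
}

// Classify a login URL against the trusted domain.
function checkLoginUrl(urlString, trusted = TRUSTED_DOMAIN) {
  const host = effectiveHost(urlString);
  if (host === null) return { host, ok: false, reason: "not a parsable http(s) URL" };
  // Trusted only if the host IS the domain or ends with ".<domain>".
  // The leading dot matters: "notfacebook.com" ends with "facebook.com" too.
  if (host === trusted || host.endsWith("." + trusted)) {
    return { host, ok: true, reason: "host is " + trusted + " or a subdomain of it" };
  }
  // The brand name appearing somewhere in the host proves nothing.
  const brand = trusted.split(".")[0];
  const reason = host.includes(brand)
    ? "'" + brand + "' appears in the host, but the host is not under " + trusted
    : "host is unrelated to " + trusted;
  return { host, ok: false, reason };
}

// The first four URLs are the ones quoted in the post.
const samples = [
  "http://www.facebook.com/login.php",
  "http://mmu.facebook.com/login.php",
  "http://www.facebook.hs.com",
  "http://facebook.photos-c-ak.com",
  "http://notfacebook.com/login.php",   // constructed sample
  "http://WWW.FACEBOOK.COM./login.php", // constructed sample
];
for (const s of samples) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK   " : "FAKE ") + s + "  ->  " + r.host + " (" + r.reason + ")");
}
```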
I added the site to Phishtank - sorry to spoil anyone's fun. Hopefully some of this blog post was useful to you - even if it was only to provide entertainment in logging into others' Facebook and email accounts.
Staying safe on the internet is just common sense; but you have to know what to look out for to begin with.
Matt Cox (coxy) # Saturday, November 24, 2007 9:30:32 AM
I certainly agree that Fraud Protection in Opera needs improving; as you said, the feature should be switched on as default. And, whilst it's understandable as to why a Phishtank account is required to report fraudulent sites, there should be some sort of option for handling anonymous submissions.
Another problem I have with Phishtank is that the submission process assumes that each phishing attempt stemmed from an email - a required field of the form being 'Contents of email body'.
At the end of the day though, I'm glad the Fraud Protection is in Opera (limited protection is better than no protection) and will take satisfaction in knowing it was there before Firefox (which does have a similar feature - that is on by default, D'oh!)
Roger 'Ben' Benítez (benroger16) # Saturday, November 24, 2007 6:30:35 PM
but I haven't used IE for a long time... and I'm not planning to do it
I'm using a Mac, so I use Safari and Opera, and I love both browsers
I certainly agree that fraud protection in Opera is not on by default,
hopefully the next version will be "Fixed" (No, I don't think this is the right
word, it doesn't need to be fixed, just improved)