Phishing on Facebook...
August 2009
Facebook was the target of two independent, unrelated phishing attacks delivered through its applications service. Two security experts discovered, investigated and reported the attacks to the social network's admins, who took protective measures.

The first one was an application called Customer Dispute. The application link did not open an actual app page, although it sat under a genuine Facebook URL (apps.facebook.com/customer_dispute/). Instead of the standard application install screen, it showed a "404 – Page not found" error. The detail that caught the expert's attention was that the error was NOT FROM FACEBOOK, but from a hosting company called Ripway. A researcher had this to say about Ripway: "The entire content is taken up by a 'Page not found' message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage)."

The second attack used a different Facebook application. The app sent out countless notifications telling users that someone had commented on one of their posts and that they should check it out. Hovering the mouse over the link showed that it actually pointed to a page on the fucabook.com domain that hosted content designed to steal information.
According to Mr. Ferguson, "The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials." He also added, "The attack site is registered to an Arsen Tumanyan who allegedly resides in Armenia, the domain is registered through GoDaddy and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2) cloud."
This attack did not attempt to steal any financial data, but it tried to acquire account credentials that could have been used to send out spam or other phishing attacks afterwards.
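The two tell-tale signs in this post, a notification link whose visible text and hover target disagree, and a look-alike domain that loads a script and then meta-refreshes to the real site, can be checked mechanically. The following Python is an added example written for this page, not code from the original post or from the researchers quoted; the notification snippet, the page URL and the HTML it parses are constructed to mirror the described behaviour and were not captured from the real attack. The two-label domain rule is a deliberate simplification (a real tool would use the Public Suffix List).

```python
"""Triage helpers for the two Facebook phishing patterns described above.

Added example; not code from the original post. The sample URLs and HTML
below are constructed to mirror the described behaviour, not captured data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "facebook.com"


def registrable_domain(url):
    """'http://apps.facebook.com/x' -> 'facebook.com'.

    Simplification (assumption): the last two host labels are the registrable
    domain. A production tool should consult the Public Suffix List ('co.uk').
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squats such as fucabook.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(url, legit=LEGIT_DOMAIN, max_distance=2):
    """True when the URL's domain is not `legit` but is within a few edits of it."""
    dom = registrable_domain(url)
    return dom != legit and edit_distance(dom, legit) <= max_distance


class PageCollector(HTMLParser):
    """Collects meta-refresh targets, external scripts and anchor (href, text) pairs."""

    def __init__(self):
        super().__init__()
        self.refresh_targets, self.script_srcs, self.anchors = [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..." ; pull out the url part
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1).strip())
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html, legit=LEGIT_DOMAIN):
    """Anchors whose visible text names the legit domain but whose href leaves it
    (what the expert noticed by hovering over the notification link)."""
    p = PageCollector()
    p.feed(html)
    return [(href, text) for href, text in p.anchors
            if legit in text.lower() and registrable_domain(href) != legit]


def triage_page(page_url, html, legit=LEGIT_DOMAIN):
    """Flag the described pattern: an off-domain page that loads a script and
    immediately meta-refreshes to the real site."""
    p = PageCollector()
    p.feed(html)
    off_domain = registrable_domain(page_url) != legit
    bounces_to_legit = any(registrable_domain(t) == legit for t in p.refresh_targets)
    return {
        "lookalike_domain": is_lookalike(page_url, legit),
        "external_scripts": p.script_srcs,
        "refresh_targets": p.refresh_targets,
        "suspicious": off_domain and bounces_to_legit and bool(p.script_srcs),
    }


# Constructed samples (assumed shapes, not captured from the real attack).
SAMPLE_NOTIFICATION_HTML = (
    '<p>Someone commented on your post: '
    '<a href="http://fucabook.com/comment">http://www.facebook.com/posts</a></p>'
)
SAMPLE_PHISH_URL = "http://fucabook.com/comment"
SAMPLE_PHISH_HTML = """<html><head>
<script src="http://fucabook.com/js/hook.js"></script>
<meta http-equiv="refresh" content="0;url=http://www.facebook.com/login.php">
</head><body></body></html>"""

if __name__ == "__main__":
    print(deceptive_links(SAMPLE_NOTIFICATION_HTML))
    print(triage_page(SAMPLE_PHISH_URL, SAMPLE_PHISH_HTML))
```

`deceptive_links` reproduces the hover check from the post: the anchor text reads as a facebook.com address while the href resolves to fucabook.com. `triage_page` encodes Mr. Ferguson's description of the landing page: a page off the legitimate domain that pulls in a script and then meta-refreshes to the real site is flagged, while the same refresh on a genuine facebook.com page is not.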