We have reported a number of Facebook phishing
pages and scams
on this blog. Attackers always come up with clever ideas to fool users in order to obtain their credentials. One of these phishing tricks is a "poor-man" session hijacking attack whereby the user is fooled into copying and pasting a Facebook URL containing the session ID or other credentials into a malicious page. I'll describe such an example that I spotted this past weekend.
The phishing page starts with the usual bait, a video. This time, no sex, but instead an opportunity to watch "Jackie Chan died after perfecting a deadly stunt. Jackie Chan falls from a building of 12 floors.
|Jackie Chan died! |
The user must click to verify his age, another common trick to get users to click on the page. This displays a list of steps to "verify your age" which involve clicking on another link, copying a link from the window opened, and submitting the data.
|Steps to "verify" the user age |
The new window points to Facebook. The window is too small for the user to understand what he is copying. Also, instead of opening a page, the URL used is "view-source:https://www.facebook.com...
". This makes it one step harder for the user to understand that the window displays a page from Facebook.
|Popup window open by the phishing page |
When the user copies and pastes their Facebook URL into the 3rd party web page, they're also sending their authentication token used share content. Once this is done, the scammer can now post content on the user's behalf.
Fortunately, Facebook reacted quickly to this particular scam. The Facebook popup is not valid anymore and it shows the following warning:
|Warning from Facebook |
When subsequently logging into Facebook after viewing the scam, I also received a warning about phishing pages:
|Warning about phishing pages |
It looks like Facebook has reacted much faster than they have in the past and added additional warnings for end users. I was asked by Facebook to review my timeline for any suspicious activating just after I logged in. Hopefully more Facebook users will learn about these phishing techniques and will be able to spot them early on.