Another wave of Facebook phishing is spreading among Facebook users. Imagine you get a message from another Facebook user with a link to a new amazing Facebook app. Even if the sender is not your friend, you decide to go to the link. Instead of an application you see a fake Facebook login page. But here’s the catch – you don’t know it’s a fake!
Recently we have encountered a lot of Facebook apps which do nothing but redirect users to a fake Facebook login page. You cannot recognize from the link that the application has no real content. The URL of the application looks like http://apps.facebook.com/app_id where app_id is 15-digit identification number of the application. The application link usually contains its name (http://apps.facebook.com/app_name), but using the application ID in the link is also possible.
When you click on the link, you land on one of many domains hosted on 126.96.36.199, 188.8.131.52, 184.108.40.206 or 220.127.116.11.
To convince Facebook users that the website is located on 'facebook.com' the lowest level subdomains are always 'facebook.com.profile.accounts.login'. The website that you find here does not differ much the legit Facebook login page. Hence, it makes an impression that when you visited the application, something went wrong and you were automatically logged out. But if you check your address bar, you see that you are not on the regular Facebook login page.
In addition to the URL in the address bar there are other small differences between this fake login page and the legit one. You will notice that the fake login page is available only in English. If you try to click on another language and change it, nothing happens. Similarly, 'Forgot your password' link does not work as well as links to 'Help' or 'Developers' at the right corner of the page. The Facebook copyright notice is dated 2012 instead of 2013.
If you miss all these warning signs and fill in your username and password and try to login, you are redirected to http://www.youtube.com. What happened with your username and password?
We compare the source code of the fake and legit Facebook login page and look closely at the part with the login form. Instead of the official php login file on http://www.facebook.com/login.php the attacker uses the php file called 'next.php' which is located on his server or free hosting server. The php file 'next.php' enables the attacker to save your login information to a text file. After that, the attacker just checks the text file to get your password and he has an open door to your Facebook account.
Login form of the legit Facebook login page:
Login form of the phishing login page:
The best way to protect your online accounts from phishing attacks is to be careful where you write your password, always check the URL in the address bar before you log in and use avast! Internet Security. All mentioned ip addresses are blocked by avast! antivirus as well as all malicious domains that are hosted there. Moreover, the phishing login page is detected with the detection called HTML:Phish-O [Trj].