Phishing for Phacebookers
Ryan Singel reports in Wired on a phishing scam targeting Facebook users:
Some Facebook users checking their accounts Wednesday found odd postings of messages on their “wall” from one of their friends, saying: “lol i can’t believe these pics got posted…. it’s going to be BADDDD when her boyfriend sees these,” followed by what looks like a genuine Facebook link.
But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords.
Myspace has faced a constant battle against spammers and phishers. Facebook has thus far kept things under much better control, but recently I’ve been starting to see a lot more spam postings in groups. It’s not that this affects my overall experience much (fortunately most groups don’t allow people to send mail to all members), but it’s a worrying sign: if accounts can be hacked enough to post to groups, what else can attackers do?
Hackers can use the compromised profiles to host Trojan horses such as key loggers that go on to steal banking passwords and credit card numbers.
And since many people use the same logins and passwords on multiple sites, the hackers can also check if stolen Facebook credentials will log them into eBay or Amazon, for instance.
Oh yeah, stuff like that. Not good.
It’ll be interesting to see how Facebook responds. Now would be a great time to implement some kind of community spam flagging system … but of course, unless it’s something they’ve already been working on, that’s easier said than done. We shall see …