Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Facebook Falls Victim To Another Phishing Attack

Phishers use cryptic message to lure users into giving up their account information

Social networking site Facebook, which has been the target of several phishing and malware attacks during the past few months, is under the gun again.

Researchers at email and Web security service provider AppRiver on Thursday spotted a phishing exploit on Facebook that is spreading across the community. The phish enables hackers to steal logon and password data, as well as change end users' account information, effectively locking them out of their own accounts.

Security researchers at Cloudmark also have spotted the phishing attack.

The simple attack begins with an email message bearing the subject line "Hello," according to Fred Touchette, senior security analyst at AppRiver. The body of the message reads, "Check areps.at" The message then offers a Facebook link to reply to the message.

When users click on the link, they are brought to a fraudulent Facebook page that requests their account information and then routes them to their own Facebook page as it captures the login data, Touchette says. In some cases, the attackers use the login data to immediately change the users' passwords, effectively locking them out of their accounts.

In addition to areps.at, AppRiver has spotted the same attack coming from several other sources, including bests.at, brunga.at, kirgo.at, nutpick.at, and fcoder.at. These sources bypass some spam filters because they are not structured as full URLs, AppRiver researchers say.

The phishing attack is surprisingly simple and not particularly well-concealed, Touchette observes. For example, it doesn't require CAPTCHA authentication -- which Facebook usually does -- and the destination URL of the fraudulent login page does not contain the word "Facebook" -- which the real logon page does, he notes.

"We're not sure what the [phishers] were thinking, using such a simple attack and then locking users out of their accounts," Touchette says. "Usually, in more sophisticated [exploits] the attacker would quietly maintain access to the account for as long as possible, rather than tipping off the victim."

Both AppRiver and Cloudmark researchers say they expect to see more such attacks on Facebook because of its popularity and the site's viral nature of communications, which makes it easy for attacks to spread.

"Phishing and spam will continue to increase on social networks as users migrate large portions of their Internet activity, such as email, to these properties," says Adam O'Donnell, Cloudmark's director of emerging technologies. "Finding a cost-effective mechanism for remediating phished accounts is now a priority for Facebook and other social network sites. They need to figure out how to reset these people's passwords and contact them without priming their user population for an email-based phishing attack."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Tell him only Kevin Mitnick and the President know the launch codes.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...