Earlier today a link to a phishing trojan Facebook App, supposedly a video of myself, was sent to me from a Twitter account belonging to a channel partner; the account had been compromised.
The phishing app asked Facebook users to log in with their Twitter credentials. One obvious giveaway that this is a phishing app is, as can be seen from the screenshot, that you don’t have to be logged into Facebook to view the app.
Facebook Phishing App
If you entered your Twitter username and password then doubtless the hacker would do what they’ve done to other user accounts – send direct messages to all of your followers suggesting that they view a film of themselves on Facebook. What they also do (even if you enter a made-up username and password) is then redirect you to a supposed YouTube video on a phishing site outside Facebook, on a page designed to look like Facebook.
When the “YouTube” video image displayed it informed you that you needed to update to Flash 10.1. Clicking the Install button would of course install a trojan on your computer, causing untold havoc.
Phishing “Facebook” YouTube Video Website
Upon reporting the malicious Facebook app, it was promptly removed from the site and the phishing web page was taken offline.
A Facebook spokesperson told us: “We take the security of our users very seriously and we are constantly developing the tools and measures we have in place to detect and prevent fraudulent activity. When properly notified, we will quickly investigate all legitimate reports of security vulnerabilities and fix potential problems.
Security is an issue everywhere online so it’s important to be aware of the risks and learn how to protect your accounts and your computer. We advise people to read the tips on our Facebook Security Page.
These include advice on how to protect your browser activity, your operating system, as well as your Facebook account. We provide numerous tools to help you keep your computer and your account safe including free anti-virus protection.
We also offer a bug bounty programme for security researchers who help us identify vulnerabilities.”
If by any chance you were caught out by the malicious app then change your Twitter password immediately. Also, if you entered your Facebook login details on the phishing site, you should change these too. This is an example of how vigilant you need to be: don’t trust or click on any links passed to you, even if they purportedly come from someone you know.