Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Security Research

Facebook Phishing Pages

image
JULIEN SOBRIER
février 24, 2011 - 2 Min de lecture

Introduction

Facebook phishing pages are fake websites designed to look like the real Facebook login page. They trick users into entering their login credentials, which are then stolen by hackers. These stolen credentials can be used for identity theft, taking over accounts, or spreading spam and phishing attacks. To avoid falling victim, users should be cautious of suspicious links and enable multifactor authentication (MFA) on their accounts.

Domains

On 02/13/2011, Zscaler ThreatLabz found several domains used for Facebook phishing, all of which were registered the same day:

  • securedirectsite.com
  • directsecuresite.com
  • securedsitedirect.com
  • highsecuritydirect.com
  • securedsitedirect.com
  • officialsecuredsite.com

These domains contain the same page: a simple form to enter a Facebook login and password.

Figure 1: Facebook Phishing page.

Figure 1: Facebook Phishing page.

After entering the credentials, users are redirected to http://www.facebook.com/pages/Image-hosting-service/106354426063487#!/album.php?profile=1&id=208421665712, which lands the user at their Profile Pictures page. If the user was not yet logged into Facebook, they must login "again". The phishing page does not post the credentials to Facebook on the user's behalf.

Fast-Flux DNS

All of the domains were registered by the same individual in China.

Figure 2: WHOIS information for highsecuritydirect.com

Figure 2: WHOIS information for highsecuritydirect.com.

The domains are bound to multiple IP addresses that change rapidly (aka fast-flux DNS):

Figure 3: DNS information for highsecuritydirect.com

Figure 3: DNS information for highsecuritydirect.com.

They all use the DNS server fbnameserver.com, which has been used for other Facebook phishing sites in the past.

Random Redirections

On 02/14/2011, these 6 domains where redirecting users to http://www.google.com/ in the morning. In the afternoon, they redirected users to http://www.facebook.com/

On 02/16/2011, they seem to display the phishing pages all the time. We do not know why these redirections were set up earlier.

As of 02/16/2011, these domains are not yet blocked by Google Safe Browsing.

Conclusion

In February 2011, phishing domains targeting Facebook users were discovered. These Chinese-registered domains featured login pages and employed fast-flux DNS to evade detection. Despite random redirections, they remained unblocked by Google Safe Browsing (as of 02/16/2011), posing a continued risk to users.

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.