The Squirrels Are Watching

Facebook Redirect Phishing

Posted in Code and Tech by andrewfong on October 25, 2009

Two of my friends inadvertently gave away their passwords to a Facebook password phishing site yesterday. If you don’t know what phishing is, see the Wikipedia article.

Hypothesis: The way Facebook formats its links in e-mails actually makes it easier for phishing sites to trick some users into giving their info.

Phishing websites work by creating mirror images of other websites and tricking you into logging in to them with your account info from the other site. So let’s pretend I owned notfacebook.com. I could trick people into giving me their Facebook password by sending them to http://notfacebook.com/login.php, a page that looks exactly like the actual Facebook login page, except when you entered in your password, you would be sending it not to Facebook, but to me.

Now a lot of web users are getting savvy enough to detect these fake websites — it’s pretty obvious that any link that starts with http://notfacebook.com is fake. But what if you share that link on Facebook itself?

When you share a link on Facebook with someone, if that person’s privacy settings allow it, Facebook sends an e-mail describing said link. In the e-mail however, Facebook does not share the actual canonical link with you. It instead gives you a link which goes to a Facebook page that then redirects you to the actual link. For example, if I were to share the link for AndrewFong.com with you, Facebook actually sends you this URL: http://www.facebook.com/l/55dd3;AndrewFong.com (one reason Facebook does this is stat tracking — e.g. how many people actually click a link their friends send them).

The problem is that this creates the impression that third-party websites are actually pages on Facebook. If you click on the link above, it’s pretty obvious that AndrewFong.com is not Facebook, but if I were to make my homepage look like a Facebook login page, you might end up thinking that you were on the actual Facebook login page. After all, you clicked on a link that started with http://facebook.com, so it’s perfectly natural to expect that you’ll end up somewhere on Facebook. Furthermore, since Facebook requires logged out users to log back into the site to see a wall post or something else a friend shared, it’s also perfectly natural to see a Facebook login page when you click on that link.

People are even more likely to get duped if, instead of AndrewFong.com, I’m using clever domain names or gibberish. For example, if you saw http://www.facebook.com/l/55dd3;wallpostlink.pl/as3fa3g/share.php, would it be apparent on first glance that the end destination of this URL was not Facebook? I don’t think it is for most users.

What you’re supposed to do is check the URL in the actual address bar before signing in. Unfortunately, a lot of people forget to do this — there’s no reason to expect that clicking on a link in a Facebook e-mail that starts with http://facebook.com would send you to an external site. It also doesn’t help that Facebook currently doesn’t give you a warning you’re navigating to an external website if you’re already logged in (it does if you’re not logged in though — curious).

Of course, browsers and Facebook itself are supposed to mark these  links as suspicious and respond accordingly, but there’s always some lag time. So remember folks, always double check the domain of the website you’re on before logging in! If you’re not sure about the domain name, type facebook.com into the address bar of your browser and log in directly.

Advertisements
Tagged with: ,

5 Responses

Subscribe to comments with RSS.

  1. marlon said, on December 18, 2009 at 5:36 pm

    how do i get it to stop redirecting to the fake url. i type facebook.com in address bar, press enter, and it takes me to a page that looks like facebook. (something like this….toshiba.php) can’t get to real facebook site. what should i do?
    marlon

  2. vidit said, on January 18, 2010 at 8:49 am

    iv got the same problem,,,,,i did the csan as u mentioned nd dis is wt it says,,,,,,plz help me,,,

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:17:37 PM, on 1/18/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    […]
    O1 – Hosts: 79.106.2.131 localhost
    O1 – Hosts: 79.106.2.131 facebook.com
    O1 – Hosts: 79.106.2.131 http://www.facebook.com
    […]

    End of file – 9428 bytes

  3. Hax0r said, on June 22, 2010 at 5:47 am

    Its a desktop phishing,advanced way to phish…
    Go to my computer – local dick C – Windows – system32-drivers-ets- u will see host file
    open it….it at the end say:
    O1 – Hosts: xx.xxx.x.xxx localhost
    O1 – Hosts: xx.xxx.x.xxx facebook.com
    O1 – Hosts: xx.xxx.x.xxx http://www.facebook.com
    dellete all of it (xx.xxx.x.xxx-are IP of phisher)


Comments are closed.

%d bloggers like this: