Facebook Phishing Via Tumblr
This one took a while to unravel, and we're missing a piece or two, but it's still worth writing about.
We noticed some odd traffic going to a brand new domain yesterday: maal1.pw
Interestingly, the traffic was coming from a bunch of random/junk Tumblr "sites":
Here's an example of what the pages looked like:
That section of the Tumblr page HTML looks like this:
That's where the trail went cold for me -- I couldn't get maal1.pw to do anything interesting when I visited. So I handed it over to Jeff, who has ways to make sites talk...
And here's what he found:
So it's a phishing attack, trying to get you to log in to Facebook...
But why would someone be doing this? What's the bait?
Unfortunately, that's one of the still-missing pieces, but we can make an educated guess if we switch ends and jump to the beginning of the chain: those Tumblr sites with the suspicious names.
Traffic to those sites, it turns out, is coming from facebook.com (or the mobile version, m.facebook.com).
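The chain described above (facebook.com to a throwaway Tumblr page to maal1.pw) is visible in ordinary proxy logs as a referrer pattern: one destination reached through many distinct, short-lived hub pages that were themselves entered from Facebook. The following Python is an added example, not code from the original post or its authors; the log format, the client addresses and the Tumblr hostnames are constructed for the example, and only maal1.pw comes from the post. It is written generally, so the hub suffix and the upstream site are parameters rather than fixed to Tumblr and Facebook.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log excerpt (not from the original post). Each line is
# "<timestamp> <client> <requested URL> <Referer URL>". The *.tumblr.com hosts
# are made up; maal1.pw is the destination named in the post.
SAMPLE_LOG = """\
2013-06-11T10:01:02 10.0.0.5 http://asdf8923.tumblr.com/ http://www.facebook.com/
2013-06-11T10:01:03 10.0.0.5 http://maal1.pw/ http://asdf8923.tumblr.com/
2013-06-11T10:02:10 10.0.0.7 http://qwer1122.tumblr.com/ http://m.facebook.com/
2013-06-11T10:02:11 10.0.0.7 http://maal1.pw/ http://qwer1122.tumblr.com/
2013-06-11T10:03:00 10.0.0.9 http://zxcv7711.tumblr.com/ http://www.facebook.com/
2013-06-11T10:03:01 10.0.0.9 http://maal1.pw/ http://zxcv7711.tumblr.com/
2013-06-11T10:04:00 10.0.0.11 http://example.com/news http://www.facebook.com/
2013-06-11T10:05:00 10.0.0.12 http://staff.tumblr.com/ http://www.google.com/
2013-06-11T10:05:01 10.0.0.12 http://maal1.pw/ http://staff.tumblr.com/
"""

# Hostnames the post names as the origin of the traffic.
FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}


def parse_log(text):
    """Return one record per well-formed line: client, requested host, referring host."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        _ts, client, url, ref = parts
        records.append({
            "client": client,
            "host": urlparse(url).hostname or "",
            "ref_host": urlparse(ref).hostname or "",
        })
    return records


def find_referrer_funnels(records, hub_suffix=".tumblr.com",
                          upstream=FACEBOOK_HOSTS, min_hubs=3):
    """Find destinations reached via many distinct hub pages that were
    themselves entered from the upstream site.

    A hub only counts if some client arrived at it directly from `upstream`;
    a tumblr page reached from elsewhere (staff.tumblr.com above) is ignored.
    Returns {destination_host: sorted hub hosts} for destinations with at
    least `min_hubs` qualifying hubs.
    """
    hubs_from_upstream = {
        r["host"] for r in records
        if r["host"].endswith(hub_suffix) and r["ref_host"] in upstream
    }
    dest_hubs = defaultdict(set)
    for r in records:
        if r["ref_host"] in hubs_from_upstream:
            dest_hubs[r["host"]].add(r["ref_host"])
    return {dest: sorted(hubs)
            for dest, hubs in dest_hubs.items() if len(hubs) >= min_hubs}


if __name__ == "__main__":
    for dest, hubs in find_referrer_funnels(parse_log(SAMPLE_LOG)).items():
        print(f"{dest}: reached via {len(hubs)} distinct hubs entered from Facebook")
        for hub in hubs:
            print("   ", hub)
```

The threshold on distinct hubs is what separates this pattern from a single popular link: one Tumblr blog sending readers to a site is normal, while many unrelated, freshly named blogs all funnelling into one new domain within the same window is the shape of the campaign described here. Pairing the output with a check on domain registration age would tighten it further, but that data is not in the post, so it is left out of the example.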
It gets even more interesting if you see one of the specific pages, showing what the Facebook users saw as they were leaving to chase the bait:
The warning is worth a close-up:
I don't know how they could make it any more clear -- kudos to Facebook for doing their part.
But plenty of people clicked the "Ignore Warning" button anyway. Whatever they'd been convinced they needed to see by a Facebook "friend" (probably some kind of salacious video link) overrode their common sense, even in the face of an explicit security warning. (Which is why the "Foolish Zebra" principle works so well!)
And then their own Facebook account would likely end up being used to send the spam on to their own friends...