The Information Warfare Monitor (IWM) has uncovered an attempt to use a fake URL and login page to lure Facebook users into providing their login credentials. Given the nature of the content being linked to, this appears to be an attempt to target pro-revolution Syrian Facebook users. The link (hxxp://facebook.com-video-php-v222423423.homsrev.webgoof.com/video/video.php) attempts to mimic the URL and login page of Facebook, as seen in Figure 1. It has been distributed through multiple Syrian Twitter accounts, which describe the content as a “fascinating video clip showing an attack on Syrian regime”. The use of Twitter accounts to distribute malicious links is a common tactic and has been documented by past Information Warfare Monitor research.
IWM researchers were able to log in to this fake Facebook page using newly created login credentials, at which point we were redirected to the legitimate Facebook login page. Tweets from August 29, 2011 have added a note explaining “you will be asked to login twice as an extra security measure”. This is likely an attempt to mask the suspicious URL by immediately redirecting to a legitimate one.
The source code of the fake Facebook page contains a description in Arabic which reads “An excellent operation by Khalid brigade that killed 6 Shabiha in the Syrian city Homs.” Shabiha is an Arabic term used by Syrian opposition groups to describe the regime’s militias. This message provides further evidence that this page was indeed set up to target pro-revolution Syrian users.
This fake Facebook page is hosted by the U.S.-based hosting provider webgoof.com, whose domain name was registered on August 4, 2011. This hosting provider is a sister company of TechniHost, a web hosting provider based in Ohio. The Information Warfare Monitor alerted TechniHost of this issue and the account has since been suspended.
This issue has been reported elsewhere in an Arabic language blog post entitled “How Syrian Electronic Army Hacks Facebook pages”, which warned users about the attack.
Previous Information Warfare Monitor research has documented the activities of the pro-regime Syrian Electronic Army, which included compromising several Facebook pages run by Syrian opposition groups. However, we are not able to determine who is behind this particular attempt to harvest Facebook credentials.
Updated: 30 August 2011
Further IWM research has uncovered that this Facebook phishing attack is likely not the only attempt by malicious actors to use this hosting provider as a means of harvesting login credentials. A number of other similar sites have also been hosted by webgoof.com:
The highlighted URLs (above) provide some circumstantial evidence that these attempts to harvest credentials are linked to the Syrian Electronic Army (SEA). Past IWM research has documented instances of the SEA defacing and spamming opposition websites, including Facebook pages.
IWM researchers contacted Techni Host (the sister company of webgoof.com), who immediately removed the fake Facebook pages. We continue to work with Techni Host to investigate this issue. We have also contacted Facebook and other providers’ security teams about the compromised accounts, and have communicated our concerns to the Syrian community as broadly as we can.
If users believe their credentials have been compromised, they should change their passwords urgently.
Users can notify Facebook of compromised accounts here: http://www.facebook.com/hacked/. If users have used the same password on multiple sites (including the webmail accounts used to create a Facebook account) they should change these to a new strong password as soon as possible.
Users should always take precautions to ensure their accounts remain secure:
- Users should always ensure they are logging into the site they intend to. The above URLs closely resemble the legitimate Facebook URL, which may easily deceive users.
- Users should always use the secure HTTPS login for Facebook and other sites, where possible. For Facebook this login is found at: https://www.facebook.com/login.php
- Users can be notified whenever their account is logged into from a device they did not approve. Instructions for enabling login notifications can be found here: http://www.facebook.com/blog.php?post=389991097130
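As an added example (not part of the IWM post), the following check flags lookalike hostnames of the kind described above, where “facebook.com” appears only as a leading label and the domain that was actually registered is something else (here webgoof.com). The public-suffix table is a small hand-written stand-in for the real list, and the defanged URL from the post is used as a constructed input.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Small stand-in for the public suffix list (assumption; a real checker
# would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Brand domains that must only ever appear as the registrable domain.
PROTECTED_DOMAINS = {"facebook.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname, e.g. 'webgoof.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def lookalike_verdict(url: str) -> tuple[bool, str]:
    """Return (suspicious, registrable_domain) for a URL.

    The URL is suspicious when a protected brand appears in the hostname
    at a label boundary ('.' or '-', as in 'facebook.com-video-php...')
    while the registrable domain is something else. Defanged 'hxxp://'
    URLs are accepted as-is, since urlsplit still extracts the host.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False, ""
    actual = registrable_domain(host)
    if actual in PROTECTED_DOMAINS:
        return False, actual
    for brand in PROTECTED_DOMAINS:
        if re.search(r"(^|[.-])" + re.escape(brand) + r"($|[.-])", host):
            return True, actual
    return False, actual


if __name__ == "__main__":
    # Constructed samples: the lookalike from the post beside the real login URL.
    for u in ("hxxp://facebook.com-video-php-v222423423.homsrev.webgoof.com/video/video.php",
              "https://www.facebook.com/login.php"):
        print(u, "->", lookalike_verdict(u))
```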