TechCrunch is reporting a new bout of phishing attempts that mimic Facebook. The idea is simple: you receive an email from a friend inviting you to look at something ‘cool’ at a link – in this case fbstarter.com.
Opening the link brings you to a screen similar to the Facebook sign-in page, but obviously not hosted at www.facebook.com. Signing in thus hands your username and password to whoever is running the scam.
This follows on from similar phishing scams in the last couple of days at FBaction.net, which were quickly shut down.
It’s an interesting, and no doubt worrying, development for Facebook. One of the reasons it’s a clever phishing attack is that it understands the common way people use their Facebook account. Most of us are familiar with – and perhaps unsuspecting as a result of – content links that produce the Facebook login. If you click on the ‘share this’ link below for Facebook, for example, and you’re not signed in to your account, you’ll be taken to a perfectly legitimate Facebook login page.
The easy rule of thumb, though, is to never click links in emails unless you’re 100% sure of their safety. Check the actual URL, as opposed to the text showing up in your mail, before clicking it – and never enter your username or password on the page it leads to.
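The “check the actual URL, not the displayed text” rule can be applied mechanically to an HTML mail body. The script below is an added example, not part of the original post: it pulls every anchor out of a constructed sample mail, compares the link target’s host with any URL shown in the link text, and flags Facebook-branded links whose target is not facebook.com or a real subdomain of it (so a look-alike such as facebook.com.example.test is still flagged). The sample mail and the domain allow-list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"facebook.com"}  # constructed allow-list for this example

def host_of(url):
    """Lowercase hostname of a URL ('' if none); scheme-less input is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def is_legit_host(host, legit=LEGIT_DOMAINS):
    """True only for the domain itself or a genuine subdomain; suffix-based, so
    'facebook.com.example.test' does not pass."""
    return any(host == d or host.endswith("." + d) for d in legit)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for anchors a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real = host_of(href)
        looks_like_url = re.match(r"(https?://|www\.)", text, re.I)
        shown = host_of(text) if looks_like_url else ""
        if shown and shown != real and not is_legit_host(real):
            flagged.append((href, text, "displayed host differs from link target"))
        elif "facebook" in text.lower() and not is_legit_host(real):
            flagged.append((href, text, "Facebook-branded link not on facebook.com"))
    return flagged

# Constructed sample mail: one spoofed link, one legitimate link, one branded lure.
SAMPLE_MAIL = """<p>hey, check this out, it's cool :)</p>
<a href="http://fbstarter.com/">http://www.facebook.com/photo.php</a>
<a href="http://www.facebook.com/share.php">Share this on Facebook</a>
<a href="http://fbaction.net/login">Facebook login</a>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags the fbstarter.com and fbaction.net anchors and leaves the genuine www.facebook.com share link alone.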
And the advantage for the scammer?
Well, one big one is that we tend to have more faith in links posted directly by our friends on Facebook – having access to many compromised accounts potentially allows these scammers to launch further phishing attacks in a zone where people are naturally more trusting.
More details here:
http://www.allfacebook.com/2009/04/facebook-phishing-scam/#comment-26065