Fake Facebook login phishing passwords

Yesterday, one of my Facebook friends sent an email to all his friends with the subject "Funniest video EVER - A monkey smoking a cigarette!". In the message was a link to a .info site. When I clicked it I was sent to a page that looked like I hadn't logged into Facebook yet, asking me to log in. Being the "trusting" person I am, I looked at the URL and noticed it said login-facebook.info and not facebook.com. This was clearly a site trying to confuse me into typing my real Facebook username and password into the forms so that they could then log in as me and do nasty things.

Wikipedia has a great description of phishing, which is what is happening here. "In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication."

Once they can log in as you they can contact all your friends in a way that those friends will trust as coming from you, and download all the semi-private information that you have stored on Facebook. There is a wealth of information, and access to other people's information, in most Facebook accounts. That information can then be combined with other information for further attacks, including "identity theft".

Please watch very closely what URL you are at when you are asked for usernames and passwords, or wherever any scripting is in place. If you are a Firefox user I recommend using the NoScript extension so that you can control which sites you will run scripts from. You should only run scripts from known trusted sites, and not simply to look at some 'cool video' someone said you should check out. There are likely equivalents to NoScript for other browsers, although I would always avoid using Internet Explorer given that the design philosophy at Microsoft isn't to give you control over your computing experience (often they design the software to retain control over your computer, with their "Trusted Computing" platform being only one set of examples).
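The check the post describes (is the host in the address bar really facebook.com, or a lookalike such as login-facebook.info?) is easy to get wrong by eye, because the real domain name can be buried in a subdomain, in the userinfo part before an `@`, or in mixed case. The following is an added example, not code from the original post, that extracts the host a browser would actually connect to and classifies a link against an expected domain. The sample links, the function names, and the "lookalike" heuristic (brand name present but domain not matching) are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind described in the post (not real sites).
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",       # genuine subdomain
    "http://login-facebook.info/",              # lookalike from the post
    "http://facebook.com.example.info/login",   # real name used as a subdomain
    "http://facebook.com@example.info/",        # real name hidden in userinfo
    "https://FACEBOOK.COM./",                   # case and trailing dot
    "login-facebook.info",                      # pasted without a scheme
]


def registered_host(url):
    """Return the lower-cased host a browser would connect to, or None.

    urlsplit().hostname already drops userinfo and the port and lower-cases
    the name; we also strip a trailing dot so 'facebook.com.' compares equal.
    """
    if "://" not in url:          # convenience for bare hostnames pasted from email
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")


def is_legitimate_site(url, expected_domain="facebook.com"):
    """True only if the host IS the expected domain or a subdomain of it."""
    host = registered_host(url)
    if host is None:
        return False
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def classify_link(url, expected_domain="facebook.com"):
    """Label a link as legitimate, lookalike, unrelated, or unparseable."""
    host = registered_host(url)
    if host is None:
        return "unparseable"
    if is_legitimate_site(url, expected_domain):
        return "legitimate"
    brand = expected_domain.split(".")[0]
    # Heuristic: the brand name appears in the host but the domain does not match.
    if brand in host:
        return "lookalike"
    return "unrelated"


def classify_all(links=SAMPLE_LINKS, expected_domain="facebook.com"):
    """Classify every link; returns a dict of url -> label."""
    return {url: classify_link(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, label in classify_all().items():
        print(f"{label:12} {url}")
```

The important design choice is that the decision is made on the parsed hostname rather than on a substring search of the whole URL: a substring search would accept `facebook.com@example.info`, while the parsed host shows the browser would connect to `example.info`.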



Tell me again why we use passwords to log in to web sites?
SSL just protects from the guy next to you at the internet cafe sniffing the network.

Why aren't we using client-side certificates?
Why don't the banks use them?
Why isn't the government of Canada's multi-billion-dollar "SecureChannel" capable of issuing them to its citizens, or its businesses?

I just don't get it. This problem was solved a long time ago. Sure there are issues with how I get my certificate onto that internet-cafe PC which I don't really trust.
(The answer is either: a) USB key, b) don't do that, c) use a second low-trust certificate, such that Facebook can tell that you aren't at home, and should get reduced trust)