Malicious @Facebook App Stealing User Credentials

I received a Facebook app request this morning from a friend who NEVER sends app requests my way. What was even more suspicious was the name of the app:

Updates Data Security Use Policy on Facebook

Sounds like a winner, right? Turns out that this malicious app isn’t even an app at all, not it the traditional sense. The app description page redirects users to a fake Facebook login page hosted on lydihost.com, even if users visit the apps.facebook.com URL in a browser that is currently not authenticated to Facebook.

Fake Facebook login page
Fake Facebook login page

As social engineering attacks go, the page is a work of art. All of the non-malicious links point back to the actual facebook.com domain, while the page is designed to accept any credential set you throw at it.

But it doesn’t stop there…

The next page presented to the user is a spoofed Update your security information screen.

Fake Facebook account recovery information
Fake Facebook account recovery information

Unsuspecting users will not only give up their current Facebook username and password, but also the answers to password reset questions that could be used to compromise other online accounts (like the email account they used to register with Facebook).

For the geeks in the audience, I’ve included a few choice excerpts from the HTTP headers below. The attack is designed to bounce users back and forth across multiple domains, including two URL shortening services. Considering the attack required the registration of multiple domains, the creation of spoofed Facebook pages, and what had to be a reasonably well-thought out test plan to make sure the whole thing worked, one has to wonder all this trouble was worth it.

Then you remember that Facebook reported one billion monthly active users in October 2012. If even one tenth of one percent (0.1%) of those users fall for this attack, the attackers would be sitting a set of 1,000,000 valid Facebook credential sets, not to mention any ancillary accounts they would be able to compromise with the security questions.

While my first instinct was to report the app to Facebook, I still haven’t figured out how to do so. It would be a HUGE security if Facebook were to provide security-conscious users with a simple, straightforward mechanism for reporting suspicious apps. Just sayin’…

HTTP Header Excerpts

(I know it goes without saying, folks, but I’m going to say it anyway. These URL’s are untrustworthy. Don’t visit them. I’ve inserted space characters in the domain names to nullify the links here in this post.)

  • GET https:// apps. facebook. com/284253081697049/?fb_source=notification&request_ids=106795032831424&ref=notif&app_request_type=user_to_user&notif_t=app_invite
  • POST https:// tinyurl. com/pepek-states-amerika/?fb_source=notification&request_ids=106795032831424&ref=notif&app_request_type=user_to_user&notif_t=app_invite
  • GET http:// unitedstates. aprajitaindia. org//?fb_source=notification
  • GET http:// facebook-com-warning-unitedstates. lydimport. com/notice/?login_attempt/?fb_source=bookmark_apps&ref=bookmarks&count=1&fb_bmpos=2_1/?login_first=1
  • POST http:// kuciang. 5gbfree. com/unitedstates/log_fb.php?login=attempt=1
  • GET http:// bit. ly/UCn1G0
  • GET http:// completedata-com. teamoneholding. com/update-security-info.php

 

UPDATE 1 (2013-01-16): I received another request this morning from a similar app, this one named Updates FBData Security. This app appears to be a variation of Updates Data Security Use Policy, using the same landing page to dupe users into giving up their credentials.

URL’s for these apps are included below. I’m still looking for a way to report these malicious apps to Facebook. Any ideas? Comments welcome.

  • Updates Data Security Use Policy (https:// apps. facebook. com/284253081697049/)
  • Updates FBData Security (https:// apps. facebook. com/511078398914575/)

 

UPDATE 2 (2013-01-16): Finally found the “Report an App” option on Facebook. Unfortunately, it doesn’t work. Neither app appears in search results, and visiting each app’s homepage automatically redirects users to another domain. Similar issue as Facebook’s broken password reset feature. Clever attackers are building attacks that elude or circumvent the mechanisms Facebook has in place to protect their end users.

I’ve used Facebook for years, and I admire their continual efforts to improve both their security and privacy controls. Their preventative controls are normally effective, but there is definitely room for improvement in their responsive controls.

Facebooktwittergoogle_plusredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *