Friday, 21 September 2012

False Flag Phishing


There is a form of phishing becoming more common on Twitter that is likely to fool even the most suspicious of users. I very nearly fell for it myself.  What stopped me? Unlike me, the person who purportedly sent me the message doesn’t make the sort of spelling mistakes that were in the message.

The message was simple, and from someone who might well send me a Direct Message. It read “Whatt are you doing in this FaceBook vid?” and it had a URL attached. It looked so genuine that I decided to follow the link using my “sacrificial” laptop.  It showed a site that, frankly, looked for all the world genuine.

The URL was actually part of apps.facebook.com, which one could be forgiven for believing had genuine “Apps”.  Sadly, this App is nothing of the sort.  If you put your Twitter login credentials into this App, which you might easily think was sanctioned by Facebook, you’re handing them straight over to someone who will hijack your account. Whilst you are being taken to an App on apps.facebook.com, the App sends you off to a fake Facebook page from which it can glean your Twitter details, your Facebook details, or both.
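The check below is an added example, not part of the original post: it takes a recorded redirect chain and flags a login form served from a host that does not belong to the brand it displays, however trusted the first link looked. The login-host lists, the function names and the sample chain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts where each brand asks for its own password.
LOGIN_HOSTS = {
    "twitter": {"twitter.com"},
    "facebook": {"www.facebook.com", "m.facebook.com"},
}
# Brand-owned host named in the post that serves third-party "Apps".
THIRD_PARTY_CONTENT_HOSTS = {"apps.facebook.com"}

# Constructed sample: a link on the trusted host that forwards off-brand.
SAMPLE_CHAIN = [
    "https://apps.facebook.com/constructed-video-app/",
    "http://video-login.example/twitter/login",
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def assess_chain(chain, brand_shown):
    """Return (is_phish, reasons) for a redirect chain ending on a login form.

    chain: URLs in the order the browser visited them.
    brand_shown: brand whose login form the final page displays.
    """
    reasons = []
    for host in map(host_of, chain[:-1]):
        if host in THIRD_PARTY_CONTENT_HOSTS:
            reasons.append(f"{host} hosts third-party content and does not vouch for the next hop")
    landing = host_of(chain[-1])
    # Exact match only: 'twitter.com.login.example' must not pass as twitter.com.
    is_phish = landing not in LOGIN_HOSTS.get(brand_shown, set())
    if is_phish:
        reasons.append(f"{brand_shown} login form served from {landing or 'an unknown host'}")
    return is_phish, reasons


if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN, "twitter"))
```

The hostname comparison is an exact match on purpose, so a lookalike that merely begins with or contains the brand's domain is still flagged.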

The Direct Messages, apparently from your contacts, come in various forms, but typically refer to you appearing in a video or a picture.  Clearly, as it’s untrue, you know nothing of your “appearance” and are tempted to take a look. The Direct Messages are from your contacts, but sadly that is only because they have fallen for the phishing trick and their account has been compromised.

A quick check on the Facebook discussion boards shows that this type of attack is rising rapidly.  The most recent I have detected, not satisfied with grabbing your credentials, takes you to a page that purports to require a “new YouTube player” to be downloaded.  It doesn’t take long to realise that the URL at which you now sit has nothing to do with YouTube, Twitter or Facebook.  And the download is unlikely to do very much in the way of playing videos.

The use of trusted brands to lead you to sites which will either steal your credentials or, worse still, download malware onto your machine is one of the more insidious forms of social engineering.  We all have a tendency to trust, and we trust certain websites in particular.  However, you must be very careful that these names are not being misused to launch you to somewhere that is far from trustworthy.