While scouting the Web for the latest Facebook security issues, I’ve stumbled upon a new Facebook login page, as shown in the below pictures. In fact, it is not surprising that the fake Facebook site still exist as cybercriminals are using it as a phishing attack to steal the users’ login password.

Picture 1:

Normally I won’t show the actual phishing site’s URL name, but hey, it’s far too important to login to your Facebook account by using the real URL, i.e. https://www.facebook.com, not just the similar design as appeared on your browser.

Picture 2:

If you try going to the phishing site mentioned in the above, your Facebook login credentials will be sent to the remote server, i.e. logs.php via HTTP POST, as shown in the below picture. After all, your login details will be saved to their log file for them to use.

However, after you login this fake Facebook account, it will redirect you to a user page of YouTube account called xToxicEclipse’s Channel, which seems to be legitimate.

In addition, the domain name of this fake Facebook page was registered in a Web hosting company in Indonesia called Dijaminmurah.com on September 11 this year…

So be careful if you come across any URL link to this fake Facebook site on your profile’s Wall.

Scammers never give up, although various sorts of phishing scams have been blocked by Facebook. It seemed that the more serious one appears to be the fake email with the malicious “updatetool.exe attachment”, as reported by Webroot, an established security experts on the Web.

This fake email is pretends to be from the Facebook administrators. If the victim chooses to go further, he or she will end up at a spoof Facebook login page which prompts users to reveal his / her Facebook password as well as download the file attachment. The message in the fake email itself claimed that the user’s Facebook profile password was reset. In order to retrieve the password, a user need to download and open the attachment. In fact, the file attachment, i.e. “updatetool.exe” is actually the Zeus trojan, a trojan from the Bredolab family.

If you come across similar email in your inbox, straight away delete the fake email. Never fill in secret information on suspicious sites, other than the Facebook homepage, i.e. https:www.facebook.com and avoid downloading the file attachment shown in below.

There is a new wave of phishing scams that targeted Facebook users for the past few days and probably you’ve heard of this. It started with the phishing sites that registered under .at (Austria) and later the .be (Belgium) domain names. For this purpose, I’ve compiled a list of these phishing sites, and whenever you came across it in your Facebook email messages, do not click on the URL links.

A common trick is that all of these phishing scams start from a Facebook message with an aim to trick Facebook users to click on the URL links. In order to lure users to click on these links, all the subject line of the emails is either “Look at This”, “Hello” or “Check” following by one of the .at or .be domain names listed below.

This wave of phishing scams garnered much attention in Facebook since there are users who fail for the scam, lost their Facebook login details as well as the new cycle continues as the cybercriminals started using their accounts to send emails to their friends.

Picture: Phishing site; noticed that there is no Facebook logo in the header of the site

WARNING: DO NOT click links to the following sites:

Areps.at
Bests.at
Brunga.at
Kirgo.at
Nutpick.at

Atomclub.be
Bestspace.be
Bitclan.be
Databus.be
Dynasale.be
Goldbase.be
Greenbuddy.be
Indigoline.be
Linkteria.be
Mymarket.be
Orangefan.be
Picoband.be
Pinkamigo.be
Redbuddy.be
Redfriend.be
Silvertag.be
Sweeter.be
Vispace.be
Whiteflash.be
Whitemart.be

Nevertheless, the good news is that Facebook has taken action and blocked all of the outgoing links to the aforementioned phishing sites, while Firefox browser has also blocked its users from accessing to the above sites as well.