Phishers’ Fake Security App for Facebook

Contributor: Avdhoot Patil

Fake social media applications in phishing sites are not uncommon. Phishers continue to devise new fake apps for the purpose of harvesting confidential information. In December 2012, a phishing site (spoofing Facebook) claimed to have an application to secure Facebook accounts from being hacked. The phishing site was hosted on a free Web-hosting site.

The phishing site required users to enter their Facebook login credentials to gain access to the fake security app. In addition to their Facebook login credentials, users must enter a confirmation code generated by clicking a button. Phishers likely believe asking users to enter a confirmation code and stating that it is certified while displaying a fake Facebook stock certificate will make this fake app page seem more authentic. Still, it is hard to understand how a sample stock certificate has any relevance to security on Facebook.
 

Figure 1. Fake app requests user login credentials with Facebook stock certificate
 

Even though these tricks may add some air of authentication to this phishing page, the phishers still do a poor design job: the confirmation code generated here, for instance, is always “7710” for any number of attempts.
 

Figure 2. Fake app requests 7710 confirmation code
 

After the user enters the code, the phishing site confirms the request to access the app with the message "Thank you For using this Service" and further claims "Your Facebook account will be secure in 24 hours time".
 

Figure 3. Fake app confirms installation
 

Of course, the 24 hour wait mentioned is just a time-buying strategy to avoid any early user suspicion. If users got this far and fell victim to the phishing site, phishers would have successfully stolen their information for identity theft.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security 2012) frequently
  • Report fake websites and email (for Facebook, send phishing complaints to [email protected])