The Latest in IT Security

Admiral James Stavridis is under the spotlight of the social media stage since an anonymous phishing attack was launched on Facebook a few days ago using a fake version of his profile. It seems this is a good time to meet this commander (at least on-line), hence we did a simple study on his official Facebook page at: http://www.facebook.com/james.stavridis?sk=info

After logging in and searching for his name, we landed on his main page. A stylish military profile picture and many posts about his recent comments and visits. Everything seems very legit until we saw an app suggestion with an empty icon on the top right.

(click for larger image)

We click the promoted app to see what’s going on. The link brought us to an blank Facebook app page and then quickly redirected us to a non-Facebook url with a copycat Facebook login portal page. A Facebook account phishing website!!!

(click for larger image)

The phishing url is bed.funnypictureland.com, and whois check shows it was registered in CA on Feb 17, 2012. We found at least two phishing apps for this case:

[http]://apps.facebook.com/173881296059145/?ref=games_ego

[http]://apps.facebook.com/238028826286401/?ref=games_ego

This is a very popular trick to steal a user’s account, and has been rampant for some time. We are not sure what exactly these hackers will do with stolen accounts, but one possibility might be posting spamming comments or phishing app on their friends’ walls and photos. The victims will not notice their spamming behaviors until their friends tell them. See this example for an victim.

(click for larger image)

One important thing to clarify, this app promotion by Facebook may not be related to the page content that a user landed (Admiral Stavridis sure has nothing do to with this app), but based on the installed applications of the viewer. Our testing account did visit several “noisy” and “spreading” apps that show lots of ads on their app home pages, like http://apps.facebook.com/myquizz-lwgdvkthql , http://apps.facebook.com/bestieeev-sfcjrnzkcd. Many of these apps are created by “app auto-creating” apps which all have an easy 3-clickable-steps to create new apps.

It seems that Facebook allows an app or a Facebook page to automatically redirect to non-Facebook urls without any restrictions. On the bright side, other regular websites receive benefits from Facebook traffic; while the dark side is: social users live in Facebook walled garden for so long, and they simply trust everything that Facebook redirects to, leading to much higher chances to be tricked by spamming apps and pages.

Updates (03/15/2012 13:28 EST): Admiral James Stavridis’s Facebook page has just changed to timeline, so you might not be able to see app promotion on the side. But the two phishing apps are still available.

by Jason Ding, Research Scientist