Wednesday, June 27, 2012

People Are Still Falling For This Crap?!

I saw a comment on a photo on Facebook that read something like "I saw you in this photo your buddy showed me. (link to what looks like a Facebook webpage) That's pretty jacked up, lol. Did you see it yet?" When you click the link, you're presented with the Facebook log-in page. Okay, you think, no big deal. I'll just enter my username and password, and I'll be logged back in and looking at this 'jacked up' picture in no time!


People are still falling for this crap?



Wait a minute, you didn't actually log out, did you? Well, no matter, you say to yourself. Sometimes that just happens. Okay, take a closer look at that link. It doesn't really look right, does it?


I'm going to show the actual link below, BUT FOR THE LOVE OF GOD, DO NOT GO TO THE WEBSITE! AND IF YOU DO, DON'T ENTER ANY LOG-IN INFORMATION!






Look at that link. The facebook.com part looks normal enough, but what's that at the end? justsomefuns.com... It turns out that when you clicked that link, you were taken to a website called justsomefuns.com. The facebook.com part is just a sub-domain of justsomefuns.com. Whoever owns justsomefuns.com can name their sub-domains anything they like, including "facebook.com", and your browser doesn't care what comes first: the site you actually land on is decided by the last two parts of the name in front of the first slash, and here those two parts are justsomefuns.com.


So what is this justsomefuns.com baloney? Well, if you don't know, you certainly don't want to hand it your username and password for the world's biggest social network, do you?


It turns out that, at the very least, justsomefuns takes your log-in credentials, then *gasp* logs in to your account and posts status updates and comments that contain links to - you guessed it - justsomefuns.com, which is how the comment that started all this reached you, and how the cycle continues.


That is, I guess, somewhat benign, but what else can they do with those log-in credentials? Well, for starters, they can sell them. And since you were already stupid enough to hand over your log-in info once, you're a good mark for the next trick: convincing you to grant some app access to your account (a Farmville look-alike, say), or (a bit of a throwback to the 90s) getting you to install a "codec" or "driver" to watch a video of a celebrity semi-nude dancing on a table at Starbucks. What you're actually installing is malware, a rootkit if they're thorough, that gives them access to your computer and to whatever is stored on it. Think embarrassing files, saved passwords, and log-in credentials for your bank or credit cards.


Hello virus, goodbye money.


Taking a look at the attack vector website.


It looks a lot like Facebook.com, doesn't it? 

A cursory glance at the source code reveals some tell-tale signs that this is a duplicate website.


What?


Okay, sorry if that was too technical. Right-click somewhere on the page and select "View page source". (The wording differs between browsers, but if you see an option with "source" in it, that's the one you need.)


Here's what I found:




See that red arrow? It points at a comment on the first line of the source saying that this webpage was saved from Facebook's log-in page. (Internet Explorer writes a comment of exactly that shape, "<!-- saved from url=(NNNN)address -->" with NNNN being the length of the address, at the top of any page you save to disk with Save As. Whoever built this copy saved the real page in their browser and uploaded it to their own server.)

If it was saved from the log-in page, then, logically, it cannot be the log-in page. Think of it this way: if you make a copy of a key, you are copying the original key or copying a copy of the original, but the copy has to come from somewhere, and the original key is not a copy. By the same line of reasoning, if what you're looking at is a copy, "saved from" the original, or a copy of a copy, or anything of the sort, then it is not the original!


How about a less technical way to verify that you're logging into Facebook? Okay, well, if you're logged in to Facebook, browsing around, making comments, looking at pictures of cats and telling Chuck Norris jokes, and then, out of nowhere, you're asked to log in again, DON'T!


Instead, do the following: in the very same window (or tab) that is displaying the log-in screen, type this address into the address bar: https://www.facebook.com/ That is Facebook's secure log-in page. You can dissect the URL if you want some reassurance. https stands for Hypertext Transfer Protocol Secure, which is ordinary HTTP carried over an encrypted connection and is the de facto way to deliver anything sensitive on the internet. The :// marks the end of the protocol name. www stands for World Wide Web and is in many cases superfluous, but type it in to be sure you land on the same page. facebook is the domain name, and .com is the top-level domain, so everything between the :// and the next / is www.facebook.com and nothing else. One caveat: the padlock or the https on its own does not prove you're on Facebook, because a scammer can get a certificate for justsomefuns.com as easily as anyone else. What proves it is the name in front of the first /: it has to end in facebook.com, with nothing after that but the slash.


Now that you've logged-in to the real Facebook, hit the back button until you find the page that wanted you to log in again, and refresh (press the F5 key) the page. If, after refreshing, it still wants you to log-in, chances are it's not really Facebook at all!
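Here is the URL dissection and the "saved from" check above turned into a short script, so you can run the same three tells (what domain a link really lands on, whether the page source carries Internet Explorer's "saved from" comment, and where the page's log-in form actually posts) over a link and a copy of the page source. This is an added example written for this page, not code from the original post or from Facebook. The hostname facebook.com.justsomefuns.com, the sample page source and its form action are constructed (the post did not reproduce the actual link or HTML), and the "last two labels" rule for the registered domain is an assumption that holds for .com and .ru but would need the Public Suffix List for suffixes like co.uk.

```python
import re
from urllib.parse import urljoin, urlsplit

# Internet Explorer's "mark of the web": the comment IE writes on the
# first line of any page saved with File > Save As. The number in
# parentheses is the length of the address that follows it.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d+)\)(\S+?)\s*-->", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", re.I)

# Constructed sample (not the scam page's real HTML): a login page saved
# by IE, re-hosted on the scammer's domain, whose form posts to that domain.
SAMPLE_LINK = "http://facebook.com.justsomefuns.com/"   # assumed shape of the link
SAMPLE_SOURCE = """<!-- saved from url=(0025)https://www.facebook.com/ -->
<!DOCTYPE html>
<html><head><title>Welcome to Facebook - Log In or Sign Up</title></head>
<body>
<form action="http://facebook.com.justsomefuns.com/login.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
</body></html>
"""


def registrable_domain(url):
    """The last two labels of the hostname, i.e. the part somebody actually
    registered. Everything in front of it (sub-domains) is chosen freely by
    that registrant, which is the whole trick in facebook.com.justsomefuns.com.
    Assumption: two labels suffice for .com/.ru (not for co.uk and friends)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_real_facebook(url):
    """True only when the registered domain is facebook.com itself. Text in
    the path, in the user@ part, or in a sub-domain does not count."""
    return registrable_domain(url) == "facebook.com"


def saved_from(html):
    """Address named in an IE 'saved from url' comment, or None. A login
    page that was saved from somewhere is by definition not that page."""
    m = MOTW_RE.search(html)
    return m.group(2) if m else None


def credential_sinks(html, page_url):
    """Registered domains the page's forms submit to, with relative actions
    resolved against the page's own address. For a real log-in page this
    should contain only facebook.com."""
    return sorted({registrable_domain(urljoin(page_url, a))
                   for a in FORM_ACTION_RE.findall(html)})


def triage(link, html):
    """Summarise the three tells for one link and the source it led to."""
    return {
        "lands_on": registrable_domain(link),
        "real_facebook": is_real_facebook(link),
        "saved_from": saved_from(html),
        "credential_sinks": credential_sinks(html, link),
    }


if __name__ == "__main__":
    for link in ("https://www.facebook.com/", SAMPLE_LINK,
                 "http://facebook.com@justsomefuns.com/",
                 "https://justsomefuns.com/facebook.com/login"):
        print(f"{link:50} lands on {registrable_domain(link):20} "
              f"real: {is_real_facebook(link)}")
    print(triage(SAMPLE_LINK, SAMPLE_SOURCE))
```

Note that the user@host form and the "facebook.com" in the path are handled by the same rule: urlsplit strips the user part off the hostname, and only the host in front of the first slash is ever looked at.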


Epilogue

So what about this justsomefuns website? I did a little snooping and found that it is hosted by the Russian internet service provider CityTelecom.ru, which claims to offer "Serious solutions for serious people." (citytelecom.ru). Now I'm sure our friends over at CityTelecom.ru have nothing to do with the scam, but we know that Facebook is not based in Mother Russia, nor does it use CityTelecom.ru to connect its massive server farms to the glorious intertubes.