Ineffective phishing warning

Jul 2, 2010 07:39 GMT  ·  By

A new scam circulating on Facebook is tricking users into disclosing their email credentials by falsely claiming they won a special gift from Zynga. Facebook's attempt to block the offending page has partially failed.

Christopher Boyd, a security researcher from antivirus vendor Sunbelt Software, warns that some Facebook users might end up on a page claiming that they've won a large sum of money as part of a Zynga campaign. Zynga is a company developing some of the top Facebook applications, including FarmVille, the most popular game on the social networking platform.

The rogue page masquerades as a legitimate request for basic private information from a legitimate application called Texas HoldEm Poker. A modal window reading "Welcome to Winner's Circle. You just won $200,000,000 from Zynga Special Gifts" pops up and is brought into focus via a dimming effect applied to the original page.

The pop-up can be very convincing, especially to the large number of users who play Zynga's games, where announcements and alerts are displayed in a similar fashion. Clicking on a big checkmark button to claim the prize replaces the content of the window with a form asking for an email address, a password (requested twice) and a code.

"Please complete your account data. As proof you are the legitimate Winners!" the attached instructions read. "I've no idea what the Code is all about, but entering your data into the box and hitting the 'Claim Gifts' button sends your login to the phisher," the Sunbelt security researcher notes.

It seems that Facebook has already detected this scam and tries to warn users about it, but only with limited success. Accessing the original page now should present users with a password reset form, which reads "The website that directed you here was not a Facebook page. If you entered your Facebook information on the previous site, you will need to reset your password."

As Christopher Boyd points out, the window with the prize claim still pops up, partially covering Facebook's warning. This means that users will see the instructions to change their password only after they have already been phished, and only if they pay enough attention.

You can follow the editor on Twitter @lconstantin

UPDATE: Corrected an error where Mr. Christopher Boyd was unintentionally presented as a security researcher at Sophos instead of Sunbelt Software.

Photo gallery (2 images): "Zynga Special Gifts money prize is a scam"; "Scam pop-up covering Facebook phishing warning".