Mar 11, 2011 15:40 GMT

A new phishing attack is tricking Facebook users into exposing their login credentials by encouraging them to sign up for a new @facebook.com email account.

Last November the social networking site announced a new messaging platform that merges email, SMS and chat into a single "social inbox."

The new feature is being rolled out in stages and users are expected to receive @facebook.com email addresses.

When the time comes, users who do not yet have a username associated with their account will be asked to choose one; those who already have a username will automatically receive the matching @facebook.com address.

However, scammers are trying to take advantage of the confusion surrounding this new feature by scaring users into believing that their desired name will be taken by someone else.

Security researchers from M86 Security warn that spam messages are circulating that read "Just applied for my own @facebook.com email account. Get one before someone takes your name [link]".

The links take users to rogue pages posing as Facebook apps that display a login form, suggesting that they need to re-authenticate. This is a well-designed scam in which the phishers have put in extra effort to avoid raising suspicion.

Users who enter their login information are then shown a page that really does ask them for their desired @facebook.com email address, and after they provide it they are taken to a congratulations page. By the time the victim sees this, the credentials have already been captured.

The M86 experts point out that all these pages are hosted on compromised legitimate websites. Phishers prefer these because they are harder to take down and can be used for longer periods of time.
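The pattern described above, a Facebook-branded login form served from someone else's compromised web server, is detectable with a simple heuristic: a page that mentions the brand and contains a password field, but is hosted on a domain the brand does not own, or posts the credentials to such a domain. The following is an added example written for this article, not code from M86 Security or Facebook; the two sample pages, the host names (`blog.example.net`) and the `analyze_login_page` function are constructed for illustration, and the domain check is a deliberately crude "last two labels" rule rather than a full public-suffix lookup.

```python
"""Heuristic check for a brand login form served from a third-party host.

Added example, not part of the original article or M86 Security's research.
The sample HTML and host names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Registrable domains the brand legitimately serves logins from
# (assumption for this example: any subdomain of facebook.com is fine).
LEGIT_DOMAINS = {"facebook.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host (adequate for .com-style hosts)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class FormCollector(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry: {"action": str, "has_password": bool}
        self.text = []       # visible text, used for the brand-mention check
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def analyze_login_page(page_url: str, html: str, brand: str = "facebook") -> list:
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    findings = []
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    parser = FormCollector()
    parser.feed(html)
    mentions_brand = brand in " ".join(parser.text).lower()

    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve a relative action against the page URL, as the browser would.
        action_url = urljoin(page_url, form["action"] or page_url)
        action_domain = registrable_domain(urlsplit(action_url).hostname or "")
        if mentions_brand and page_domain not in LEGIT_DOMAINS:
            findings.append(f"{brand} login form served from non-{brand} host {page_domain}")
        if action_domain not in LEGIT_DOMAINS:
            findings.append(f"credentials would be posted to {action_domain}")
        if urlsplit(action_url).scheme != "https":
            findings.append("credentials submitted over plain HTTP")
    return findings


# Constructed sample: a lure page on a compromised third-party blog.
PHISH_PAGE_URL = "http://blog.example.net/wp-content/fb/app.php"
PHISH_HTML = """<html><body><h1>Facebook</h1>
<p>Please log in again to claim your @facebook.com email address.</p>
<form method="post" action="collect.php">
  <input type="text" name="email"><input type="password" name="pass">
  <input type="submit" value="Log In"></form></body></html>"""

# Constructed sample: a login form on the brand's own domain.
LEGIT_PAGE_URL = "https://www.facebook.com/login.php"
LEGIT_HTML = """<html><body><h1>Facebook</h1>
<form method="post" action="https://www.facebook.com/login.php">
  <input type="text" name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_PAGE_URL, PHISH_HTML), (LEGIT_PAGE_URL, LEGIT_HTML)):
        print(url, "->", analyze_login_page(url, html) or ["no findings"])
```

The phishing sample trips all three checks (off-brand host, off-brand form action, plain HTTP), while the legitimate page produces no findings. In practice the host check should use a real public-suffix list, and a brand-mention test this simple is only a triage signal, not a verdict.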

Users are advised that Facebook can alert them via email and SMS when someone logs in to their account from a new computer or device. This option can be enabled from Account > Account Settings > Account Security and serves as a useful indication that an account has been compromised.