Users are lured to a phishing site and tricked into installing Bitcoin mining malware

Dec 12, 2013 10:14 GMT

Cybercriminals are using a clever trick to attract Facebook users to a phishing website. The attack starts with a Facebook post that attempts to lure users to a Tumblr site.

The message identified by ISC reads something like this: “2 days ago 2 guys tried to steal my brother’s car. Does anyone know them? Here are the pics [link to Tumblr site].” This is just one example; other variants have been spotted as well.

The Tumblr links can also differ from one post to another. However, experts say the name of the page is always two or three random English words. At the end of the URL, the phishers have added a few random characters.

When victims click on the links, they’re redirected to a well-designed Facebook phishing page. Here, they’re instructed to log in with their username and password, and hand over their secret question and its answer.

The phishing site is hosted on a .pw domain. However, to increase their chances of success, the attackers have created several subdomains. To the more inexperienced users, it might look as if they’re on facebook.com, when they’re actually on a domain like facebook.com.noxxps.pw.
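The trick described above works because people read hostnames left to right, while ownership is decided by the right-most labels: in facebook.com.noxxps.pw the registrable domain is noxxps.pw, and "facebook.com" is just a pair of subdomain labels the attacker chose. The following helper, written for this article as an added example (it is not code from ISC, Malwarebytes or the original report), makes that distinction explicit and flags hosts that spell out a brand's domain without belonging to it. It assumes, as a simplification, that the registrable domain is the last two labels of the hostname; a production check would consult the Public Suffix List to handle suffixes such as co.uk. All sample URLs other than the .pw host quoted in the article are constructed.

```python
"""Tell a genuine facebook.com host from a subdomain-lookalike phishing host.

Added example for this article, not code from the original page.
Assumption: the registrable domain is the last two hostname labels
(ignores multi-label public suffixes such as co.uk).
"""
from urllib.parse import urlsplit


def registrable_domain(hostname: str) -> str:
    """Return the right-most two labels, e.g. 'noxxps.pw' for
    'facebook.com.noxxps.pw' (assumed simplification, see module docstring)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def classify_url(url: str, expected_domain: str = "facebook.com") -> str:
    """Classify the host of `url` relative to `expected_domain`.

    Returns one of:
      'genuine'   - host is expected_domain or a real subdomain of it
      'lookalike' - host contains expected_domain's labels but is owned by
                    some other registrable domain (the trick in the article)
      'other'     - unrelated host
      'invalid'   - no hostname could be parsed
    """
    # Accept bare hosts such as 'facebook.com.noxxps.pw/login' by
    # supplying a scheme, otherwise urlsplit treats the text as a path.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    host = host.rstrip(".")
    expected = expected_domain.lower().rstrip(".")

    # Genuine: exact match or a suffix match on a label boundary.
    if host == expected or host.endswith("." + expected):
        return "genuine"

    # Lookalike: the brand's labels appear somewhere in the host, but the
    # suffix test above failed, so the registrable domain is someone else's.
    labels = host.split(".")
    exp_labels = expected.split(".")
    for i in range(len(labels) - len(exp_labels) + 1):
        if labels[i:i + len(exp_labels)] == exp_labels:
            return "lookalike"
    return "other"


if __name__ == "__main__":
    # The .pw host is the one quoted in the article; the rest are constructed.
    samples = [
        "https://www.facebook.com/login",
        "https://facebook.com.noxxps.pw/login.php",
        "www.facebook.com.noxxps.pw/",
        "https://example.org/",
    ]
    for sample in samples:
        verdict = classify_url(sample)
        owner = registrable_domain(urlsplit(
            sample if "://" in sample else "http://" + sample).hostname)
        print(f"{verdict:9} owner={owner:22} {sample}")
```

Reporting the registrable domain alongside the verdict is deliberate: a user who is told "this page is owned by noxxps.pw, not facebook.com" has a concrete reason not to type a password, which a generic "suspicious link" warning does not give.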

The attack doesn’t end after the user’s credentials have been phished. The victim is taken to a bogus YouTube page where he/she is asked to download a Flash Player update in order to watch a video.

This particular website was analyzed by researchers from Malwarebytes earlier this week. The supposed Flash Player update is actually Bitcoin-mining malware.

If you come across posts such as the one described above on Facebook, don’t click on the links. If you’ve just realized that you are a victim of this scam, change your Facebook password (and all other passwords if you’ve been using the same one) immediately.