Facebook Slammed by Dual Phishing, Malware Scam

Facebook is exceptionally popular, and with all of that fame comes plenty of trouble.

Scams are hardly new to the social networking site, and now it Facebook faces one of its most serious yet: a phishing routine that threatens to infect user computers with malware.

The scam, which started nailing Facebook users yesterday, goes something like this: a member receives a message from a friend packing a link, usually with the subject line "Hello" or "areps.at" or other addresses ending with ".at". Those who click on that link will be sent to a website asking for their login information, which is then stolen by the culprits. (Source: go.com)

Drive-by Download

However, what makes this particular scheme even worse than the average phishing scam is the fact that it also secretly uploads malware onto an unsuspecting user's computer. This kind of attack is well known by security experts, who call it a "drive-by download."

The URLs, or addresses, were pretty convincing before Facebook blocked them. According to reports, they resembled other Facebook pages, making it likely that users would go ahead and enter their email addresses (or login) and password, the usual process for logging on to Facebook.

However, this nasty scam actually steals the user's information, changes their password, and then sends the same "Hello" or ".at" malware-laden message to each of that user's friends.

Get Koobface on Facebook

The malicious web sites are, according to sources, capable of infecting computers with either the Koobface worm or Trojan.BHO.

Although this is just one in a series of similar attacks, Facebook is not convinced the problem should prevent users from visiting the site.

"The impact of this attack or the previous ones are not widespread and only impacted a tiny fraction of a percent of users. We've been updating our monitoring systems with information gleaned from the previous attacks so that each new attack is detected more quickly," said company spokesman Barry Schnitt. (Source: cnet.com)

In other words, users have become guinea pigs in Facebook's effort to learn phishing strategies and prevent future attacks. This is hardly comforting words for Facebook fans.