We’ve seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.
Here’s a typical message:
hello have you seen this recent video on the president? What is he doing in it?! LOL
or
What's the president doing in this video. OMG LOL!
Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with “.co.cc” contain “bad stuff”. Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.
And what sort of name is hzjqorbbmdnf anyway?
Regardless of the dodgy-looking nature of the link – what happens if you click on it?
Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it’s a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they’ll type in their credentials without thinking.
Here’s the fake login page:
And here’s Facebook’s genuine login page:
Did you spot all the differences?
Here’s the ones I found – well done if you spotted even more!
Starting at the very top –
1. The genuine login page calls itself “Log in” in its title bar. Amusingly, the real Facebook is inconsistent as to whether you “Log in” or “Login” to Facebook as later in the page it refers to “Facebook Login”. It’s odd to see a phishing page be more professional than the real thing.
2. That’s clearly not Facebook’s genuine URL. Interestingly, other pages on the domain contain clickjacking scams.
3. The real page gives me more language options – including UK English and Welsh which aren’t available on the phishing page. It’s possible that the real Facebook is doing some GEO-IP lookups and determined that I’m visiting from the UK – maybe users in other countries don’t see those options.
4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.
5. There are many more link options made available to me in the footer of the real login page, including “Badges”, “Mobile”, “People”, etc.
There’s bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.
If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.
Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.
