Facebook Among Top Phished Web Sites

A colleague today called my attention to a phishing scam targeting Facebook users that is apparently getting some digital ink from Twitter users and various blogs. I figured this was as good a time as any to note that Facebook is and has been for some time one of the brands most frequently targeted by scam artists, right up there with some of the world's largest banks.


According to Phishtank, a community-based site that tracks phishing Web sites, Facebook was the seventh most-phished brand in March -- even ahead of the Internal Revenue Service, and that was during tax month! In fact, Phishtank found at least 104 phishing Web sites targeting Facebook users, or an average of three different Facebook phishing campaigns each day.

Why on Earth would cyber crooks want to hijack your Facebook profile? Why, to trick your friends into visiting sites that try to download malicious software, of course.

One of the most common ways people get phished is by clicking on a link that takes them to a page that mimics the Facebook login page. Users can avoid this by clicking on a bookmark for the login page, or by typing the address into a browser window themselves.


If you want to take advantage of a neat security feature built into Facebook, add an "s" to the usual URL you use, so that it begins with "https://" rather than "http://". By visiting this link, you should notice that the address bar turns from the usual white to green. This indicates that the site you are visiting has obtained an extended validation (EV) certificate.

EV certs are a technology for helping consumers verify the legitimacy of commercial Web sites. They cost quite a bit of money to obtain, and require the requesting entity to go through an extensive investigation to prove they have the rights to a given Web site name.

Note to Facebook: If you want to reduce the number of your users who fall for these phishing scams, educate users to log in at the https:// address, and to look for the green address bar.
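The column's two pieces of advice (reach the login page by a trusted route rather than a received link, and insist on the https address) can be turned into a simple link check. The following is an added example, not code from the column or from Facebook; the legitimate domain is an assumed constant, and the sample URLs are constructed.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Assumed legitimate login domain for this example (not taken from the column).
LEGIT_DOMAIN = "facebook.com"


def host_matches(hostname: str, domain: str) -> bool:
    """True only if hostname is `domain` itself or a real subdomain of it.

    A plain substring test would accept 'facebook.com.example.test' or
    'notfacebook.com', both common look-alike patterns in phishing links.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def check_login_link(url: str, domain: str = LEGIT_DOMAIN) -> List[str]:
    """Return the reasons a link should NOT be trusted as the real login page.

    An empty list means the link points at the legitimate domain over HTTPS.
    """
    problems: List[str] = []
    parts = urlsplit(url.strip())
    # 1. The column's advice: the real site offers https, so insist on it.
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    # 2. A user-info component ('realname@otherhost') puts the familiar name
    #    before the '@'; the browser actually connects to what follows it.
    if parts.username is not None:
        problems.append("URL contains a user-info component before the host")
    host = parts.hostname or ""
    if not host:
        problems.append("no host name in URL")
        return problems
    # 3. A bare IP address is never the legitimate branded site.
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address, not a domain name")
    except ValueError:
        # 4. Suffix match on the registrable domain, not a substring match.
        if not host_matches(host, domain):
            problems.append(f"host {host!r} is not {domain} or a subdomain of it")
    return problems


if __name__ == "__main__":
    for link in ("https://www.facebook.com/login.php",
                 "http://www.facebook.com/",
                 "https://www.facebook.com.account-verify.test/login"):
        print(link, "->", check_login_link(link) or "ok")
```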

By Brian Krebs  |  April 29, 2009; 5:55 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings  | Tags: ev certs, facebook, phishing, phishtank  


Even better than instructing users to use https:, they should instead immediately redirect users to https: when they arrive.

Posted by: Annorax | April 29, 2009 8:22 PM | Report abuse

@annorax -- I did find when I examined their login process that Facebook does what Hotmail and other major sites do, which is it appears to accept your username and password in plain text, but it actually encrypts the session before it sends the data to Facebook's servers. After the user is logged in, he/she is placed back into an unencrypted, http session.

I wonder if Facebook will ever offer users the option to remain in an https:// session if they choose to do that, as Google has done with Gmail. I suspect they will, eventually.

Posted by: BTKrebs | April 29, 2009 8:44 PM | Report abuse

Facebook apps are the biggest security hole; is also not covered by their EV cert.

Posted by: MaxH | April 30, 2009 9:37 AM | Report abuse

I just received a notice from an apparent phished account that directed me to a particular web site (I'll send it to you directly Brian).

Posted by: Annorax | April 30, 2009 11:03 AM | Report abuse

It's interesting that among the major banks, I find only one (BOA) that uses EV certificates.

Posted by: moike | April 30, 2009 1:28 PM | Report abuse

This is a comment I received from a reader named Rueven:

This was exactly my experience. Another cleanup need I discovered was that my Yahoo email out-of-office function had been activated and the shopping advertisement was automatically going out to anyone who sent email to my account.

Thank you very much for your column on this problem. In addition to the problem itself, there is a typhoid-Mary kind of stigma associated with being the unwitting source of spam, particularly when it goes out to people who don't know you well. They see you as IT-unhygienic or, worse, trying to sell them something. Your column helps clarify that even people with good security and antivirus programs can be victimized in this way.

Posted by: BTKrebs | April 30, 2009 2:43 PM | Report abuse

It's interesting to see the transition of phishing schemes from more of a email based attack, to what we're seeing today with Web based social networking exploits.

We just released a report on Web site categories often exploited by phishing and malware on our security blog section, and notice how social networking is slowly creeping up the ladder on the phishing chart. It's probably only a matter of time before we see social networking as a mainstay on the malware chart as well.

I agree with the comment above that Facebook themselves should do more to both educate users, and to regulate the content posted on their site.

Posted by: CP3O | April 30, 2009 3:15 PM | Report abuse

I got hit by one of these today. The lesson learned is I'm not going to click on any applications or links from facebook anymore.

Posted by: ideallydc | April 30, 2009 3:33 PM | Report abuse

The only problem with your advice about changing Facebook's URL to https is that the second I login it reverts to unencrypted http.
Obviously Facebook accepts encrypted logins but not an encrypted online session.

Posted by: Ozexpatriate | April 30, 2009 7:46 PM | Report abuse

@Ozex -- Yes, pity they don't keep you signed in on https with the EV cert displaying after you are signed in. That would be much more secure, you are right.

However, my advice in the column still stands: "Users can avoid this by clicking on a bookmark for the login page, or by typing into a browser window." Follow that advice and you won't fall for these phishing scams.

Posted by: BTKrebs | May 1, 2009 12:05 AM | Report abuse

The best way to get these sites to police their content is to stop using them. If usership drops off (following a contact with them demanding they clean this crap out) it will be noticed. No users no ad viewing etc. No ad viewing no income. No income gets the point across a second time. People get the message to these sites. They can search their content for key words and stop these bas****s in their tracks.

Posted by: VaGent1 | May 1, 2009 2:12 PM | Report abuse


© 2010 The Washington Post Company