Areps.at, The New Facebook Phishing Scam (Updated)

Facebook phishing scams won’t seem to go away. Today a new scam appears to be spreading through people’s Facebook inboxes: areps.at. It’s another obscure URL and it’s just like all the other ones that have been spreading around the site. As soon as you log in to the site, it will steal your email and password and then log you into Facebook. Within a short period of time the system will automatically switch your password and block you from the site.

It then goes on to send the same URL to all your friends. Whoever is behind the scam has been steadily amassing a large number of email addresses and passwords over the past few weeks. Some days as many as three scams will spread throughout the site (possibly even more). Facebook rapidly shuts down all references to the site, but by then the scam has spread to thousands of users.

It’s only a matter of time before similar scams pop up, and given that these appear to be identical to all the others, the scammers behind this dirty trick are most likely collecting hundreds of thousands if not millions of emails by now. Facebook has been in a full-fledged war with spammers and hackers and this is only the latest round of that battle. Over the coming weeks and months you can pretty much guarantee that we’ll see more of them.

While the most recent scams are not like the versions seen years ago on MySpace, there is clearly bad intent behind the scams. So far the majority of the scams do not result in actual viruses on a user’s computer but you can assume that these new scam “worms” will most likely result in something malicious at some point. Whatever the scammers are looking to accomplish, they have been extremely effective at defeating Facebook’s spam prevention system.

Update
I just received another email with a link to bests.at, another scam site. And another site now: kirgo.at. Another at nutpic.at.


Comments (40 Responses)

Anthony J. Biacco - May 21st, 2009 at 12:14 pm

I’ve seen this scam today for the site areps.at.
When you go to areps.at in IE it downloads (without any confirmation) a ker.exe file which goes in your C:\Documents and Settings\\Local Settings\Temp directory.
It then runs this in a command prompt window, and then pops up a Close/Ignore box, and then (even if you clicked Close), installs 2 more exes. One is ld08.exe (found in c:\windows and hidden), the other is random. I’ve seen pp10.exe and c.exe (both in C:\windows and hidden).
It also runs these exes immediately (check your task manager) and puts them in your startup list (registry - HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
I’ve found that if you end both exe processes in Task Manager, remove the registry entries, rename or delete the .exe file in C:\WINDOWS, and remove ker.exe in the previously mentioned Temp directory, you should be fine.
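
The comment above ties the infection to executables dropped directly in C:\WINDOWS and registered under the HKLM Run key. As an added example (not part of the original comment), the Python below triages saved `reg query` output for such entries; the sample output, its value names and the `%TEMP%\sample.exe` entry are constructed, and the Temp check goes beyond what the comment reports.

```python
import ntpath
import re

# Constructed `reg query` output for the Run key. Value names and the Temp entry
# are invented; ld08.exe and pp10.exe are the file names given in the comment.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    value_a    REG_SZ    C:\WINDOWS\ld08.exe
    value_b    REG_SZ    c:\windows\pp10.exe
    value_c    REG_EXPAND_SZ    %TEMP%\sample.exe
"""

VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}REG_(?:EXPAND_)?SZ {4}(?P<data>.+)$")

def command_target(data):
    """Return the executable path of a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return match.group(1) if match else data

def review_reason(path, windows_root=r"c:\windows"):
    """Heuristic only: flag an .exe sitting directly in the Windows root or in Temp."""
    p = path.lower().replace("%windir%", windows_root).replace("%systemroot%", windows_root)
    folder, name = ntpath.split(p)
    if not name.endswith(".exe"):
        return None
    if folder == windows_root:
        return "exe directly in Windows root"
    if folder in ("%temp%", "%tmp%") or folder.endswith("\\temp"):
        return "exe in a Temp directory"
    return None

def triage(reg_output):
    """Return (value name, target path, reason) for every Run entry worth a look."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        target = command_target(m.group("data")) if m else ""
        reason = review_reason(target)
        if reason:
            findings.append((m.group("name"), target, reason))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_REG_QUERY), sep="\n")
```

A hit is a prompt to inspect the file, not a verdict: legitimate programs also live in the Windows root.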

Thank you for that information. I just got that mail too.. and I have distributed your information to some of my friends already..
Hope they know about this before logging in on that web!

Facebook User - May 21st, 2009 at 12:40 pm

So no solution? Why would any of us feel safe on FB then?

kirgo.at

John Phillips - May 21st, 2009 at 12:44 pm

I just got one directing me to (DO NOT click on this) “kirgo.at”.

So I didn’t open this site, but I got the message. Also, it sent messages to my friends. I now can’t log into Facebook. It says my username and password are invalid! Is there a way I can get this back?

Solution? Change the password before this thing does it for you?

Anthony J. Biacco - May 21st, 2009 at 12:58 pm

This could just as easily come through Yahoo mail, a Google search suggested-link, Outlook, the list goes on. It’s not Facebook’s fault. It’s a simple email message with a link in it. It’s the areps.at website (which has nothing to do with Facebook) that’s doing the damage.
If you want to be safe, run anti-virus software, don’t click on links in email messages that look ‘off’, use Firefox versus IE.

When I attempted to copy this article into an e-mail “response to all” (upon receipt of a bogus “areps.at” message), I get a Facebook pop-up which says that a user has reported some of this article’s text as offensive. Find that user and you might find the source of this phishing scheme.

I changed my login email and password as soon as I found out what it was, and so far I’ve stopped sending the link to the phishing site and I’m still logged in. Hopefully this works. Just putting out a possible solution. Good luck everyone.

rick valderrama - May 21st, 2009 at 1:17 pm

The number ONE rule to always follow is don’t click on any links someone sends you via message or email unless you KNOW them, and even then ALWAYS pay attention to your address bar! They can fake the page but not always the URL.

Doesn’t the risk extend to your email account as well???

If you enter your email address and password — and happen to be using the same password for both FB and email, as a lot of people do — this means the scammers now have access to your email account too. They can change your password there, and lock you out of that as well. If you were lame enough to be suckered by this scam in facebook, I suggest you change your email password immediately to protect yourself there.

just got a nutpic.at - it seems to be changing rapidly. I’d be so bold as to suggest that you shouldn’t follow anything with an .at at the end, frankly.

Facebook User - May 21st, 2009 at 1:45 pm

I received the same message with nutpic.at…

John Phillips - May 21st, 2009 at 1:46 pm

Hmm…just got another one, “nutpic.at”. (I recommend not clicking on this/going to this site either).

Brunga.at is another one.

I got the nutpic.at one. I googled it at the same time tho, and as soon as I saw it was dodgy, I changed my FB password straight away. I seem to be able to log on still, but I’ve received 2 such messages since from other friends.

Jane Carnall - May 21st, 2009 at 2:07 pm

I did click on the link - but got a Blocked Gateway page, suggesting that Facebook was already on to it, I hope…

“As soon as you login to the site, it will steal your email and password and then log you into Facebook.”

As soon as you login into what site? Come on, man, help us out here. You have to follow the link for it to steal your info, right?

Thanks for the update. No reason to panic about Facebook though. Phishing is standard on all social networking sites and the Internet in general. People just need to train themselves to never click on just a link blindly, even if it does look like it’s from a friend.

One more with “Check brunga.at”

All the sites bests, fcoder, nutpic . at are hosted on the same machine,

213.182.197.2

Some more over here.
http://anshprat.wordpress.com/2009/05/21/areps-at-kirgo-at-phishing-attacks-on-facebook/

I clicked the link, seems as if nothing happened.. should I do anything else? Change ALL my passwords or only the Facebook one? Download some anti-worm thing or something?

All the sites just went down. Cold and out. Though it’s still pinging.

My virus protection, “Avast” (free home version) caught the worm and wouldn’t let the site open on my computer. I guess I was lucky.

I got the brunga.at too, and cannot login.

If you’ve already clicked on the link I’m not sure but I have a suggestion: change your email passwords immediately, from another computer than the one you clicked on the link from. If you have a Virus, it might log your password change. Don’t use any applications especially email or anything that requires a password on your infected computer until you’ve eliminated the Virus. It may not be as drastic as all that but then again better safe than sorry.

royalnonesuch - May 21st, 2009 at 5:58 pm

Mike V wrote:
“I get a Facebook pop-up which says that a user has reported some of this article’s text as offensive. Find that user and you might find the source of this phishing scheme.”
-
No, that would lead you to the first person who reported this to Facebook as being a phishing scheme. That user is the good guy. Why would the bad guy report his own message as being offensive?

rick valderrama wrote:
“The number ONE rule to always follow is don’t click on any links someone sends you via message or email unless you KNOW them…”
-
Nope. I received mine from a known friend. I’m sure he didn’t send it, but unfortunately he may have clicked on the link and infected himself.

The idiot who keeps blaming IE is an idiot. This has nothing to do with the browser. Please learn before posting.

Thanks, Anthony, for the info. I use AVG (paid edition) & side stepped this…thankfully. Also, the advice to not open if it’s coming from someone you don’t know isn’t quite accurate (no offense to the poster). Mine came from 2 different people I do know and completely trust as this is sending out automatically. One friend caught what was going on & posted to alert & is probably a mutual friend to the other so he would have seen her post. Also, I use Google Chrome. Some of the best advice is to not click on anything ending in .at.

The really scary thing is, for some people, seeing the .at address is a deterrent. What if they used a url shortener address instead (which people are used to clicking blindly and not re-scrutinizing the url). I’m sure clickthru rates would be much higher.

I don’t know about everyone else, but whenever I get a short message from someone that is uncharacteristic, or whenever I get a message telling me to go to some site I’ve never heard of with NO prefacing, or explanation, I will immediately assume it is some sort of scam. You will always get these from your friends if your friends are clicking on them. That’s how they propagate: by sending themselves to every friend the person has. Instead, if it seems fishy (any URL-shortening website is fishy, and any website ending with something nonstandard is fishy) don’t click the link! Even if the link seems okay, like it connects allegedly to facebook or something, hover over it with your cursor to see where it directs you. It’s VERY easy to say “click this link” and make it look like it goes somewhere else. For instance, this little bit of code looks like it goes to youtube.com but instead goes to google.com. And I’m not even an insidious hacker or anything. youtube.com

Firstly, I want to reiterate the question posted by jfish above - Do you have to actually login (as in enter your username and password into a text box) to the evil website linked to in the dodgy message in order for it to hack your FB account? Or can the malicious code described by the first comment obtain your password from a cookie or something without your help?

Secondly, about this article being reported as offensive - it’s *this* article - not the spam email - that’s been reported as offensive. It would make sense for the evil guy to report it as offensive to stop people finding out about the nature of his evil doings. If it’s actually just the *.at addresses that have been reported as offensive and Facebook is banning this page because it contains certain words then that’s a bit dubious. If I report the word Microsoft as offensive does that mean they will block any page with that word in too?

Thirdly, if the first comment is correct about IE downloading and running .exe files without asking the user if they really want to do that, then that is a massive security flaw in IE. No browser should do that. Ever. Even if the user has set their security preferences to the lowest setting.

It upsets me that people do stuff like this, do they not have anything else better to do with their time other than program spyware, virii and worms?

It modifies your hosts file too I think. I found 3 redirecting entries in c:\windows\system32\drivers\etc\hosts file. Take them out as well if they are there. Not 100% sure if it was this virus that caused it.

Look out for this one too: dynasale.be

Why don’t you guys email your friends asking them to start any email with a certain phrase or a piece of information that can’t be put into the email by an automated system? Then you don’t even need to open the bad mail, because (on FB at least) you see the first bit of an email without opening it.

Is this a PC/Windows specific problem, or are Macs (OS X) affected too?

The most recent scam is not ending in “at” but the letters “be”. Is this the same scam or something entirely different?

You may try WOT and NoScript extensions for Firefox as a safeguard. They can handle any malicious sites and scripts to some extent, and always warn you even before entering the scammers. I hope they can handle those scammers as well.

I am not addicted to Facebook. I hardly log into my account in the last half a year, probably once or twice. So I think I am even safe :)
