Facebook phishing scams won't seem to go away. Today a new one is spreading through people's Facebook inboxes: areps.at. It's another obscure URL, just like all the others that have been circulating on the site. As soon as you log in on that page, it captures your email address and password and then logs you into the real Facebook. Within a short time the attackers change your password and lock you out of the site.
It then sends the same URL to all your friends. Whoever is behind the scam has been steadily amassing a large number of email addresses and passwords over the past few weeks. Some days as many as three scams (possibly more) spread through the site. Facebook rapidly shuts down all references to the site, but by then the scam has already reached thousands of users.
It's only a matter of time before similar scams pop up, and given that these appear identical to all the others, the scammers behind this dirty trick have most likely collected hundreds of thousands, if not millions, of email addresses and passwords by now. Facebook has been in a full-fledged war with spammers and hackers, and this is only the latest round of that battle. Over the coming weeks and months you can pretty much guarantee we'll see more of them.
While the most recent scams are not like the versions seen years ago on MySpace, there is clearly bad intent behind them. So far the majority do not result in actual viruses on a user's computer, but you can assume these new scam "worms" will eventually carry something malicious. Whatever the scammers are looking to accomplish, they have been extremely effective at defeating Facebook's spam-prevention system.
Update
I just received another message with a link to bests.at, another scam site. Two more have appeared since: kirgo.at and nutpic.at.
I've seen this scam today for the site areps.at.
When you go to areps.at in IE it downloads (without any confirmation) a ker.exe file which goes in your C:\Documents and Settings\Local Settings\Temp directory.
It then runs this in a command prompt window, and then pops up a Close/Ignore box, and then (even if you clicked Close) installs 2 more exes. One is ld08.exe (found in C:\Windows and hidden), the other is random. I've seen pp10.exe and c.exe (both in C:\Windows and hidden).
It also runs these exes immediately (check your Task Manager) and puts them in your startup list (registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
I've found that if you end both exe processes in Task Manager, remove the registry entries, rename or delete the .exe file in C:\WINDOWS, and remove ker.exe in the previously mentioned Temp directory, you should be fine.
Comment by Anthony J. Biacco — May 21, 2009 @ 8:14 am
Thank you for that information. I just got that mail too, and I have distributed your information to some of my friends already.
Hope they know about this before logging in on that site!
Comment by Paxton — May 21, 2009 @ 8:29 am
So no solution? Why would any of us feel safe on FB then?
Comment by Facebook User — May 21, 2009 @ 8:40 am
kirgo.at
Comment by anon — May 21, 2009 @ 8:42 am
I just got one directing me to (DO NOT click on this) "kirgo.at".
Comment by John Phillips — May 21, 2009 @ 8:44 am
So I didn't open this site, but I got the message. Also, it sent messages to my friends. I now can't log into Facebook. It says my username and password are invalid! Is there a way I can get this back?
Comment by Alex — May 21, 2009 @ 8:48 am
Solution? Change the password before this thing does it for you?
Comment by Guy Shalev — May 21, 2009 @ 8:51 am
This could just as easily come through Yahoo mail, a google search suggested-link, outlook, the list goes on. It's not facebook's fault. It's a simple email message with a link in it. It's the areps.at website (which has nothing to do with facebook) that's doing the damage.
If you want to be safe, run anti-virus software, don't click on links in email messages that look 'off', use Firefox versus IE.
Comment by Anthony J. Biacco — May 21, 2009 @ 8:58 am
When I attempted to copy this article into an e-mail "response to all" (upon receipt of a bogus "areps.at" message), I get a Facebook pop-up which says that a user has reported some of this article's text as offensive. Find that user and you might find the source of this phishing scheme.
Comment by Mike V. — May 21, 2009 @ 8:59 am
I changed my login email and password as soon as I found out what it was, and so far I've stopped sending the link to the phishing site and I'm still logged in. Hopefully this works. Just putting out a possible solution. Good luck everyone.
Comment by Kristin — May 21, 2009 @ 9:05 am
The number ONE rule to always follow is don't click on any links someone sends you via message or email unless you KNOW them, and even then ALWAYS pay attention to your address bar! They can fake the page but not always the URL.
Comment by rick valderrama — May 21, 2009 @ 9:17 am
Doesn't the risk extend to your email account as well???
If you enter your email address and password — and happen to be using the same password for both FB and email, as a lot of people do — this means the scammers now have access to your email account too. They can change your password there, and lock you out of that as well. If you were lame enough to be suckered by this scam in facebook, I suggest you change your email password immediately to protect yourself there.
Comment by Gwen — May 21, 2009 @ 9:33 am
just got a nutpic.at – it seems to be changing rapidly. I'd be so bold as to suggest that you shouldn't follow anything with an .at at the end, frankly.
Comment by Krystalle — May 21, 2009 @ 9:35 am
I received the same message with nutpic.at…
Comment by Facebook User — May 21, 2009 @ 9:45 am
Hmm…just got another one, "nutpic.at". (I recommend not clicking on this/going to this site either).
Comment by John Phillips — May 21, 2009 @ 9:46 am
Brunga.at is another one.
Comment by patrick — May 21, 2009 @ 10:04 am
I got the nutpic.at one. I googled it at the same time though, and as soon as I saw it was dodgy, I changed my FB password straight away. I seem to be able to log on still, but I've received 2 such messages since from other friends.
Comment by yo yizzle — May 21, 2009 @ 10:05 am
I did click on the link – but got a Blocked Gateway page, suggesting that Facebook was already on to it, I hope…
Comment by Jane Carnall — May 21, 2009 @ 10:07 am
"As soon as you login to the site, it will steal your email and password and then log you into Facebook."
As soon as you log in to what site? Come on, man, help us out here. You have to follow the link for it to steal your info, right?
Comment by jfish — May 21, 2009 @ 10:12 am
Thanks for the update. No reason to panic about Facebook though. Phishing is standard on all social networking sites and the Internet in general. People just need to train themselves to never click on just a link blindly, even if it does look like it's from a friend.
Comment by Bonnie — May 21, 2009 @ 10:13 am
All the sites (bests, fcoder, nutpic, all .at) are hosted on the same machine, 213.182.197.2.
Some more over here.
http://anshprat.wordpress.com/2009/05/21/areps-at...
Comment by Anshu Prateek — May 21, 2009 @ 11:08 am
I clicked the link; it seems as if nothing happened. Should I do anything else? Change ALL my passwords or only the Facebook one? Download some anti-worm thing or something?
Comment by ariel — May 21, 2009 @ 11:08 am
One more with “Check brunga.at”
Comment by Misha Kutuzov — May 21, 2009 @ 2:26 pm
All the sites just went down. Cold and out. Though it's still pinging.
Comment by Anshu Prateek — May 21, 2009 @ 3:11 pm
My virus protection, “Avast” (free home version) caught the worm and wouldn’t let the site open on my computer. I guess I was lucky.
Comment by Blair — May 21, 2009 @ 3:32 pm
I got the brunga.at too, and cannot login.
Comment by Jan — May 21, 2009 @ 3:39 pm
If you’ve already clicked on the link I’m not sure but I have a suggestion: change your email passwords immediately,from another computer than the one you clicked on the link from. If you have a Virus, it might log your password change. Don’t use any applications especially email or anything that requires a password on your infected computer until you’ve eliminated the Virus. It may not be as drastic as all that but then again better safe than sorry.
Comment by mark — May 21, 2009 @ 5:44 pm
Mike V wrote:
“I get a Facebook pop-up which says that a user has reported some of this article’s text as offensive. Find that user and you might find the source of this phishing scheme.”
-
No, that would lead you to the first person who reported this to Facebook as being a phishing scheme. That user is the good guy. Why would the bad guy report his own message as being offensive?
rick valderrama wrote:
“The number ONE rule to always follow is don’t click on any links someone send you via message or email unless you KNOW them…”
-
Nope. I received mine from a known friend. I’m sure he didn’t send it, but unfortunately he may have clicked on the link and infected himself.
Comment by royalnonesuch — May 21, 2009 @ 5:58 pm
The idiot who keeps blaming IE is an idiot. This has nothing to do with the browser. Please learn before posting.
Comment by Shaun — May 21, 2009 @ 7:28 pm
Thanks, Anthony, for the info. I use AVG (paid edition) & side stepped this…thankfully. Also, the advice to not open if it’s coming from someone you don’t know isn’t quite accurate (no offense to the poster). Mine came from 2 different people I do know and completely trust as this is sending out automatically. One friend caught what was going on & posted to alert & is probably a mutual friend to the other so he would have seen her post. Also, I use Google Chrome. Some of the best advice is to not click on anything ending in .at.
Comment by Linda — May 21, 2009 @ 10:11 pm
The really scary thing is, for some people, seeing the .at address is a deterrent. What if they used a url shortener address instead (which people are used to clicking blindly and not re-scrutinizing the url). I’m sure clickthru rates would be much higher.
Comment by Jon — May 22, 2009 @ 12:15 am
It upsets me that people do stuff like this, do they not have anything else better to do with their time other than program spyware, virii and worms?
Comment by LCD CCTV Monitors — May 22, 2009 @ 8:39 am
I don’t know about everyone else, but whenever I get a short message from someone that is uncharacteristic, or whenever I get a message telling me to go to some site I’ve never heard of with NO prefacing, or explanation, I will immediately assume it is some sort of scam. You will always get these from your friends if your friends are clicking on them. That’s how they propagate: by sending themselves to every friend the person has. Instead, if it seems fishy (any URL-shortening website is fishy, and any website ending with something nonstandard is fishy) don’t click the link! Even if the link seems okay, like it connects allegedly to facebook or something, hover over it with your cursor to see where it directs you. It’s VERY easy to say “click this link” and make it look like it goes somewhere else. For instance, this little bit of code looks like it goes to youtube.com but instead goes to google.com. And I’m not even an insidious hacker or anything. youtube.com
Comment by Robert — May 22, 2009 @ 11:37 am
Firstly, I want to reiterate the question posted by jfish above – Do you have to actually login (as in enter your username and password into a text box) to the evil website linked to in the dodgy message in order for it to hack your FB account? Or can the malicious code described by the first comment obtain your password from a cookie or something without your help?
Secondly, about this article being reported as offensive – it’s *this* article – not the spam email – that’s been reported as offensive. It would make sense for the evil guy to report it as offensive to stop people finding out about the nature of his evil doings. If it’s actually just the *.at addresses that have been reported as offensive and Facebook is banning this page because it contains certain words then that’s a bit dubious. If I report the word Microsoft as offensive does that mean they will block any page with that word in too?
Thirdly, if the first comment is correct about IE downloading and running .exe files without asking the user if they really want to do that, then that is a massive security flaw in IE. No browser should do that. Ever. Even if the user has set their security preferences to the lowest setting.
Comment by Adrian — May 22, 2009 @ 12:20 pm
It modifies your hosts file too, I think. I found 3 redirecting entries in c:\windows\system32\drivers\etc\hosts. Take them out as well if they are there. Not 100% sure if it was this virus that caused it.
Comment by Ed — May 22, 2009 @ 2:24 pm
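Anthony J. Biacco's comment near the top (hidden executables in C:\WINDOWS and the Temp directory, started from the HKLM Run key) and Ed's comment just above (redirect entries in the hosts file) together make a short triage checklist. As an added example that is not part of the original post or its comments, the Python below applies that checklist to two text artifacts copied off a suspect machine: the output of `reg export` for the HKLM Run key, and the hosts file. Both inputs embedded here are constructed samples, not captures from an infected system; the "alice" profile path, the Updater entry and the 192.0.2.10 address are made up, and only the file names ld08.exe, pp10.exe and ker.exe are taken from the comments. It flags autorun entries whose executable sits directly in the Windows directory or under a Temp directory, and hosts entries that point a watched domain at a routable address.

```python
import re
from ipaddress import ip_address

# Constructed sample of what `reg export` writes for the HKLM Run key. It is
# not captured from a real machine: the Updater line is benign filler, the
# "alice" profile path is made up, and the other three entries only mirror the
# file names the comments above report (ld08.exe and pp10.exe in C:\WINDOWS,
# ker.exe in the profile's Temp directory).
SAMPLE_RUN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\Updater.exe /background"
"ld08"="C:\\WINDOWS\\ld08.exe"
"pp10"="\"C:\\WINDOWS\\pp10.exe\" -s"
"ker"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\ker.exe"
'''

# Constructed sample hosts file. 192.0.2.10 is a documentation address, not a
# real attacker host; the facebook.com lines are the kind of redirect described above.
SAMPLE_HOSTS = '''# constructed sample, not copied from an infected machine
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.facebook.com
192.0.2.10      facebook.com
0.0.0.0         ads.example.net   # null-routing an ad host is a common, benign edit
'''


def parse_run_values(reg_text):
    """Return (value name, command line) pairs from a `reg export` of a Run key.

    Only REG_SZ values (written as "name"="value") are considered; hex(2):
    expandable strings are rare under Run and are skipped here.
    """
    entries = []
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, raw = m.groups()
        # .reg files escape backslashes and double quotes inside string data
        entries.append((name, raw.replace('\\\\', '\\').replace('\\"', '"')))
    return entries


def executable_of(command):
    """Strip arguments and surrounding quotes, keeping the path up to .exe."""
    m = re.match(r'^"?(.*?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command


def autorun_reason(exe_path):
    """Why an autorun executable is suspicious by the comments' criteria, or None."""
    path = exe_path.lower().replace('/', '\\')
    parent, _, _name = path.rpartition('\\')
    if re.fullmatch(r'[a-z]:\\windows', parent):
        return 'executable dropped directly into the Windows directory'
    if parent.endswith('\\temp') or '\\temp\\' in path:
        return 'executable autostarts from a Temp directory'
    return None


def hosts_redirects(hosts_text, watched=('facebook.com',)):
    """Return (hostname, ip) for watched domains pointed at a routable address."""
    flagged = []
    for line in hosts_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        # loopback and 0.0.0.0 entries are normal (local services, ad blocking);
        # a watched domain sent anywhere else is a redirect to someone else's server
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if any(name == w or name.endswith('.' + w) for w in watched):
                flagged.append((name, ip))
    return flagged


def triage(reg_text, hosts_text):
    """Apply both checks and return the findings as a dict."""
    autorun = []
    for name, command in parse_run_values(reg_text):
        exe = executable_of(command)
        reason = autorun_reason(exe)
        if reason:
            autorun.append((name, exe, reason))
    return {'autorun': autorun, 'hosts': hosts_redirects(hosts_text)}


if __name__ == '__main__':
    result = triage(SAMPLE_RUN_REG, SAMPLE_HOSTS)
    for name, exe, reason in result['autorun']:
        print(f'Run\\{name}: {exe} ({reason})')
    for host, ip in result['hosts']:
        print(f'hosts: {host} -> {ip}')
```

On the suspect machine the two inputs come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (usually written as UTF-16 with a byte-order mark, so open it with `encoding='utf-16'`) and a copy of `%SystemRoot%\System32\drivers\etc\hosts`; run the script on a clean machine against those copies. Treat hits as leads rather than verdicts: the rules encode only what the comments describe, the file names change from one variant to the next, and the per-user Run key under HKCU and a listing of the Temp directory deserve the same look.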
Look out for this one too: dynasale.be
Comment by wordord — May 23, 2009 @ 3:10 am
Why don't you guys email your friends asking them to start any email with a certain phrase or a piece of information that can't be put into the email by an automated system? Then you don't even need to open the bad mail, because (on FB at least) you see the first bit of an email without opening it.
Comment by Hannah — May 23, 2009 @ 12:22 pm
I opened the mail and replied to it. The URL was hidden in the upper part of the thread, and so I replied to the group; that's all I did.
I had to reset my password at login and have it resent, as I was locked out of my Facebook account shortly afterwards.
Most of the press describes what happens after opening the URL, but there are obvious virus problems that exist with the email that contains the URL sent to the target's friend list.
Suggest you delete the message with any sent items, change your password immediately, then follow the instructions on Facebook's security page.
Comment by Dede — May 23, 2009 @ 5:37 pm
Is this a PC/Windows specific problem, or are macs (OS X) affected too?
Comment by Rsk — May 24, 2009 @ 11:58 am
The most recent scam is not ending in "at" but the letters "be". Is this the same scam or something entirely different?
Comment by Don — May 25, 2009 @ 2:03 am
You may try WOT and NoScript extensions for firefox as a safeguard. They can handle any malicious sites and scripts to some extent, and always warn you even before entering the scammers. I hope they can handle those scammers as well.
I am not addicted to Facebook. I have hardly logged into my account in the last half year, probably once or twice. So I think I am safe.
Comment by gaus surahman — July 20, 2009 @ 3:06 am
I've really enjoyed reading your articles. You obviously know what you are talking about! Your site is so easy to navigate too, I've bookmarked it in my favourites.
Comment by Adam B. Payne — December 18, 2009 @ 9:53 pm
Hi,
The problem is that to report scams to Facebook you have to log in. I'm sorry, but that's the last thing I want to do at this time.
Comment by mike — January 23, 2010 @ 8:36 pm
How can I remove phishing from my Facebook account?
Comment by amanda — August 22, 2010 @ 1:05 pm