Facebook Redirect Phishing

Two of my friends inadvertently gave away their passwords to a Facebook password phishing site yesterday. If you don’t know what phishing is, see the Wikipedia article.

Hypothesis: The way Facebook formats its links in e-mails actually makes it easier for phishing sites to trick some users into giving their info.

Phishing websites work by creating mirror images of other websites and tricking you into logging in to them with your account info from the other site. So let’s pretend I owned notfacebook.com. I could trick people into giving me their Facebook password by sending them to http://notfacebook.com/login.php, a page that looks exactly like the actual Facebook login page, except when you entered in your password, you would be sending it not to Facebook, but to me.

Now a lot of web users are getting savvy enough to detect these fake websites — it’s pretty obvious that any link that starts with http://notfacebook.com is fake. But what if you share that link on Facebook itself?

When you share a link on Facebook with someone, if that person’s privacy settings allow it, Facebook sends an e-mail describing said link. In the e-mail however, Facebook does not share the actual canonical link with you. It instead gives you a link which goes to a Facebook page that then redirects you to the actual link. For example, if I were to share the link for AndrewFong.com with you, Facebook actually sends you this URL: http://www.facebook.com/l/55dd3;AndrewFong.com (one reason Facebook does this is stat tracking — e.g. how many people actually click a link their friends send them).

The problem is that this creates the impression that third-party websites are actually pages on Facebook. If you click on the link above, it’s pretty obvious that AndrewFong.com is not Facebook, but if I were to make my homepage look like a Facebook login page, you might end up thinking that you were on the actual Facebook login page. After all, you clicked on a link that started with http://facebook.com, so it’s perfectly natural to expect that you’ll end up somewhere on Facebook. Furthermore, since Facebook requires logged out users to log back into the site to see a wall post or something else a friend shared, it’s also perfectly natural to see a Facebook login page when you click on that link.

People are even more likely to get duped if, instead of AndrewFong.com, I’m using clever domain names or gibberish. For example, if you saw http://www.facebook.com/l/55dd3;wallpostlink.pl/as3fa3g/share.php, would it be apparent on first glance that the end destination of this URL was not Facebook? I don’t think it is for most users.

What you’re supposed to do is check the URL in the actual address bar before signing in. Unfortunately, a lot of people forget to do this — there’s no reason to expect that clicking on a link in a Facebook e-mail that starts with http://facebook.com would send you to an external site. It also doesn’t help that Facebook currently doesn’t give you a warning you’re navigating to an external website if you’re already logged in (it does if you’re not logged in though — curious).

Of course, browsers and Facebook itself are supposed to mark these  links as suspicious and respond accordingly, but there’s always some lag time. So remember folks, always double check the domain of the website you’re on before logging in! If you’re not sure about the domain name, type facebook.com into the address bar of your browser and log in directly.

Comments