by Jason Ding, Research Scientist
Internet hackers never stop devising new strategies to phish victims, even with Easter approaching. Last night, when one of our colleagues logged into his Facebook account, he received the following two Facebook chat messages from his friends.
The text of these messages reads as follows:
hey, do you remember this photo? http://m.facebook.com/note.php?note_id=10150721776820528
hey, do you remember this photo? http://m.facebook.com/note.php?note_id=10150657346714077
Because most Facebook users chat frequently with their friends, this message seems like nothing special and looks safe; it is a Facebook Note link. However, once you click through, the note presents another (non-Facebook) link to see your friend’s photo.
The links have the following text:
Click here to open photo > [http]://destinationats[.]com/photo-album/
If you follow this new link, you will be redirected to a website phishing your Facebook credentials or serving malicious content to install malware on your device. Either way, you are under potential attack. Unfortunately, we do not have a screenshot of the corresponding redirected site, but many Facebook users already know of its maliciousness.
Note that this twist is a different spin on a previous attack, because the chat message contains a valid Facebook Note link. Most users will trust Facebook URLs and click them.
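The two-hop pattern described above (a genuine Facebook Note link whose content points off-site) can be checked mechanically by looking one hop behind a trusted link. The following Python is an added example, not code from the original post; `review_message`, the `TRUSTED` list and the mapping of already-retrieved note text are assumptions made for illustration, and nothing is fetched.

```python
import re
from urllib.parse import urlsplit

TRUSTED = ("facebook.com",)  # assumption: the only domain the reader treats as trusted
# Matches plain and defanged URLs, e.g. [http]://host[.]com/path
URL_RE = re.compile(r"\[?h(?:tt|xx)ps?\]?://[^\s<>\"']+", re.IGNORECASE)

def refang(url):
    """Undo common defanging so the URL can be parsed; nothing is fetched."""
    url = re.sub(r"^\[?h(?:tt|xx)p(s?)\]?://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def host_of(url):
    return (urlsplit(refang(url)).hostname or "").rstrip(".")

def is_trusted(host):
    # Compare on a label boundary: facebook.com.example.net must not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def extract_urls(text):
    return [refang(u) for u in URL_RE.findall(text)]

def review_message(message, page_text_by_url):
    """Return (kind, defanged host) for every untrusted host linked directly
    in a message or one hop behind a trusted link in it."""
    findings = []
    for url in extract_urls(message):
        host = host_of(url)
        if not is_trusted(host):
            findings.append(("direct", host.replace(".", "[.]")))
            continue
        for inner in extract_urls(page_text_by_url.get(url, "")):
            inner_host = host_of(inner)
            if not is_trusted(inner_host):
                findings.append(("behind-trusted-link", inner_host.replace(".", "[.]")))
    return findings

# Chat message and note text as quoted on this page; the mapping stands in for
# already-retrieved note content (constructed for the example).
MESSAGE = "hey, do you remember this photo? http://m.facebook.com/note.php?note_id=10150721776820528"
NOTES = {
    "http://m.facebook.com/note.php?note_id=10150721776820528":
        "Click here to open photo > [http]://destinationats[.]com/photo-album/",
}

if __name__ == "__main__":
    print(review_message(MESSAGE, NOTES))
```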
If you receive such messages, DO NOT click on their links. Tell your friends that their passwords might be compromised, and suggest they change their passwords immediately.
Further tracking shows that in this example the attacking website domain is rmxdhd[.]com, which has been registered to an address in Russia since April 5, 2012. Fortunately, this domain is not resolvable at the moment.