Not a new method, but a very creative phishing example from the Facebook hacking scene: the attacker hosts a phishing page on a Facebook app subdomain itself. It is designed to look like the Facebook Security team's own page, with the title 'Facebook Page Verification' and the Facebook Security logo, as shown in the screenshot posted above.
Phishing app URL: https://apps.facebook.com/verify-pages/
Application hosted on: https://talksms.co.uk/
The phishing page asks the victim to enter the URL and name of a Page they own, together with their Facebook login email address and password. Once the victim submits the form, the phisher records the credentials.
Another interesting fact is that the phishing domain https://talksms.co.uk/ is served over HTTPS with a valid SSL certificate issued by GeoTrust. A valid certificate only proves that the operator controls that domain; it says nothing about whether the site is legitimate, so the padlock is no protection here.
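The security-relevant point of the two preceding paragraphs is that the address bar reads apps.facebook.com and shows a padlock, yet the form is served from, and posts to, a third-party host. The following is an added example, not code from the original post or from Facebook: it parses the two pages as a browser would see them, resolves where an iframe and a password form actually point, and checks that host against Facebook's domains. The HTML is constructed for the example, and the iframe path, form action and field names are assumptions (the post only says the form asks for page URL, page name, email and password).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of what a browser would see at the canvas URL
# https://apps.facebook.com/verify-pages/ : the address bar shows
# facebook.com, but the app body is an iframe to the third-party host.
# The iframe path is an assumption.
CANVAS_HTML = """
<html><body>
<div id="pagelet_canvas_content">
  <iframe src="https://talksms.co.uk/verify-pages/" name="app_runner"></iframe>
</div>
</body></html>
"""

# Constructed sample of the framed page. Form action and field names are
# assumptions; only the set of requested values comes from the post.
FRAMED_HTML = """
<html><body>
<h1>Facebook Page Verification</h1>
<form method="post" action="/verify-pages/submit.php">
  <input name="page_url"><input name="page_name">
  <input name="email"><input type="password" name="pass">
  <input type="submit" value="Verify">
</form>
</body></html>
"""

FACEBOOK_HOSTS = ("facebook.com", "fb.com")


def is_facebook_host(url):
    """True only if the host is facebook.com/fb.com or a subdomain of them.

    urlsplit().hostname strips userinfo and port, so a URL such as
    https://facebook.com@talksms.co.uk/ yields talksms.co.uk; a naive
    substring test on the raw string would be fooled by that and by
    facebook.com.talksms.co.uk.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FACEBOOK_HOSTS)


class _Sinks(HTMLParser):
    """Collect iframe sources and the action of every form holding a password field."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.forms = []      # (action, has_password_field)
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def credential_sinks(html, page_url):
    """Absolute URLs that a password typed into this page would be posted to."""
    p = _Sinks()
    p.feed(html)
    return [urljoin(page_url, action) for action, has_pw in p.forms if has_pw]


def framed_origins(html, page_url):
    """Absolute URLs of the iframes embedded in this page."""
    p = _Sinks()
    p.feed(html)
    return [urljoin(page_url, src) for src in p.iframes]


def audit(page_url, html):
    """Flag frames and password sinks whose host is not Facebook's."""
    findings = []
    for src in framed_origins(html, page_url):
        if not is_facebook_host(src):
            findings.append(("third-party frame", src))
    for sink in credential_sinks(html, page_url):
        if not is_facebook_host(sink):
            findings.append(("password posted off-site", sink))
    return findings


if __name__ == "__main__":
    pages = (("https://apps.facebook.com/verify-pages/", CANVAS_HTML),
             ("https://talksms.co.uk/verify-pages/", FRAMED_HTML))
    for url, html in pages:
        for kind, target in audit(url, html):
            print(f"{url}: {kind} -> {target}")
```

Run stand-alone it reports the canvas page as framing talksms.co.uk and the framed page as posting the password to talksms.co.uk; neither the apps.facebook.com address nor the GeoTrust certificate changes that result, because the check looks at where the credentials go, not at what the address bar shows.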
Once someone has been phished, the attacker hijacks all of their Pages and Groups, either for his own use or to sell them.
Three Facebook pages with millions of fans were hijacked last night by an attacker using this phishing page, and there may well be many more victims that are still unknown to us.
The hijacked pages are:
- https://www.facebook.com/funHETU
- https://www.facebook.com/getInspiration
- https://www.facebook.com/bySmiles
We found that after hijacking these pages, the attacker started spamming them with links to his own blog (https://teenquotes2013.blogspot.in) and to a Facebook page of his (https://www.facebook.com/This.Is.Teen.Quote). Facebook Insights shows that the attacker's page gained 96,000 followers in the last two months.
We have informed the Facebook security team about the issue and hope that Facebook will suspend all similar phishing pages as soon as possible. The original admins of the hijacked pages are also asking Facebook for help in getting their pages back.
Facebook users are advised to follow best practices to avoid phishing attacks:
- Do not click on suspicious links in email messages.
- Do not provide any personal information when answering an email.
- Do not enter personal information in a pop-up page; a valid HTTPS certificate or a facebook.com address in the bar does not mean the form belongs to Facebook.
- Report fake websites and emails (for Facebook, send phishing complaints to phish@fb.com).