Hackers for the first time are targeting the popular social networking site Facebook with a phishing scam that harvests users' login details and passwords.
Some Facebook users checking their accounts Wednesday found odd postings of messages on their "wall" from one of their friends, saying: "lol i can't believe these pics got posted.... it's going to be BADDDD when her boyfriend sees these," followed by what looks like a genuine Facebook link.
But the link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page actually logs the victims into Facebook, but also keeps a copy of their user names and passwords.
Soon after, the hackers post messages containing the same URL on the public "walls" of the users' friends. The technique is a powerful phishing scam, because the link seems to be coming from a trusted friend.
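As an added illustration (not part of the original report), the following Python sketch shows the kind of check a site or mail filter could apply to posted links: it parses each URL and flags ones whose hostname carries the trusted brand name while the registered domain actually belongs to someone else, as with the .cn page described above. The sample posts and the `example.cn` host are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample wall posts; the hostnames are placeholders, not the
# real domain used in the incident described in the article.
SAMPLE_POSTS = [
    "lol i can't believe these pics got posted.... "
    "http://www.facebook.com.login-check.example.cn/profile.php?id=123",
    "check out my new album http://www.facebook.com/album.php?aid=5",
    "see this http://facebook-login.example.cn/",
]

# Registered domains the site itself legitimately links to.
TRUSTED_DOMAINS = {"facebook.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registered_domain(host):
    """Return the last two labels of a hostname, e.g. 'example.cn'.
    Simple heuristic: it treats 'co.uk'-style suffixes as a domain, so a
    production filter would use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return 'trusted', 'lookalike' or 'external' for a single URL."""
    host = urlparse(url).hostname or ""
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # The brand name appears somewhere in the hostname, but the registered
    # domain is not ours: the classic "looks like a genuine link" trick.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(brand in host for brand in brands):
        return "lookalike"
    return "external"


def flag_suspicious_links(posts):
    """Map every non-trusted URL found in the posts to its classification."""
    findings = {}
    for post in posts:
        for url in URL_RE.findall(post):
            verdict = classify_link(url)
            if verdict != "trusted":
                findings[url] = verdict
    return findings


if __name__ == "__main__":
    for url, verdict in flag_suspicious_links(SAMPLE_POSTS).items():
        print(f"{verdict:9} {url}")
```

A "lookalike" verdict is a strong signal to hold the post for review or to rewrite the link with an interstitial warning, since the user saw a friend's name next to what looked like an internal link.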
"A lot of phishing is moving out of financial services and going to online web sites that have not installed stronger authentication, sites that are not as close to the money," said Marc Gaffan, who heads product marketing for security firm RSA's Identity and Access Assurance Group.
Thanks to the exploding popularity of social networking services -- and tightened security at financial websites -- fraudsters are targeting networking sites to make money in a number of ways, according to security experts.
Hackers can use the compromised profiles to host Trojan horses such as key loggers that go on to steal banking passwords and credit card numbers.
And since many people use the same logins and passwords on multiple sites, the hackers can also check if stolen Facebook credentials will log them into eBay or Amazon, for instance.
And super-sneaky crooks may be interested in mining profiles for personal information that can be used to send carefully targeted spam or malware. If someone is listed as an NFL fan, for example, hackers may send him phony NFL messages to trick him into clicking a link or installing attached malware.
Dancho Danchev, an independent security consultant, said the hackers may be trying to harvest hundreds of accounts before embedding malware that automatically infects everyone who visits the infected profiles.
"If they register a phisher.cn domain they would have to advertise it so people will come across and get infected, (but) if they get access to profiles where people will return for sure, they won't reinvent the wheel," he said. "Moreover, they do internal spamming for the usual pharmaceuticals and porn stuff automatically."
Danchev has been tracking scammers using similar Chinese .cn domains to target MySpace user accounts, he said. "The common stereotype that it's all about the money is true in this case, because they will either embed the malware, or sell the accounting data to someone else who would do it," he said.