Tuesday, September 14, 2010

Attackers re-create an entire Facebook site for phishing

Most phishing sites consist of one login page with perhaps a few additional pages. However, I recently stumbled upon a Facebook phishing site which cloned all the Facebook pages: About, Developers, Advertising, Sign up, etc., and even in all of the 64 languages the original site offers!

Fake Facebook login page
The domain of the phishing site is fersos.ru. hxxp://www.fersos.ru/ gives an error as you have to access it with hxxp://www.fersos.ru/index.html. The website is remarkably well done; all the controls are the same as Facebook.

Fake Facebook sign up page

There is also another Russian domain hosting the same "clone" of Facebook: baksko.ru.

These sites are not yet listed in Phishtank, and they are not blocked by Google SafeBrowsing.

-- Julien


noe said...

Nice catch! It looks like these guys are also cloaking. If you simply type the URL in your browser you get an HTTP 403, but if you set the referrer to 'http://www.google.com' you get the phishing page back. Finally, they also check the user-agent, because if you simply curl the page with the proper referrer you get an empty page back.

I'm curious how you found out about these phishing sites.
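The cloaking noe describes (a 403 without a Google referrer, an empty body for a curl user-agent) is something an analyst can test for systematically rather than by hand. The following is an added example, not code from the blog or its author: it sends the same request with three header combinations and flags the two gating behaviours. The User-Agent strings, the placeholder URL and the simulated "cloaked server" are all constructed for the example; `live_fetch` is the real-network variant and is not exercised by the simulation.

```python
"""Probe a suspected phishing URL for referrer- and user-agent-based cloaking.

Added example: compares what a server returns when only the Referer and
User-Agent headers change, which is exactly what the commenter observed.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher takes (url, headers) and returns (status_code, body_text).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]

# Constructed header values for the example; any browser UA / curl UA would do.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/85.0 Safari/537.36")
CURL_UA = "curl/7.68.0"
GOOGLE_REFERER = "http://www.google.com/"

# Each probe varies only the two headers the site is suspected of inspecting.
PROBES: Dict[str, Dict[str, str]] = {
    "browser_no_referer": {"User-Agent": BROWSER_UA},
    "browser_google_referer": {"User-Agent": BROWSER_UA, "Referer": GOOGLE_REFERER},
    "curl_google_referer": {"User-Agent": CURL_UA, "Referer": GOOGLE_REFERER},
}


def live_fetch(url: str, headers: Dict[str, str], timeout: int = 10) -> Tuple[int, str]:
    """Real-network fetcher: returns the status and body even on HTTP errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def simulated_cloaked_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for a server that cloaks the way the comment describes."""
    if headers.get("Referer", "") != GOOGLE_REFERER:
        return 403, "Forbidden"                      # no Google referrer -> 403
    if headers.get("User-Agent", "").startswith("curl/"):
        return 200, ""                               # curl UA -> empty page
    return 200, "<html><form action='login.php'>fake login</form></html>"


def simulated_plain_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for an ordinary server that serves everyone the same page."""
    return 200, "<html><body>same page for everyone</body></html>"


def probe(url: str, fetch: Fetcher) -> Dict[str, Tuple[int, str]]:
    """Run every probe against the URL and collect (status, body) per probe."""
    return {name: fetch(url, dict(hdrs)) for name, hdrs in PROBES.items()}


def classify(results: Dict[str, Tuple[int, str]]) -> List[str]:
    """Turn probe results into cloaking findings (empty list = no cloaking seen)."""
    findings: List[str] = []
    direct_status, _ = results["browser_no_referer"]
    referred_status, referred_body = results["browser_google_referer"]
    _, curl_body = results["curl_google_referer"]

    # Blocked without a search-engine referrer but served with one.
    if direct_status == 403 and referred_status == 200 and referred_body.strip():
        findings.append("referer-gated")
    # Same referrer, but a non-browser user-agent gets an empty body.
    if referred_body.strip() and not curl_body.strip():
        findings.append("user-agent-gated")
    return findings


if __name__ == "__main__":
    # Placeholder URL; swap in the suspect URL and live_fetch for a real check.
    target = "http://suspected-phish.invalid/index.html"
    print(classify(probe(target, simulated_cloaked_fetch)))
    print(classify(probe(target, simulated_plain_fetch)))
```

Running the simulation reports `['referer-gated', 'user-agent-gated']` for the cloaked server and `[]` for the plain one. The same matrix, driven by `live_fetch`, is a useful first pass before submitting a URL to a blocklist, since a single "direct" fetch that returns 403 would otherwise make the site look dead.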

Julien Sobrier said...

@noe: We've developed a new technology to detect phishing sites. I was checking the results, and found these 2 domains flagged by our scripts.

Scyrus123 said...

It's just too easy to detect: right-click, then click "view source code".