Facebook Fights Phishing Attacks

For the second time in two days, the social networking site fends off scammers.

By ABC News
April 30, 2009, 7:38 PM

April 30, 2009 -- It was one of those things she never does.

But, Wednesday night, when Amory Wooden, 27, received a Facebook message from a friend directing her to a new Web site, she clicked on it. Not only that, once fbstarter.com popped up in her browser, she typed in her Facebook user name and password.

She had no idea she'd been hoaxed until Thursday morning, when messages from Facebook friends started pouring in about how they all fell for it.

"I don't know why it stumped everybody," the New Yorker told ABCNews.com. "I've been on Facebook for five years … I never message through Facebook."

For the second time in two days, users of the popular social networking site were attacked by a phishing virus attempting to harvest users' e-mail addresses and passwords.

The new virus, fbstarter.com, directs users to a Web site that mirrors Facebook's log-in page. Thinking they're on a Facebook-related site, users enter their e-mail addresses and passwords.

But once the renegade program has this information, it hacks into users' accounts and re-sends the link to all their friends, saying "Look at this!" and perpetuating the scam. The virus that was on the prowl Wednesday, FBAction.net, was very similar.

Although it's difficult to know the motivation of the people behind the attack, Facebook is an appealing target for spammers because users store so much personal information on it. In addition to names and e-mail addresses, some people keep their birthdays, addresses and telephone numbers. Once hackers have that information they can sell it to others on a black market.

As of Thursday afternoon, Facebook had blocked the Web site from being shared on Facebook. It also worked with MarkMonitor, an Internet fraud prevention firm, to get the browsers to blacklist fbstarter.com and take down the site.

By Thursday evening, Firefox had blocked the site but Internet Explorer still allowed users to access it.

"We're deleting that URL from walls and inboxes across Facebook," Barry Schnitt, a Facebook spokesman, told ABCNews.com in an e-mail. "We've also blocked access to the URL so that if someone does find it on Facebook (on their wall, in their inbox or in an e-mail notification) it won't send them to the destination."

He also said the site is automatically resetting the password on any account that sent the infected links.

He declined to provide specific data about how many users were infected by the attack. But around midday on Thursday it was one of the hottest search terms on Google. It also prompted some robust chatter on Twitter.