Facebook Fights Phishing Attacks

April 30, 2009— -- It was one of those things she never does.

But, Wednesday night, when Amory Wooden, 27, received a Facebook message from a friend directing her to a new Web site, she clicked on it. Not only that, once fbstarter.com popped up in her browser, she typed in her Facebook user name and password.

She had no idea she'd been hoaxed until Thursday morning, when messages from Facebook friends started pouring in about how they all fell for it.

"I don't know why it stumped everybody," the New Yorker told ABCNews.com. "I've been on Facebook for five years … I never message through Facebook."

For the second time in two days, users of the popular social networking site were attacked by a phishing virus attempting to harvest users' e-mail addresses and passwords.

Sites Harvest E-Mail, Password Information

The new virus, fbstarter.com, directs users to a Web site that mirrors Facebook's log-in page. Thinking they're on a Facebook-related site, users enter their e-mail addresses and passwords.

But once the renegade program has this information, it hacks into users' accounts and re-sends the link to all their friends, saying "Look at this!" and perpetuating the scam. The virus that was on the prowl Wednesday, FBAction.net, was very similar.

Although it's difficult to know the motivation of the people behind the attack, Facebook is an appealing target for spammers because users store so much personal information on it. In addition to names and e-mail addresses, some people keep their birthdays, addresses and telephone numbers. Once hackers have that information they can sell it to others on a black market.

As of Thursday afternoon, Facebook had blocked the Web site from being shared on Facebook. It also worked with MarkMonitor, an Internet fraud prevention firm, to get the browsers to blacklist fbstarter.com and take down the site.

By Thursday evening, Firefox had blocked the site but Internet Explorer still allowed users to access it.

"We're deleting that URL from walls and inboxes across Facebook," Barry Schnitt, a Facebook spokesman, told ABCNews.com in an e-mail. "We've also blocked access to the URL so that if someone does find it on Facebook (on their wall, in their inbox or in an e-mail notification) it won't send them to the destination."

He also said the site is automatically re-setting the password on any account that sent the infected links.

He declined to provide specific data about how many users were infected by the attack. But around midday on Thursday it was one of the hottest search terms on Google. It also prompted some robust chatter on Twitter.

Challenging to Prevent Phishing in Social Environments

Wooden said from the number of people who sent her messages about it today, it "absolutely" seemed like a more pervasive attack compared with those launched by previous viruses, such as Koobface.

Justin Smith, editor of InsideFacebook.com, said it's difficult to know how many people are infected by attacks like this. But, in the past, he added, Facebook has said about 1 percent of users' are affected by spam attacks. That's a small percentage, to be sure, but still a significant chunk of people when you consider that the site has more than 200 million users.

Facebook, he said, invests significant time and resources in fighting hackers but it can only do so much.

"It's a reflection of how challenging it is to prevent phishing in social environments," Smith said.

When users like Wooden receive a message from a friend they trust -- and when the spammers take care to craft a message similar enough to Facebook -- they let down their guard.

New Users Are Like 'New Kids on the Block'

Smith also said that as Facebook welcomes scores of new users, about 3.5 million each week, it creates a large audience of people who haven't been exposed to the kinds of phishing attacks that hit social networking sites.

"I think we've seen as new users have joined, it takes some time for users to figure out how to use new communication tools," he said, adding that many new users are over 35 and new to this kind of social environment.

"These are kind of the new kids on the block and so it's a little easier to pick on them," he said.

Facebook's Schnitt, however, said that they had not established any correlation between new users and the attacks.

"While we'd like to avoid attacks like today, every time they happen, more people become aware of phishing and how to avoid it on all sites, not just Facebook," she said.

He also cautioned users to only log in to sites when www.facebook.com is in the browser and to be very cautious of any messages or links they find on Facebook that ask them to log in again. Keeping unique logins and passwords for different sites is also helpful.

Even Infected, Facebook Does Its Job

Earlier this week, Facebook announced the launch of a new program that, much like Twitter, allows users to opt to make their newsfeed information public. Schnitt said that these attacks had no relation to the new program.

One possible upside of the scam?

Even when it's infected, Facebook connects people.

In one shot, the virus reached out to about 218 of Wooden's Facebook friends, many she isn't in touch with on a regular basis.

"I got a lot of [messages saying] "I haven't heard from you in a while," she said. "It brought us together."