Blog Archive

Thursday 1 July 2010

Winner's Circle Facebook phish

Here’s a Facebook phish that claims you’ve won $200,000,000 from “Zynga Special Gifts”, while displaying elements from the legit Texas Holdem Poker App page. It also pastes a popup box over the top:

Zynga Gifts
Click to Enlarge

As I’m logged into Facebook, you can see a little picture of my head as Texas Holdem asks for permission to access my information. All of this is going to seem very convincing to a Facebook user unfamiliar with dubious popups and other nonsense. Let’s see where we go from here after clicking the popup:

Zynga popup
Click to Enlarge

“Welcome to Winner’s Circle”, it says – along with a request for your email, password and “code” to prove you’re a legitimate winner. I’ve no idea what the Code is all about, but entering your data into the box and hitting the “Claim Gifts” button sends your login to the phisher.

Where this gets really interesting is the state of play this morning.

Visit the phish now, and Facebook redirects you to the following page:

Zynga phish warning

Click to Enlarge

“Warning, the website that directed you here was not a Facebook page. If you entered your Facebook login information on the previous site, you will need to reset your password”.

While this is pretty clever, there is one small problem. The warning appears underneath the phish popup, which is still alive and kicking:

popup with warning
Click to Enlarge

Performing a password reset depends upon the victim paying enough attention to notice the warning message once they’ve been phished – otherwise there won’t be any account reclaiming action taking place.

Still, it’s better than no warning at all. This one starts with a redirection link – bit(dot)ly/braovG, which now takes you to a Bit.ly warning page, and winner-gift(dot)110mb(dot)com/welcome(dot)htm, which is currently flagged as a phish by both Firefox and IE.

Christopher Boyd

No comments:

Post a Comment