As we edge toward Christmas, scammers are throwing their own party—in the form of Facebook phishing pages linked to and from bogus landing pages hosted on sites(dot)google(dot)com URLs.
These landing pages, adorned with very large and very fake "Login with Facebook" buttons, may be extra convincing to the unwary, due to a combination of the trusted Google name and the fact that the sites are HTTPS rather than standard HTTP.
HTTPS is becoming increasingly popular with scammers as it adds an extra air of authenticity to the whole operation. The padlock only tells you that the connection to the server is encrypted; on a platform like sites(dot)google(dot)com the certificate belongs to Google and says nothing about who built the page behind it. As a result, you can't just assume a "secure" site is also a safe one. There could well be a phisher lurking in the distance.
The landing pages are all themed around loss of Facebook access, with potential victims most likely directed there by phishing emails. (We haven't seen any associated with this particular campaign, but given the messaging on the sites and the typical methods used to steer someone to them, it seems a reasonable bet to make.)
The bulk of the fakeouts look like either of the two examples below, with zero additional content on the page except for a big blue box asking you to "Login to Facebook" to "comfirmation your account!!!" [sic]
[Screenshot: landing page with a large "Login to Facebook" button]
...or "Connect with Facebook."
[Screenshot: landing page with a large "Connect with Facebook" button]
There are a few other designs out there, but they're nowhere near as common as the two above. Here's one of the alt-designs:
[Screenshot: alternative landing page styled as a Facebook security notice]
The word salad on the fake Facebook security page reads as follows:
Dear Facebook users
Your account is reported to have violated the policies that are considered annoying or insulting Facebook users. Please confirm your account with accurate data to avoid blocking. Note: if you do not verify your account permanently disabled automatically. Thanks, the Facebook team
Regardless of which landing page you kickstart the process from, the end result is the same: you'll be directed to one of a number of secondary websites hosting the pages where user data will be phished. First, scammers will ask for login details:
After that, they go straight for security questions:
[Screenshot: fake Facebook "security questions" page]
The text on the page reads as follows:
We will temporarily lock your account. Please answer a few security questions to ensure that the actual owner of your account. We will provide 1X24 hours, to verify the identity of your account. If you do not confirm, the system will automatically shut down your Facebook account permanently.
This information will help us to restore your Facebook account
Upon hitting the "Protect your account" button, victims are sent to the legitimate Facebook login page, another common trick to make the victim think all is well, right up to the point where their login details are mysteriously changed and they lose access. We've seen Facebook scams a lot less complicated than this also ask for payment information, so we're a little surprised that none of the sites across both sets of websites (the landing pages, and the sites playing host to data collection) do this.
We're certainly not complaining, mind.
At time of writing, many of the secondary sites appear to have been taken down, though a fair few landing pages are still up and running. As such, it would be easy for the scammers to set up new phish pages and simply point the landing URLs at them instead.
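Because the landing pages are little more than a big button that forwards visitors to whichever secondary site is currently live, a quick way to triage one is to pull every "Login with Facebook"-style link out of the page and check where it actually points. The Python script below is an added example for this post, not code from the original article or its authors: it flags any such button whose destination is not facebook.com, and separately notes when the page itself sits on free hosting, where the HTTPS padlock is the host's and says nothing about who wrote the page. The landing-page HTML it parses is constructed to resemble the pages described above; the only real indicator in it is the defanged help-unblocking-fb(dot)site domain the post lists.

```python
"""Triage a suspected phishing landing page for off-site "Login with Facebook" buttons.

Added example, not code from the original post. Sample URL and HTML are constructed;
the defanged help-unblocking-fb(dot)site domain is the one named in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free hosting platforms that phishers borrow for the trusted name and the padlock.
FREE_HOSTING = {"sites.google.com"}

# Words that, together with "facebook", mark a button as a login lure.
LOGIN_KEYWORDS = ("login", "log in", "connect", "confirm", "protect")


def refang(indicator):
    """Turn a defanged indicator such as 'fb(dot)site' back into 'fb.site'."""
    return (indicator.replace("(dot)", ".")
                     .replace("[.]", ".")
                     .replace("hxxp", "http"))


def is_facebook_host(host):
    """True only for facebook.com itself or a real subdomain of it.

    A lookalike such as facebook.com.evil.example does not end with
    '.facebook.com' and is therefore rejected.
    """
    return host == "facebook.com" or host.endswith(".facebook.com")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)   # includes text inside nested <button> etc.

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def assess_landing_page(page_url, html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []

    page_host = urlparse(page_url).hostname or ""
    if page_host in FREE_HOSTING:
        findings.append(
            f"page is hosted on {page_host}: the HTTPS certificate is the host's, "
            "not the page author's, so the padlock is not a trust signal")

    for href, text in collector.links:
        lowered = text.lower()
        if "facebook" not in lowered or not any(k in lowered for k in LOGIN_KEYWORDS):
            continue   # not a login lure, e.g. a plain help-centre link
        target_host = urlparse(refang(href)).hostname or ""
        if not is_facebook_host(target_host):
            findings.append(f'"{text}" button leads to {target_host}, not facebook.com')
    return findings


# Constructed sample mimicking the "Login to Facebook" landing pages in the post.
SAMPLE_URL = "https://sites.google.com/view/account-confirmation"   # hypothetical path
SAMPLE_HTML = """
<html><body>
<h1>Login to Facebook</h1>
<p>comfirmation your account!!!</p>
<a href="https://help-unblocking-fb(dot)site/contact/2017/index(dot)php">
  <button>Login to Facebook</button>
</a>
<a href="https://www.facebook.com/help/">Facebook Help Centre</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in assess_landing_page(SAMPLE_URL, SAMPLE_HTML):
        print("-", finding)
```

The keyword match is deliberately loose (any "facebook" plus a login-ish verb), because the button wording on these pages varies; the strong signal is the destination host, which is why the script refangs and parses each href rather than trusting the anchor text.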
URLs you should avoid:
(leads to) help-unblocking-fb(dot)site/contact/2017/index(dot)php
We're working on having the last of these sites taken offline, but please be careful around any websites claiming they'll confirm, review, or connect your Facebook account, especially in relation to supposed security alerts or "bad behaviour" on your part. If in doubt, visit the official Facebook site directly and take things from there. There's a good chance it's just someone trying to ruin your festive fun, and that definitely doesn't fall under the season for giving.