Facebook phishing worm compromises thousands of accounts


A very effective phishing worm has been targeting Facebook users and has been compromising their accounts by luring them with the offer of seeing a video.

The victim would receive an instant message from a contact asking “Is this you?” and supposedly offering a link to the video. The link actually points to a malicious Facebook application, which loads a phishing page into an iframe.

The Kaspersky researcher who spotted the worm was curious and poked around the server, requesting some common directories to learn more about the worm’s activity, and found one that contained Apache access logs.

“When analyzing the content of the log file I saw that someone was trying to access a file named acc.txt,” says the researcher. “I downloaded acc.txt and saw that the file contained stolen accounts: in the first version of acc.txt which I downloaded I saw that the attacker had collected over 3000 accounts! I downloaded the acc.txt at 5-minute intervals, and within 20 minutes, the number of stolen accounts went from 3000 to over 6000.”
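The two things the researcher read from that server, requests for a file that should never have been web-accessible and a credential file growing at a measurable rate, are the same signals a defender can pull from an Apache access log. The script below is an added example, not code from the article or from Kaspersky. It parses combined-format log lines, flags successful fetches of files like acc.txt, reports whether an exposed file grew between fetches, and counts credential POSTs per 5-minute bucket. The log lines are constructed for the example, and the phishing page path /login.php, the POST-based harvesting, and the extra sensitive file names beyond acc.txt are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format; group names follow the LogFormat directive fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Files that should never be fetchable from a web root. "acc.txt" is the name
# quoted in the article; the remaining names are common log/dump names (assumption).
SENSITIVE_NAMES = ("acc.txt", "access.log", "error.log", ".bak", ".sql")

# Constructed sample lines, not taken from the real server. The phishing page is
# assumed to live at /login.php and to receive stolen credentials via POST.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2010:14:02:11 +0000] "GET /login.php HTTP/1.1" 200 2481 "http://apps.facebook.com/example/" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2010:14:02:40 +0000] "POST /login.php HTTP/1.1" 302 0 "http://apps.facebook.com/example/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2010:14:03:15 +0000] "POST /login.php HTTP/1.1" 302 0 "http://apps.facebook.com/example/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2010:14:04:02 +0000] "GET /acc.txt HTTP/1.1" 200 143201 "-" "curl/7.19.7"
198.51.100.9 - - [10/Jan/2010:14:06:30 +0000] "POST /login.php HTTP/1.1" 302 0 "http://apps.facebook.com/example/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2010:14:09:05 +0000] "GET /acc.txt HTTP/1.1" 200 287911 "-" "curl/7.19.7"
192.0.2.44 - - [10/Jan/2010:14:09:40 +0000] "GET /logs/ HTTP/1.1" 200 1210 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FORMAT)
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries


def sensitive_hits(entries, names=SENSITIVE_NAMES):
    """Successful (2xx) requests for paths ending in a sensitive file name.
    A 2xx means the server actually handed the file out, not just that it was probed."""
    return [e for e in entries
            if 200 <= e["status"] < 300
            and any(e["path"].lower().endswith(n) for n in names)]


def exposed_file_growth(hits):
    """Map each exposed path to (first, last) observed response size.
    A growing size means the attacker is still appending to the file."""
    first, last = {}, {}
    for e in hits:
        first.setdefault(e["path"], e["size"])
        last[e["path"]] = e["size"]
    return {p: (first[p], last[p]) for p in first}


def harvest_rate(entries, path="/login.php", minutes=5):
    """Count credential POSTs to the phishing page per fixed time bucket; this is
    the same growth signal the researcher read off acc.txt. Keys are bucket starts."""
    buckets = Counter()
    for e in entries:
        if e["method"] == "POST" and e["path"] == path:
            start = e["ts"] - timedelta(minutes=e["ts"].minute % minutes,
                                        seconds=e["ts"].second)
            buckets[start.strftime("%H:%M")] += 1
    return buckets


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    hits = sensitive_hits(entries)
    for h in hits:
        print(f"exposed file served: {h['ip']} {h['path']} {h['size']} bytes")
    print("growth:", exposed_file_growth(hits))
    print("credential POSTs per 5 min:", dict(harvest_rate(entries)))
```

Run against a real access log, the same three functions answer the questions that mattered here: is a credential dump reachable over HTTP, is it still being written to, and how fast are victims arriving.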

He immediately notified Facebook, and the malicious page was taken down. Users who think their account has been compromised are advised to change their password and to terminate any active sessions listed in the Account Security section of Account Settings.