phishing

What to do if you get hit by the Facebook brunga.at virus attack

Most of my hits lately have been people searching for information on brunga.at or another variant, like kirgo.at, nutpic.at, or 151.im. I've put together bits and pieces of information on the continuing Facebook phishing attack, but here's a quick guide on what to do if you've already fallen for it:

  • IMMEDIATELY change your passwords, particularly if you use the same password for Facebook as you do for other sites, like your bank or e-mail. This is the most important thing you can do, and the number one way to protect yourself from further, serious damage.
  • Report the breach to Facebook by e-mailing them at privacy@facebook.com. They're likely getting dozens of e-mails on the topic every second, but if they have your info they might be able to scrub any damage done before it gets passed much further.
  • Post a link on your wall to articles like this or the Facebook Phishing Scam Awareness group and let your friends know you've been compromised. It happens, but spreading the word about what they can do can minimize the damage.
  • Check your sent messages: You might be able to see who you've forwarded the worm to, and if so you can reply to all the people and warn them not to click your link. This won't always work but is worth a try.
  • Run anti-virus. Some users who've been hit have reported getting attacked by a Windows executable, and de-activating whatever nasty payload you might have gotten should be your next priority after changing your passwords and trying to prevent the virus from spreading further. If you don't have anti-virus already installed, learn your lesson and at a minimum, go install AVG, which is free. Many, many schools and service providers also give out free anti-virus to their students and customers.

Facebook itself had a few anti-phishing recommendations:

  • Use an up-to-date browser that features an anti-phishing black list. Some examples include Internet Explorer 8 or Firefox 3.0.10.
  • Use unique logins and passwords for each of the websites you use.
  • Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.
  • Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.

Facebook virus attack continues: Check kirgo.at, nutpic.at, and brunga.at continue to lure unwary

Already hit? Check out this guide on what to do now.

Looks like claims to have cleaned up the Facebook 151.im worm were a bit premature. I've gotten three more offers to check scam sites in the past few hours, including to kirgo.at, nutpic.at, and brunga.at. It looks like the phishers have changed from the Isle of Man's .im domain to Austria's .at. I'd still pick the former this time of year.

Most of what I wrote about the Facebook virus previously still applies, although it looks like the bad guys' servers are having trouble handling all the images, which will hopefully slow down the number of people falling for the trick.

One way to make sure that it's the real Facebook site you're logging in to? Simply put a made-up e-mail and password into the login page. The phishing sites have been putting out a "502 Bad Gateway" error, while the real Facebook would ask you to try again. Note that this is not a 100% foolproof method (check the address bar!), but few phishers, particularly for a scheme like this, are likely to go through the trouble of a complicated input verification scheme.

Facebook says "Check 121.im"; Common sense says don't

Since I've already gotten two of the spam Facebook messages today, I figure other people probably are, too. What sets this phishing attack apart from others? For one, no obvious misspellings:

John Doe sent you a message.

Subject: Hello

"Check 121.im"

To reply to this message, follow the link below:
http://www.facebook.com/n/?inbox/readmessage.php&t=1146328106860&mid=764a5aG638f2G2a6619cG0

___
This message was intended for morisy@gmail.com. Want to control which emails you receive from Facebook? Go to:
http://www.facebook.com/editaccount.php?notifications&md=bXNnO2Zyb209MjQwMjc0MDt0PTExNDYzMjgxMDY4NjA7dG89NDA3Nzk0
Facebook's offices are located at 156 University Ave., Palo Alto, CA 94301.

Pretty much identical to a regular Facebook message:

John Doe sent you a message.

--------------------
(no subject)

Great to see you the other day. The artist that I was trying to think of was Thomas Barbey:
http://www.facebook.com/l/;https://www.artifactsgallery.com/art.asp?!=A&name=Thomas%2520Barbey%2520Photography&ID=787#LINKS

- John
--------------------

John has shared a link with you. To view it or to reply to the message, follow this link:
http://www.facebook.com/n/?inbox/readmessage.php&t=1099969910945&mid=742ccdG638f2G2a40a06G0

___
This message was intended for morisy@gmail.com. Want to control which emails you receive from Facebook? Go to:
http://www.facebook.com/editaccount.php?notifications&md=bXNnO2Zyb209NDAyMzEwO3Q9MTA5OTk2OTkxMDk0NTt0bz00MDc3OTQ=
Facebook's offices are located at 156 University Ave., Palo Alto, CA 94301.

If you click through the link, even the login pages are pretty much identical, mostly differing in that the real one offers "English" as an option below, prompts that you must log in to continue, and has a (very slightly) wider "Sign Up" button. Tricky, particularly since Facebook doesn't automatically use SSL encryption (manually go to the more secure version at https://www.facebook.com, and many browsers will display a green indicator in the address bar to let you know you're at the legit location).

Still, it's a good reminder that avoiding phishing traps is easy: Always, always, always look at the address bar when you enter your password and username for any website, whether it's a bank, social networking site, or e-mail. Even if only a trivial account is compromised, many users use the same passwords across all their logins, meaning big trouble even if it's the most clueless script kiddie who gets your data.
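What "look at the address bar" means in practice, as an added example that is not part of the original post: only the hostname identifies the site, so a page can show "facebook.com" in its address and still live on brunga.at or kirgo.at. The function name, verdict strings and sample URLs below are constructed for illustration.

```javascript
// Added example (not from the original post). TRUSTED_DOMAIN is the domain the
// post tells you to look for; every URL in SAMPLES is constructed for illustration.
const TRUSTED_DOMAIN = "facebook.com";

// Returns "ok", "no-tls", "wrong-domain" or "invalid" for a login-page URL.
function checkLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return "invalid"; // bare text such as "brunga.at" is not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "invalid";

  // The hostname is the only part that identifies the site. Anything before
  // an "@" is userinfo, and anything after the first "/" is just a path.
  const host = url.hostname.replace(/\.$/, ""); // tolerate a trailing root dot

  // Exact match or a true subdomain. A plain endsWith("facebook.com") would
  // also accept "notfacebook.com", so the leading dot matters.
  const onDomain = host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
  if (!onDomain) return "wrong-domain";

  // Right site, but the password would cross the network unencrypted.
  return url.protocol === "https:" ? "ok" : "no-tls";
}

// Constructed samples: two real-domain logins and four lookalike shapes.
const SAMPLES = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "http://www.facebook.com.brunga.at/login.php", // real name used as a subdomain
  "http://www.facebook.com@kirgo.at/login.php",  // real name used as userinfo
  "http://nutpic.at/www.facebook.com/login.php", // real name used as a path
  "https://notfacebook.com/login.php",           // suffix lookalike
];

for (const u of SAMPLES) console.log(checkLoginUrl(u).padEnd(13), u);
```

The "no-tls" verdict covers the case described above, where the genuine login page is served without SSL unless you go to the https:// address yourself.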

Update: Facebook has acknowledged the virus, and is taking steps to thwart its effects, the L.A. Times reports.

"This is a phishing attack. We’re well aware of it and are already blocking links to these new phishing sites from being shared on Facebook," Facebook e-mailed the LA Times. "We’re also cleaning up phony messages and Wall posts and resetting the passwords of affected users. We think this is related to the fbaction.net/fbstarter.com campaign of a couple weeks ago."

Facebook has also put up a better anti-phishing blog post than mine on preventing attacks, though it would be nice (if expensive to them) to make SSL the default connection.

Update 2: Removed some Real Life (TM) first names I'd accidentally left in, to protect the innocent and guilty.
