“Do you want to be my friend? I will add you on Facebook.” This kind of conversation is quite common nowadays, and is reasonably safe in most cases — but not in Thailand!
Websense® ThreatSeeker® Network has found a fake Facebook site in Thailand. The Web page looks very different from the popular social networking portal, so it is unlikely that the site owner would use the usual social engineering tricks to steal credentials. However, as we will see, the site does host some malicious applications to trap its unaware users. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.
As we can see in the picture above, the home page looks different from the original Facebook, even if it shares a few similarities such as the color and the style of the buttons at the top. Analysis by FireShark also shows us a legitimate-looking picture, as most of the connections seem to be going the right way, as well as to legitimate and clean destinations:
At this point, a security researcher might think that the creator of this site only wanted to gain some capital by buying the top-level domain name for their country (domain squatting), as this then opens negotiations for a trade or buy-out. However, before we close this book and put it back on the shelf, take a look at some of the other pages it hosts:
As we can see, some of the pages hold malicious applications, able to install a bot (Win32/Dorkbot.A) and another malware agent on users’ computers. Websense Security Labs would like to emphasize that this site is not the original Facebook, and users should always be careful when visiting sites that are unknown or uncategorized.