
There are some signs that the incredible growth of Facebook has peaked, but with over one billion subscribers it has become a target of opportunity for hackers and fraudsters using the techniques of social engineering. Where else are hackers going to find a bigger audience to spread an exploit?

A message has been appearing on Facebook pages, a new variation of phishing, which dupes users into thinking that their friends have participated in recent crimes. The message appears to come from a person in the potential victim's actual Friends List, who has in fact been hacked themselves. The message also claims that if they go to a Tumblr page, they will be able to see pictures of the participants in the crime. This is a classic social engineering strategy.

The fake message leads them to pages where they will either be infected with malware or tricked into revealing their Facebook login credentials. This new approach differs from email spam messages in that it varies repeatedly: the same user will not see exactly the same message twice.

The techniques used in this attack are based on a social engineering approach called the “familiarity exploit”. By presenting the information and request as coming from someone the target is familiar with, and in a familiar context, the target’s normal defense mechanisms are lowered. They are less sceptical of requests that would otherwise raise red flags. For example, the fake Facebook login page is designed to be so convincing that the victim will not question why they are being asked to log in when they were already logged in.