Increasingly, scam sites have domains that include the names Facebook, MySpace and Twitter, with no connection to the real sites. By using this tactic, called “domain-name cloning,” cybercriminals are making their scam sites appear to be affiliated with these popular social networking sites. Websites with names such as unblock.facebookproxy.com, buy.viagra.twitter.1234.com or hotbabesofmyspace999.com often are phishing websites designed to lure users into handing over sensitive information or downloading malicious code, Jay Liew, security researcher for Websense Labs, told SCMagazineUS.com on Thursday. More than 200,000 phony copycat sites that use the terms Facebook, MySpace or Twitter in their URLs have been identified.
This problem may be heightened by a lack of user education, Liew said. Because users are accustomed to looking at websites with the words Facebook, MySpace or Twitter in the URL, it's natural to think those sites are safe.
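A defender-side check for the naming pattern described above, added here as an illustration and not taken from Websense or the article: it flags hostnames that contain a brand keyword but whose registrable domain is not the brand's own. It assumes the registrable domain is the last two labels (true for the .com names quoted above; other suffixes need the Public Suffix List), and the brand table, function names and sample URL paths are hypothetical.

```python
from urllib.parse import urlsplit

# Brand keyword -> registrable domain the brand actually owns (illustrative table).
BRANDS = {
    "facebook": "facebook.com",
    "myspace": "myspace.com",
    "twitter": "twitter.com",
}

def hostname_of(url_or_host):
    """Accept a bare hostname or a full URL; return the lowercase host."""
    if "//" not in url_or_host:
        url_or_host = "//" + url_or_host  # lets urlsplit parse a bare host
    return (urlsplit(url_or_host).hostname or "").lower()

def registrable_domain(host):
    """Assumption: last two labels are the registrable domain (plain .com).
    Production code should consult the Public Suffix List instead."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify(url_or_host):
    """Return (verdict, brand): 'official', 'lookalike' or 'unrelated'."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    # Ownership is decided by the registrable domain, not by any keyword.
    for brand, official in BRANDS.items():
        if reg == official:
            return ("official", brand)
    # A brand keyword anywhere else in the hostname is only decoration.
    for brand in BRANDS:
        if brand in host:
            return ("lookalike", brand)
    return ("unrelated", None)

def lookalikes(urls):
    """Return the inputs whose hostname borrows a brand it does not belong to."""
    return [u for u in urls if classify(u)[0] == "lookalike"]

if __name__ == "__main__":
    # Hostnames are the article's examples; the paths are constructed samples.
    sample = [
        "unblock.facebookproxy.com",
        "http://buy.viagra.twitter.1234.com/login",
        "hotbabesofmyspace999.com",
        "https://www.facebook.com/login.php",
    ]
    for u in sample:
        print(f"{classify(u)[0]:10} {u}")
```

The brand keyword appearing in a subdomain or inside a longer label does not change who controls the name; only the registrable domain does.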
Many of the domains are proxy avoidance sites that are used to evade traditional web filtering technology, Websense found when analyzing this threat. Liew added that there are a few legitimate proxy avoidance sites, but the majority are operated by scammers who are up to no good and could be stealing usernames and passwords or infecting people with malware, he said.
Some of the scam sites even look like legitimate social networking website login screens, aiming to trick users into handing over their usernames and passwords. Liew said these websites are often part of a phased exploit in which diligent cybercriminals turn website credentials into hard cash.
Liew said that at first cybercriminals use the fake social networking phishing site to obtain usernames and passwords. Then they use compromised social networking accounts to send out malicious links to websites that install malware on users' systems. Next, they wait for an infected user to check their bank account online so that they can capture banking credentials. Finally, they log into the user's banking site and transfer money into an offshore account.
Late last month, Facebook said it had put the brakes on a phishing wave that was trying to dupe members into divulging their login credentials. Phishers sent messages to Facebook users that appeared to come from their "friends" on the site. However, the scammers actually had hacked those accounts, giving them the ability to send messages and impersonate the victim.