Flour Power

a blog by António Farinha


List of Facebook Phishing Scam Sites


Well, it really seems like a new site trying to steal people's Facebook credentials shows up every day. The .at and .be domains were attacked last week and this week the target seems to be the .ru domain. Yesterday I got a message to visit vingers.ru, and today the attack is coming in the form of nanoraw.ru. The Facebook message is similar: "Hello" for the subject and "nanoraw(insert dot)ru".

Here's the list of sites that have been spotted as part of this scam so far:


Instead of making a new post every time a new scam site shows up, I'll update this list as soon as I find a new one. So you can bookmark this post to keep safe.

I've also noticed that the sites only work the first time you access them, and return a 404 Not Found error in subsequent requests. I'm guessing this is some kind of attempt to hide from the victims.


Vingers.ru – Another Facebook Phishing Scam


So it seems that every other day a new Facebook phishing scheme springs to life. Or rather the same scam keeps showing up disguised in a new country domain. First it was the .at domain, a couple of days ago the .be domain and now it seems .ru is being targeted.

I just received a message from one of the friends that sent me the "wwww whiteflash be" message, now with "Hello" as the subject and "www vingers(enter dot)ru" as the message body. Again, the site looks like the Facebook login page to try and steal your user credentials. The good news for Google Chrome users is that the browser identifies the site as a malware site and displays the corresponding warning. Can't say the same about Firefox and Internet Explorer 7, though.

You should NOT provide your Facebook credentials to any site that is not http://www.facebook.com. You shouldn't even blindly trust the browser address bar, and should instead make sure you type the URL yourself. Take a look at this article that outlines the danger of having your Facebook credentials stolen.

Here's a list of sites that are being used to conduct the attack:


UPDATE: The vingers.ru site is returning a 404 Not Found error at the moment. I guess the scammers are changing domains faster now. I would expect a new one showing up soon.

UPDATE: Check this list of scam sites that I compiled and will be updating when some more sites show up.


Whiteflash.be – Today’s Facebook Phishing Scam


UPDATE: Check this list of scam sites that I compiled and will be updating when some more sites show up.

I wasn't affected by last week's areps.at Facebook phishing scam, but it seems like another one is underway right now. I've been getting some messages on my Facebook account with the subject "Look at this" and "wwww whiteflash be" as the message body. The site whiteflash.be looks like a Facebook log-in page, and is designed to steal your credentials and use them to send similar messages to all your friends.

Mashable mentions some other sites that are also part of the attack:

goldbase.be
greenbuddy.be
silvertag.be
picoband.be

So, if you receive such a message, DO NOT go to those sites.

UPDATE: You can add simplemart.be to the list of culprits. I just received a message pointing me to it, with the subject line "Hello" and the text "Check simplemart D0T be, , 575222". The weird thing here is that when I actually went to Facebook to check it (I saw it as an email notification), it said I had deleted the message, which I didn't. Maybe the Facebook staff is now onto it.
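The messages quoted in these posts all hide the dot in the domain ("(insert dot)", "(enter dot)", "D0T", or plain spaces), which defeats a filter that only looks for literal `name.tld` strings. The following is an added example, not part of the original posts, of a message filter that catches those spellings; the function name, the filler-word set and the short blocklist (domains taken from the post text) are assumptions for illustration.

```python
import re

# Domains named in the text of the posts above. A real filter would load a
# maintained blocklist instead (assumption).
BLOCKLIST = {"nanoraw.ru", "vingers.ru", "whiteflash.be", "simplemart.be", "areps.at"}

# Words the quoted messages use in place of a literal "." (assumed filler set).
FILLER = {"dot", "d0t", "insert", "enter"}
TOKEN = re.compile(r"[a-z0-9-]+")


def find_blocked(text, blocklist=BLOCKLIST):
    """Return blocklisted domains spelled out in text, however the dot is hidden."""
    # Reduce the message to bare labels: "simplemart D0T be" -> ["simplemart", "be"].
    tokens = [t for t in TOKEN.findall(text.lower()) if t not in FILLER]
    hits = set()
    for domain in blocklist:
        labels = domain.split(".")
        n = len(labels)
        # A hit is the domain's labels appearing as consecutive tokens.
        if any(tokens[i:i + n] == labels for i in range(len(tokens) - n + 1)):
            hits.add(domain)
    return sorted(hits)


if __name__ == "__main__":
    # Message bodies as quoted in the posts, plus one constructed benign message.
    samples = [
        "nanoraw(insert dot)ru",
        "www vingers(enter dot)ru",
        "wwww whiteflash be",
        "Check simplemart D0T be, , 575222",
        "See you at http://www.facebook.com tonight",  # constructed, benign
    ]
    for body in samples:
        print(repr(body), "->", find_blocked(body))
```

Because a match requires the full label sequence of a listed domain, ordinary text containing only "be" or "ru" does not trigger it.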
