InformationWeek Editor Duped In Facebook Phishing Scam

The damage could have been worse. I had my guard down. Although today started like any other day, I hadn't even taken one sip of my tea when I noticed a slight hiccup to the way things normally work when logging into Facebook (see image below). And now, someone out there (I'm not sure who) has the password I used to use for Facebook as well as for a handful of other sites. It's one of my not-to-be-used-for-transactional (financial)-sites passwords. So, nothing serious is at risk and I think I moved fast enough to go so far as to say nothing is at risk. But I should have known better and you can learn from my mistake.If you're currently a Facebook user, then the e-mail message below should look familiar. As can be seen from the image, the message that Jessica Lamoureux had written on my wall looks exactly like the hundreds of other messages that Facebook fills my in-box with.

I missed the fact that it was sent to my TechWeb address, which is not the e-mail address of record for my Facebook account. I also didn't bother to do what I usually do with links in e-mail messages (before clicking on them); I didn't mouse-over the message to double-check that the URI being displayed in the message wasn't an imposter that was masking a non-Facebook URL. As can be seen from below, it was. I also missed that once I clicked through, the URL in Firefox was pointing to http://facesbookcom.awardspace.com. I was asleep at the keyboard.

But the site's behavior certainly got my attention. I went through what appeared to be a normal login process, but then was asked for my password again. This second password request came from a legitimate Facebook page to which the imposter had redirected me. It's brilliant because if you're not paying close attention, you end up logged in to your actual Facebook account and may never realize that something was amiss. But I also was expecting to be taken directly to Miss Lamoureux' message (as is the normal behavior when clicking through e-mail) and that didn't happen. But by the time my spider senses were tingling, the "phishers" had both my login ID as well as my password. It happens to the best of us.

As I said earlier, the damage could have been worse. For example, by the time I realized my mistake, two key pieces of information on my Facebook account remained unchanged: my password and the contact e-mail. I changed both immediately. The phisher might have had some automated systems in place to change both (preventing me from logging in and also preventing Facebook's password recovery scheme from e-mailing me a new password). Had the phisher been faster than me -- for example, if the phisher's systems were automated (and no doubt, some phisher's systems are or will be) -- I would have been locked out of my Facebook account and who knows what else.

I think I've headed a small disaster off at the pass. But who knows? Furthermore, the skin on my neck took on a slight rosy pigment as I poked around awardspace.com (apparently, a Web hosting company) to find out why such a phishing scam is so easily run off its domain. I also reached out to Google since, with the imposter URL, this is one e-mail that the Gmail antispam engine should have nuked with one eye closed.

Here's the image (and watch what you're clicking on!):