Deja vu: New scams hit Facebook and Twitter

Phishers were having a field day with Facebook and Twitter on Thursday.

A new phishing scam hit Facebook users that, like others in recent weeks, sends them to a Web site which steals their log-in information and also secretly downloads malware onto computers when they visit the malicious Web site in what is known as a "drive-by download".

Meanwhile, Twitter users were getting messages from new followers that were posting links to a fake Twitter site with "tvvitter" in the tiny URL, Graham Cluley of Sophos wrote in his blog. His blog has a video of the phishing attack in action. Twitter representatives did not immediately respond to e-mails seeking comment.

In the Facebook attack, messages circulated with a subject line of "Hello" and a prompt to check out "areps.at" or other URLs ending in ".at".

The URLS, before being blocked, directed the visitor to a fake Facebook page. If you logged in to the site, it would steal your e-mail and password, log you into Facebook, automatically change your password, and send the same message to all your Facebook friends, according to the All Facebook blog.

The malicious Web sites also spread the Koobface worm and install the Trojan.BHO, among other malware, onto unsuspecting computers, according to a CNET News test using Internet Explorer. But the URLs were blocked by Firefox and flagged as a "Web Forgery" as of 9:50 a.m. PDT.

"Whoever is behind the scam has been steadily amassing a large number of e-mail addresses and passwords over the past few weeks," the blog says. "Some days as much as three scams will spread throughout the site (possibly even more). Facebook rapidly shuts down all references to the site but by then the scam has spread to thousands of users."

Facebook spokesman Barry Schnitt said: "The impact of this attack or the previous ones are not widespread and only impacted a tiny fraction of a percent of users. We've been updating our monitoring systems with information gleaned from the previous attacks so that each new attack is detected more quickly."

The site has blocked links to the new phishing sites from being shared on Facebook, added them to the block lists of the major browsers, and is working with partners to have the sites taken down completely, he said. Facebook also is cleaning up phony messages and wall posts and resetting the passwords of affected users.

Other safe computing tips from Facebook:

--Use an up-to-date browser that features an anti-phishing black list. Some examples include Internet Explorer 8 or Firefox 3.0.10.

--Use unique logins and passwords for each of the Web sites you use.

--Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain.

--Be cautious of any message, post, or link you find on Facebook that looks suspicious or requires an additional login.

--It is important that impacted users reset all accounts (not just Facebook) that use the same credentials. We believe the bad guys here are phishing an account and then trying those credentials on webmail providers. So, for example, if a user is compromised on Facebook and has the same login and password for their Gmail, the attacker may be able to intercept the Facebook password reset and compromise the account again in the future. This is one of the reasons why people need unique passwords for their online accounts.

--Become a fan of the Facebook Security Page (www.facebook.com/security) for more updates on new threats as well as helpful information on how to protect yourself online.

Separately, some Facebook users reported difficulty accessing the site on Thursday morning. It was unclear whether the connectivity issues were related to the phishing scam.

This article was first published as a blog post on CNET News.