We’ve received multiple tips about a new phishing attack spreading on Facebook. If you get an email that appears to come from Facebook with the subject “Hello” and the text below, don’t click the link it contains. The link leads to a site called fbaction.net that mimics the Facebook login page in the hope that you’ll sign in. If you do, the attacker has your password, can log in as you, and can send more of these messages to your friends.
The message body will apparently read something like this (with YOURFRIEND being replaced by the name of a friend of yours):
YOURFRIEND sent you a message.
We’ve contacted Facebook about the situation to see what it is doing to remedy this. In the meantime, be on the lookout for any link that points to fbaction.net, even if the visible link text says facebook.com.
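To make that advice concrete, here is a small link checker added to this post as an illustration; it is not code from the original article or from Facebook. It pulls the links out of a message body, compares where each one really goes with the host it claims to be, and flags anything that is not under facebook.com. The blocklist containing fbaction.net, the choice of facebook.com as the only trusted host, and the sample message are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: a genuine Facebook notification only links to facebook.com.
TRUSTED_HOSTS = ("facebook.com",)

# Constructed blocklist; fbaction.net is the domain named in the post.
KNOWN_PHISHING_HOSTS = {"fbaction.net"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
ANCHOR_RE = re.compile(
    r"""<a\s+[^>]*?href=["']([^"']+)["'][^>]*>(.*?)</a>""",
    re.IGNORECASE | re.DOTALL,
)


def host_of(url):
    """Hostname a browser would actually connect to, lower-cased, or '' if none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _under(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def classify_link(url):
    """Verdict for one URL: trusted, known-phishing, lookalike, untrusted or malformed."""
    host = host_of(url)
    if not host:
        return "malformed"
    # Checked first so that facebook.com.fbaction.net or user@host tricks are still caught.
    if any(_under(host, bad) for bad in KNOWN_PHISHING_HOSTS):
        return "known-phishing"
    if any(_under(host, good) for good in TRUSTED_HOSTS):
        return "trusted"
    # A host that merely contains the brand name (e.g. www.facebook.com.evil.test) is a lookalike.
    if "facebook" in host:
        return "lookalike"
    return "untrusted"


def suspicious_links(message_body):
    """Return (url, reason) for every link a genuine Facebook notification would not contain."""
    flagged = []
    seen = set()
    # Anchor tags: the href is what matters, the visible text is what the victim sees.
    for href, text in ANCHOR_RE.findall(message_body):
        seen.add(href)
        verdict = classify_link(href)
        if verdict == "trusted":
            continue
        if "facebook.com" in text.lower():
            verdict += " (link text claims facebook.com)"
        flagged.append((href, verdict))
    # Bare URLs in the body that were not already covered by an anchor.
    for url in URL_RE.findall(message_body):
        if url in seen:
            continue
        seen.add(url)
        verdict = classify_link(url)
        if verdict != "trusted":
            flagged.append((url, verdict))
    return flagged


# Constructed sample in the shape the post describes: the link text shows a
# facebook.com address while the href goes to the phishing domain.
SAMPLE_MESSAGE = """\
Subject: Hello

Jane Doe sent you a message.

<a href="http://www.fbaction.net/login.php">http://www.facebook.com/inbox</a>
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"{reason}: {url}")
```

The checker deliberately classifies the hostname the browser would connect to rather than the raw string, so `http://facebook.com@fbaction.net/` and `http://facebook.com.fbaction.net/` both come out as known-phishing; a brand name appearing anywhere else in the host is reported as a lookalike rather than trusted.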
Update: And it looks like “fbaction.net” is now the #2 hot trending search topic on Google Trends. This thing is apparently spreading quickly.
Update 2: Here’s what Facebook just told me about the attack:
We are aware of this phishing domain and have already begun to take action. Specifically, we have passed the domain on to Markmonitor who pushes the domain to the browsers for blacklisting. They will also actively try to disable the site at the server/domain level for people who don’t have updated browsers. Our user operations team has blocked the domain from being shared on Facebook and is removing the content retroactively from any messages. They will also be resetting passwords of senders to remove access from an attacker. We’re also reaching out to the ISPs to get information and will attempt to build a civil and/or criminal case against the owners.
Sure enough, as some commenters have noted below, it looks like Facebook is now blocking outgoing links to that domain, and some browsers, like IE8, have flagged it as malicious.