Following warnings about malware that claimed to be a Skype toolbar, further caution has been advised about rogue browser toolbars that direct users to a fake Facebook login page.
Chris Boyd, malware researcher at Sunbelt Software, said that two toolbars have been seen so far. They are often promoted as a way to cheat at popular Zynga games such as Mafia Wars, and at first glance they appear normal, with a collection of links to various websites and other features common to this type of program.
However, Boyd warned that should the user hit the ‘Facebook’ button, things will start to go wrong very quickly, as a test verified that it was a Facebook phish.
He said: “Taken to apps-facebook-inthemafia(dot)tk, only the anti-phish protection in both IE and Firefox would probably have saved the end-user from entering their details into the fake page. But mafiamafiamafiamafia(dot)t35(dot)com was also flagged on Phishtank, and it looks like we arrived just in time to catch the suspicious activity taking place because the t35 URL was deactivated shortly after.
“However, once the above domain went down at around 5:20 GMT, it was around 90 minutes or less before the toolbars were pointing to a fresh URL. The toolbars now took end-users to apps-inthemafias-facebook(dot)tk, which was a cover for another t35 URL: mafiawars200uk(dot)t35(dot)com.”
He said that the toolbars now point to the genuine Facebook URL, but there is an obvious danger that they could suddenly switch to another fake site and continue harvesting Facebook logins.
Boyd warned that if users install a toolbar from ourtoolbar(dot)com, they should pay attention to what kind of toolbar it is. If it promises ‘cheats’ for Zynga games, you may want to avoid logging into Facebook by clicking buttons on the toolbar itself.
He also warned users about being directed to a .tk domain. If that happens, there is a giveaway: the phishing page creators are a little lazy and have left a rather large clue that you are not on the real Facebook site, in the form of adverts and a T35 hosting notice.