Tuesday, August 30, 2011

Fake Facebook Page Targets Pro-Revolution Syrian Users

Via Information Warfare Monitor -

The Information Warfare Monitor (IWM) has uncovered an attempt to use a fake URL and login page to lure Facebook users into providing their login credentials. Given the nature of the content being linked to, this appears to be an attempt to target pro-revolution Syrian Facebook users. The link (hxxp://facebook.com-video-php-v222423423.homsrev.webgoof.com/video/video.php) attempts to mimic the URL and login page of Facebook, as seen in Figure 1. It has been distributed through multiple Syrian Twitter accounts, which describe the content as a “fascinating video clip showing an attack on Syrian regime”. The use of Twitter accounts to distribute malicious links is a common tactic and has been documented by past Information Warfare Monitor research.
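An added example, not part of the IWM report: a hostname check that flags links like the one above, where a brand's domain appears inside the hostname but the host actually belongs to a different domain. The `PROTECTED` list and the function names are assumptions for illustration; only `facebook.com` and the sample URL come from the article.

```python
from urllib.parse import urlsplit

# Domains to protect (assumption: only facebook.com is taken from the article).
PROTECTED = ("facebook.com",)


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, accepting defanged hxxp:// and [.] forms."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]          # refang for parsing only, never for fetching
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host: str, brand: str) -> bool:
    """True only if host is the brand domain itself or a real subdomain of it."""
    return host == brand or host.endswith("." + brand)


def lookalike_of(url: str):
    """Return the protected domain a URL imitates in its hostname, or None."""
    host = hostname_of(url)
    if any(belongs_to(host, brand) for brand in PROTECTED):
        return None
    # The brand string is present in the host, yet the host is not under the
    # brand's domain: the rightmost labels name somebody else's domain.
    return next((brand for brand in PROTECTED if brand in host), None)


if __name__ == "__main__":
    samples = [
        # URL quoted in the article (defanged, as published).
        "hxxp://facebook.com-video-php-v222423423.homsrev.webgoof.com/video/video.php",
        # Constructed samples for comparison.
        "https://www.facebook.com/login.php",
        "http://example.org/facebook.com/video.php",
    ]
    for s in samples:
        print(f"{lookalike_of(s) or 'ok':<14} {s}")
```

The check works on the hostname only, so a brand name that appears in the path is not flagged, and a link is treated as legitimate only when the protected domain sits at the right-hand end of the host.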

IWM researchers were able to log in to this Facebook page using newly created login credentials, at which point we were re-directed to the legitimate Facebook login page. Tweets from August 29, 2011 have added a note explaining “you will be asked to login twice as an extra security measure”. This is likely an attempt to mask the suspicious URL by immediately re-directing to a legitimate one.

The source code of the fake Facebook page contains a description in Arabic which reads “An excellent operation by Khalid brigade that killed 6 Shabiha in the Syrian city Homs.” Shabiha is an Arabic term used by Syrian opposition groups to describe the regime’s militias. This message provides further evidence that this page was indeed set up to target pro-revolution Syrian users.


Previous research by the Information Warfare Monitor has documented activities of the pro-regime Syrian Electronic Army, which included compromising several Facebook pages run by Syrian opposition groups. However, we are not able to determine who is behind this particular attempt to harvest Facebook credentials.
