[liberationtech] Fake Facebook Page Targets Pro-Revolution Syrian Users

Ron Deibert r.deibert at utoronto.ca
Mon Aug 29 16:03:31 PDT 2011 

Fake Facebook Page Targets Pro-Revolution Syrian Users

By
The Information Warfare Monitor
Published: August 29, 2011Tags: Facebook, MENA, Syria
Digg it!
Facebook
The Information Warfare Monitor (IWM) has uncovered an attempt to use a fake URL and login page to lure Facebook users into providing their login credentials. Given the nature of the content being linked to, this appears to be an attempt to target pro-revolution Syrian Facebook users. The link (hxxp://facebook.com-video-php-v222423423.homsrev.webgoof.com/video/video.php) attempts to mimic the URL and login page of Facebook, as seen in Figure 1. It has been distributed through multiple Syrian Twitter accounts, which describe the content as a “fascinating video clip showing an attack on Syrian regime”. The use of Twitter accounts to distribute malicious links is a common tactic and has been documented by past Information Warfare Monitor research.

IWM researchers were able to login to this Facebook page using newly created login credentials, at which point we were re-directed to the legitimate Facebook login page. Tweets from August 29, 2011 have added a note explaining “you will be asked to login twice as an extra security  measure”. This is likely an attempt to mask the suspicious URL by immediately re-directing to a legitimate one.

The source code of the fake Facebook page contains a description in Arabic which reads “An excellent operation by Khalid brigade that killed 6 Shabiha in the Syrian city Homs.” Shabiha is an Arabic term used by Syrian opposition groups to describe the regime’s militias. This provides further evidence that this page was indeed set up to target pro-revolution Syrian users.

This fake Facebook page is hosted by the U.S. based hosting provider webgoof.com, whose domain name was registered on August 4, 2011. This hosting provider is a sister company of TechniHost, a web hosting provider based in Ohio. The Information Warfare Monitor alerted TechniHost of this issue and the account has since been suspended.

This issue has been reported elsewhere in a blog post entitled “How Syrian Electronic Army Hacks Facebook pages’, however this post does not provide any technical evidence.

Previous research of the Information Warfare Monitor has documented activities of the pro-regime Syrian Electronic Army, which included compromising several Facebook pages run by Syrian opposition groups. However, we are not able to determine who is behind this particular attempt to harvest Facebook credentials.

Ronald J. Deibert
Director, The Canada Centre for Global Security Studies and
The Citizen Lab
Munk School of Global Affairs
University of Toronto
r.deibert at utoronto.ca
http://deibert.citizenlab.org/
twitter.com/citizenlab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20110829/ec6a1fb7/attachment.html>

More information about the liberationtech mailing list