Fake Facebook site uses pharming to steal passwords

A cousin of mine got a new laptop from his place of work. The laptop is a nice 14.4" HP with Windows XP on it.

He found that when he visited Facebook, the site looked a bit odd, and when he logged in, the URL was redirecting to various other URLs.

These include:

http://chips05.clanteam.com/

http://chips09.99k.org/pro.php

http://hosint.zymic.com/404/

After some digging, it was apparent that typing "www.facebook.com" or just "facebook.com" were redirecting to one of the fake sites above. He downloaded and ran several malware/spyware removal programs but none of them fixed the problem.

Further digging using the ping command showed that instead of the real Facebook site, the fake site was on an IP address of a residential ADSL in Tirana, Albania! The address is 79.106.2.131.

The way this site manages to fool people into thinking it is Facebook, is that somehow it got the hosts file in Windows changed, so the malicious IP address serves a fake copy of the login page for Facebook.

This technique used by criminals is called pharming.

In order to check if you are affected by this, make sure that your Windows XP, file at C:\Windows\System32\Drivers\etc\hosts file, has the following, and no entries for Facebook (or Paypal, eBay, or other popular sites requiring passwords):

127.0.0.1 localhost

On a computer affected by the attack, you will have entries that look like this:

79.106.2.131 localhost
79.106.2.131 facebook.com
79.106.2.131 www.facebook.com

The solution is to restore the "localhost" entry to 127.0.0.1 and remove all other entries in the file for any web sites.

The irony is that despite malware removal programs such as Spybot inserting many fake sites into the hosts file as 127.0.0.1 to protect from such hijacks, yet it left the fake IP address for Facebook in the file, and even the fake entry for localhost.

It could be that my cousin's place of work are using a master image of Window that was previously infected via another mean, whether it is an unpatched Windows installation put on the internet, visiting a site distributing malware via ads, or the many other means that malware is spread by ...

Contents: 

Comments

This could be a maleware that

This could be a maleware that hijack locally cached DNS.

Antivirus like Kaspersky would recommend changing system configuration to disabling DNS caching during installation.

you can manually disable DNS cache be using the following command

>net stop dnscache

also you can download & use SmitfraudFix & from its main menu use option 5 to clean the DNS

It depends

It depends on many things, such as the Windows version, how it is setup.

But the steps are generally like this:

1. Make sure that the hosts files is writable. Check its permissions.

2. Click on Start -> Run, then enter CMD.

3. Enter CD \Windows\system32\drivers\etc

4. Enter EDIT hosts

5. Change the file as mentioned above.

6. Save the file.

7. Check if you are now at the right Facebook site.

THANKS!

thank u so much! i fixed it!