Trend Micro reports that it has discovered a fake mobile Facebook site that looks identical to the popular social network. However, its intentions aren't to bring together friends and family (and possibly a few enemies), but to steal the credit card numbers of web surfers who can't tell the difference. Unfortunately, the security firm didn't specify how potential victims land on this Facebook imposter, but it's presumably through web searches and bogus Facebook emails.
For the more observant user, the fake login page has its differences from the original. First, the actual URL is wrong: Facebook Mobile login uses the m.facebook.com/logi address and sports the SSL "lock" icon indicating a secure connection, whereas the fake site merely uses the facebook.com address. That seems to indicate that Facebook users who simply type the wrong address into their smartphone or tablet browser could be directed to the malicious social network.
In addition to the URL, the fake Facebook login page doesn't nag the user to install the appropriate Android or iOS app (this Trend Micro test was obviously performed on Android). The fake page also doesn't provide a means to create a new account, but serves up links to password retrieval, getting login help, and so on. While the differences are obvious side by side, on its own, the fake Facebook login looks rather legitimate.
Once the unsuspecting Facebook user enters login credentials, he or she is directed to a new page requesting an updated security question. "If there is ever trouble with your account, you can use this information to reset your password and log back in," the page reads. "It's also easier for people to keep in touch." The security firm points out that this question/answer set could be used across multiple sites.
After the security question is updated, the real fun begins -- acquiring a credit card number. Let's stop for a moment here. If a social network is asking for credit card credentials during the login process, red warning lights and explosions should be going off in the user's head. No social network needs credit card info for any reason unless the user is trying to make a purchase. Even then, storing credit card information online is highly risky to begin with.
Regardless, there are many web surfers who will likely fall for this scheme. The fake credit card page makes the same comment about how the info can be used to reset the account password. Even more, this security "protection" is supposedly a free service from Facebook and will not be charged to the user's card. The credit card number is supposedly for identification purposes only even though the fake site wants a security code too.
That said, Trend Micro states the obvious. "In cases like these, users should always be careful and double-check the URLs of sites they are entering personal information into, particularly those that claim to belong to a particular service," the firm says. "In addition, Facebook does not ask for a user's credit card information unless they are making a purchase."
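The URL double-check described above can be automated, for example in a link-scanning proxy or mail filter. The following is an added example, not code from Trend Micro or this article; the function names, the verdict strings and the sample URLs (which use reserved `.example` hosts) are constructed for illustration.

```javascript
// Added example: verify that a login URL really belongs to the service it
// claims to be. All sample URLs below are constructed, not real phishing hosts.
const EXPECTED_DOMAIN = "facebook.com"; // assumption: the service being checked

function checkLoginUrl(raw, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases and IDNA-encodes the host
  } catch {
    return "invalid";
  }
  // The "lock" icon only appears over HTTPS; a plain-HTTP login form fails here.
  if (url.protocol !== "https:") return "not-https";
  // "https://m.facebook.com@login.example/" really connects to login.example:
  // everything before "@" is userinfo, not the host.
  if (url.username || url.password) return "userinfo-trick";
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Punycode labels can render as look-alike characters in the address bar.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return "punycode-host";
  }
  // Accept only the exact domain or a true subdomain of it. A bare
  // endsWith(expectedDomain) would wrongly accept "notfacebook.com".
  if (host === expectedDomain || host.endsWith("." + expectedDomain)) {
    return "ok";
  }
  return "wrong-host";
}

// Run the check over a list of URLs and keep only the ones that fail.
function suspiciousUrls(urls, expectedDomain = EXPECTED_DOMAIN) {
  return urls
    .map((u) => ({ url: u, verdict: checkLoginUrl(u, expectedDomain) }))
    .filter((r) => r.verdict !== "ok");
}

const SAMPLE_URLS = [ // constructed sample input
  "https://m.facebook.com/",
  "http://m.facebook.com/",
  "https://m.facebook.com.login.example/",
  "https://m.facebook.com@login.example/",
  "https://xn--bcher-kva.example/",
];

for (const r of suspiciousUrls(SAMPLE_URLS)) {
  console.log(`${r.verdict}\t${r.url}`);
}
```

A passing result only means the host name is the expected one; it says nothing about pages reached by mistyping a different but validly registered domain.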
Naturally, Trend Micro suggests installing its security products. We suggest using legit apps if possible, and avoiding providing credit card details to anything that looks remotely suspicious. If you are planning to store credit card info with services like Google, use two-step verification that requires a smartphone text or authorization app.