A new phishing attack that's spreading through Facebook chat modifies hijacked accounts in order to impersonate the social network's security team.
The attackers replace the profile picture of compromised accounts with the Facebook logo and change their names to a variation of "Facebook Security" written with special Unicode characters, said Kaspersky Lab expert David Jacoby in a blog post.
Facebook claims that changing the profile name can take up to 24 hours and is subject to confirmation. However, in Jacoby's tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said.
After the victim's profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them that their accounts will be suspended unless they re-confirm their information.
The rogue messages appear to be signed by "The Facebook Team" and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook's design and asks for name, email, password, security question, country, birth date and other information needed to hijack the account.
However, the attack doesn't stop there. According to Jacoby, a second form asks users for their credit card details and billing address. This is somewhat unusual for Facebook phishing attacks, the majority of which target only social networking account information.
"These scams are just getting more popular and we really recommend not giving out personal information, especially not email, password and credit card information over social media," Jacoby said.