Intro
I came across a FB app yesterday that raised red flags for me as soon as I saw the URL, which has a typo.
Opening the URL presented me with an application interface that claims to be an Instagram login interface, asking for credentials in order to grant access to the application.
It was clear that it’s a phishing campaign conducted in an unprofessional manner, particularly given the French language used on the interface. Entering random values in the fields redirected me to a page in the Arabic language.
Now, after recognizing this, I decided to identify the main backend server used to harvest victims’ credentials.
After opening the following URL: https://websitet7.com/qi/ins/?i=1108114
the main backend website interface that serves and receives harvested credentials appeared.
This time I tried typing in a random email and password to see where this page would redirect me after hypothetically harvesting my Instagram credentials, and indeed I was redirected to a proxy server web page.
Lessons learned:
1- Facebook apps do not request credentials for third-party services, and they do not even ask for your Facebook login info unless you need to log in
2- Do not type your login information into any application or webpage unless you have made sure it belongs to the website it claims to be
3- Take a step further and report the main phishing URL to the Cisco Talos intelligence group to blacklist the IP and prevent other people from falling victim to this
4- If it was Facebook phishing, report the Facebook app URL to phish@fb.com to have the app taken down
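
Lesson 2 can be automated when triaging reported links. The following is an added example, not part of the original post: it classifies a URL that asks for a brand's credentials by comparing its real hostname with an allowlist. The allowlist contents, the function names and the distance threshold of 2 are assumptions, and every sample URL other than the websitet7.com one from this post is constructed.

```python
from urllib.parse import urlsplit

# Assumption: a defender-maintained allowlist of domains each brand really logs in on.
OFFICIAL = {"instagram": {"instagram.com"}, "facebook": {"facebook.com"}}

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss (typo) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, brand):
    """Classify a page asking for `brand` credentials.

    Returns 'official', 'lookalike', 'unrelated' or 'invalid'.
    """
    parts = urlsplit(url.strip())
    # .hostname drops any "user@" prefix and the port, so only the host the
    # browser actually connects to is compared.
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return "invalid"
    domains = OFFICIAL[brand]
    # Exact match or a true subdomain of an official domain.
    if any(host == d or host.endswith("." + d) for d in domains):
        return "official"
    # Not official: is the host imitating the brand's name?
    # Crude registrable domain (last two labels, no public-suffix list);
    # punycode (xn--) hosts are not decoded here.
    tail = ".".join(host.split(".")[-2:])
    if brand in host or any(edit_distance(tail, d) <= 2 for d in domains):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    for u in ("https://www.instagram.com/accounts/login/",
              "https://websitet7.com/qi/ins/?i=1108114",   # URL from this post
              "https://instagram.com.websitet7.com/",      # constructed
              "https://instagrarn.com/login"):             # constructed
        print(check_login_url(u, "instagram"), u)
```

Both 'lookalike' and 'unrelated' mean the page has no business asking for that brand's password; the distinction only helps prioritise reports.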