Here’s a Facebook phish which uses the incredibly old technique of blurring the supposed page underneath the login prompt. This is designed to tantalise victims with what they could see if only they hand over login details. This tactic has been around from Facebook and Tumblr all the way back to Myspace, most typically in the form of the infamous “See who visited your page” scams of yesteryear.

The site, located at fb-log(dot)890m(dot)com, looks like this:

fb phish

Logging into the page would eventually direct the victim to the below “exploit” themed website:

sploitz web

The site seems to be offering up a “remote way to hack”, alongside asking if the visitor has tried their application. Well, okay. We downloaded the .APK on offer, fired it up and…

sploits droid

…it simply opens up the webpage in Android. If you were already viewing the site on an Android, this would be vaguely confusing. Sploitception?

Anyway. Clicking into the various Scams / Xploitz / SMS tabs suggests we need to be registered to view whatever content is on offer. An interesting diversion, but the primary focus should be on avoiding the phishing page in the first place. If you think you’ve been caught by this scam – or indeed any other Facebook phish – then set about changing your password as soon as possible, and follow the safety tips listed on their Privacy Basics page.

Christopher Boyd (Thanks to Nathan for assistance!)