Facebook Phishers Target Notification Messages [ALERT]


20 Aug 2009

To date, Facebook phishing scams have mostly targeted users by sending suspicious-looking messages to their Inbox that direct them to a site that looks like Facebook (see examples here and here). These typically come from friends who have had their username and password stolen by the same site.

While users (well, those who read Mashable anyways) have become familiar with these, a new series of scams adds more confusion to the mix, because it targets users with Facebook notifications that look just like real activities you’re used to being notified about.

Security firm Trend Micro explains:

“Using an already compromised account, I loaded up the app page for the malicious app “Posts” today; it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” App page, it also sent out new messages; the link in the message went to an external (to Facebook) link, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”. [Other apps spreading the scam include one called “Inbox” and another called “Birthday Notifications”.]

The application then goes on to send spam to all your contacts, without asking for permission of course… The notifications sent to friends all point back to the fucabook phishing site. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.”

And here’s a screenshot of what such notifications look like:

It’s easy to see how this scam could trick even seasoned Facebook users, as Inbox, Birthday Notifications, and Photos all sound like legitimate applications, and the notifications come from your friends. The only way to avoid this one is to be sure to check the address bar of your web browser and make sure you’re on Facebook.com and not “Fucabook” or any other suspicious URL. Or, you could simply get rid of notification messages, as we showed you how to do earlier today.
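The address-bar check described above can also be automated for links found in notifications or mail. The following is an added example, not code from Mashable or Trend Micro: the function names, the distance threshold of 2 and the `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = ("facebook.com",)   # domains the user expects to be on
BRAND = "facebook"            # name an imitation host would borrow
MAX_DISTANCE = 2              # assumed threshold for a near-miss spelling


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,   # delete, insert
                           prev[j - 1] + (ca != cb)))     # substitute
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'trusted', 'lookalike', 'external' or 'invalid'."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # no user@ prefix, no port
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    for label in host.split("."):
        # Brand embedded in a foreign host, or a near-miss spelling of it.
        if BRAND in label or edit_distance(label, BRAND) <= MAX_DISTANCE:
            return "lookalike"
    return "external"


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://www.facebook.com/home.php",
    "http://apps.fucabook.example/photos",
    "http://facebook.com@fucabook.example/",
    "http://facebook.com.login.example/",
    "https://mashable.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify_link(link), link)
```

The third and fourth samples show why comparing the parsed hostname matters: the text "facebook.com" appears in both URLs, but the browser would connect to a different host.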

