Bogus Facebook app harvests user login credentials

A bogus application harvesting Facebook users’ login credentials has recently appeared on the social network, according to Symantec researchers.

Luring in users with videos titled “Tornado Randomly Appears During Soccer Game” or “Video: This is the best April Fools’ prank ever!“, a click on the message by the user starts the automatic download of a script that logs the user out of Facebook and then displays an Error message inviting him to log in in order to continue:

A click on the button reveals a login form that looks rather legitimate.

“When the user enters login details and clicks on the Login button, the fake application sends two POST requests: one to Facebook.com, and the other to the malicious server,” explains the researcher.

The app also automatically posts the same message that lured the user in to his profile, making sure that his “friends” see it and quite likely fall for it.