Rogue toolbars phish for Facebook credentials

Two rogue toolbars have been spotted in the wild by Sunbelt researchers.

At first glance, they look legitimate enough. Purportedly enabling the user to cheat at popular Zynga games on Facebook, they contain various links and other teature usual for this kind of tool:

Upon closer inspection, the toolbar is revealed to be a tool used to steal login credentials. If the user clicks on the “Facebook” button in the left top corner, he is taken to a Facebook look-alike phishing page:

The domain on which the phishing page is hosted is constantly changing because in time every domai gets reported, detected and blocked by the browsers. The different domains used had names like apps-facebook-inthemafia(dot)tk, mafiamafiamafiamafia(dot)t35(dot)com, apps-inthemafias-facebook(dot)tk, etc.

The problem is that the toolbars – when they are not pointing towards the phishing page – point to the real Facebook URL, and the switch can happen anytime. It is best to distrust “cheating” toolbars altogether, and access Facebook and other networks and services by typing in the URL yourself or following your own bookmark.