UPDATE: Two further rogue applications have been identified as part of this scam; see the latest blog article.
A rogue Facebook application appears to be sending notifications that lead users to a credential harvesting site.
Prospective marks receive a Facebook notification that a user has commented on one of their posts. The notifications appear to come from an application called “sex sex sex and more sex!!!” which, despite sounding shady and looking a bit of a mess, still boasts over 287000 fans.
The hyperlinks in the notification both lead to a malicious website hosted on the fucabook.com domain (note that the user name itself does not link back to a profile). The server at fucabook.com loads a JavaScript file, then immediately uses HTTP meta refresh tags to pull up the real Facebook website and prompt the victim for their login credentials.
Always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.
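The two checks described above (a link whose domain is a near miss of the real one, and a landing page that runs a script and then meta-refreshes to the genuine site) can be automated when triaging a reported link. The following is an added example, not code from the original post; the edit-distance threshold of 2, the two-label `base_domain` simplification and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "facebook.com"  # the brand the article's lookalike domain imitates

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(url):
    """Last two host labels; a simplification (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def is_lookalike(url, max_dist=2):
    """True for a domain that is close to, but not equal to, the trusted one."""
    d = base_domain(url)
    return d != TRUSTED and edit_distance(d, TRUSTED) <= max_dist

class RefreshFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.targets = 0, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\">\s]+)", a.get("content") or "", re.I)
            if m:  # record the target and whether a <script> came first
                self.targets.append((m.group(1), self.scripts > 0))

def assess(page_url, html):
    """Findings for a page reached from a notification link."""
    finder = RefreshFinder()
    finder.feed(html)
    findings = ["lookalike-domain"] if is_lookalike(page_url) else []
    for target, script_first in finder.targets:
        if base_domain(target) == TRUSTED and base_domain(page_url) != TRUSTED:
            findings.append("refresh-to-brand-from-other-site")
            if script_first:
                findings.append("script-ran-before-refresh")
    return findings

# Constructed sample: domain from the article, markup invented for illustration.
SAMPLE_URL = "http://fucabook.com/"
SAMPLE_HTML = ('<html><head><script src="/a.js"></script><meta http-equiv="refresh" '
               'content="0; url=https://www.facebook.com/"></head></html>')
```

Calling `assess(SAMPLE_URL, SAMPLE_HTML)` returns all three findings, while a page served from the genuine domain returns an empty list.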
The attack site is registered to an Arsen Tumanyan, who allegedly resides in Armenia. The domain is registered through GoDaddy, and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2).

