BLACKBERRIES CAN'T TELL REAL FROM PHISH?

Mixed in with the fake Facebook password update email we reported yesterday is another, possibly more dangerous phish. Messages with subjects like "Facebook Update Tool" and "Facebook Account Update" are circulating. These are more typical phish, and they include a link to a fake account login page.
Most users, by now, know to be cautious of things like this in their inbox. For Facebook users with Blackberries, though, there's another danger. There are reports, verified through experimentation by Stuart Paton, Senior Solutions Architect here at Cloudmark, that the Facebook for Blackberry app provided by Research in Motion can be fooled by these phishes. The app can be configured to monitor your Blackberry's email inbox for alerts from Facebook; those alerts are then moved to the Facebook app's internal inbox, which makes them appear to be legitimate. Users are much more likely to respond to these phishes when they appear to be coming directly from Facebook.
Our experiments show that these messages only show up in the Facebook for Blackberry app, and will not be seen if you log into your Facebook account through a web browser. Until Research in Motion and Facebook can issue a fix for this behavior, Facebook for Blackberry users should take care to verify that links in Facebook alerts are legitimate by viewing their Facebook inbox in a web browser. (Thanks go to Stuart Paton for researching this issue, and for providing screenshots of his Facebook inbox for this article.)
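
For readers who want to automate the link check recommended above, here is one way to flag links in an alert that do not actually lead to Facebook. This is an added example, not code from Cloudmark, Facebook or Research in Motion; the trusted-domain list, the function names and the sample message bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: only facebook.com and its subdomains count as genuine.
TRUSTED_SUFFIXES = ("facebook.com",)

# Pulls http(s) URLs out of a plain-text message body.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_trusted(url):
    """True only if the URL's real host is facebook.com or a subdomain of it."""
    try:
        # .hostname ignores any "user@" prefix and port, so a URL such as
        # http://facebook.com@login.example/ resolves to login.example.
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".").lower()
    # Match on a dot boundary so "notfacebook.com" and
    # "facebook.com.update.example" are both rejected.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(body):
    """Return every http(s) link in the body that does not lead to Facebook."""
    return [u for u in URL_RE.findall(body) if not host_is_trusted(u)]


# Constructed sample bodies (not copied from the real messages).
GENUINE = "You have a new message: https://www.facebook.com/inbox/"
PHISH = (
    "Update your account with the Facebook Update Tool:\n"
    "http://www.facebook.com.update.example/login.php\n"
    "http://facebook.com@login.example/update\n"
    "http://facebook-com.example/"
)

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE), ("phish", PHISH)):
        print(name, suspicious_links(body))
```

A link that passes this check only has a Facebook hostname; viewing the Facebook inbox in a web browser, as described above, remains the way to confirm the alert itself is real.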