Download our in-depth report: The Ultimate Guide to IT Security Vendors
The site offered visitors two ways to access the information: either enter their Facebook login credentials, or download the supposed app. In the former case, the attackers then had the victim's Facebook login info -- and in the latter case, the file downloaded was actually malware identified by Symantec as the Infostealer Trojan.
The malware adds executable files to the registry run key, sets up a keylogger that tracks everything the victim types, checks for Internet connectivity by pinging google.com, then sends it to the attacker's e-mail address. On the site that Symantec examined, however, the e-mail address hadn't been active for three months.
Regardless, the researchers write, the lessons are clear: check the URL of the Web site when logging into your account, don't click on suspicious links in e-mail messages, don't enter personal information in a pop-up window, and use comprehensive security software.