The Latest in IT Security

Facebook Apps IFrame Flaw Used For Phishing

02 Jul 2011

Yesterday’s post noted a spammer who has figured out a way to embed his Cost Per Action (CPA) surveys in a Facebook application at apps.facebook.com.

An observant reader called Matthew wrote to inform us of a phishing attack that uses the very same technique.

The phisher’s form blends seamlessly into facebook.com, because it is rendered inside an app page served from apps.facebook.com:

Account Security on Facebook

Fortunately, this still appears to be in the early stages, and the statistics indicate it isn’t widespread.

Department of Facebook Security

Department of Facebook Security? Cute.

An IFrame on the app’s page is the source of the problem:

IFrame

Not the application.php page, but the app’s own page (we’re not sure what it’s called: the page one ends up on after the “Go to App” button is clicked).

The IFrame is loaded from a compromised website, which appears to be a clothing webshop hosted in Indonesia.

okrek.com
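The weak point described above is that the app page itself is legitimate Facebook content, while the IFrame inside it can point anywhere. The following is an added example, not code from the original post or from Facebook: it parses a canvas page’s HTML, collects every IFrame src, and flags the ones whose origin is not a Facebook host. The HTML sample is constructed to resemble the case in the post (the path under okrek.com is made up), and the list of trusted host suffixes is an assumption for illustration.

```python
"""Flag IFrames on a Facebook app canvas page that load from third-party origins.

Added example, not code from the original post. SAMPLE_CANVAS_HTML is
constructed to resemble the situation described (a canvas page whose IFrame
points at an external, compromised host); the path is hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a canvas page is expected to frame. Assumption: illustrative list only.
TRUSTED_SUFFIXES = ("facebook.com", "fbcdn.net")

# Constructed sample: one legitimate Facebook frame, one external frame.
SAMPLE_CANVAS_HTML = """
<html><body>
<div id="pagelet_canvas">
  <iframe src="https://www.facebook.com/plugins/like.php?href=example"></iframe>
  <iframe src="http://okrek.com/fb/account-security.php"
          frameborder="0" scrolling="no"></iframe>
</div>
</body></html>
"""


class IFrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def is_trusted_host(host):
    """True if host is one of the trusted suffixes or a subdomain of one.

    Matching on ".suffix" (not a bare endswith) prevents lookalikes such as
    notfacebook.com from passing.
    """
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_third_party_iframes(html, page_url):
    """Return the IFrame src values that do not resolve to a trusted origin.

    Relative URLs resolve against page_url and are therefore same-origin;
    scheme-relative (//host/...) and absolute URLs are parsed for their host;
    non-http(s) schemes such as javascript: or data: are always flagged.
    """
    parser = IFrameCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    flagged = []
    for src in parser.sources:
        parsed = urlparse(src.strip())
        scheme = parsed.scheme.lower()
        if scheme and scheme not in ("http", "https"):
            flagged.append(src)  # javascript:, data:, etc. have no place here
            continue
        host = parsed.hostname or page_host  # relative URL -> page's own host
        if not is_trusted_host(host):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in find_third_party_iframes(
        SAMPLE_CANVAS_HTML, "https://apps.facebook.com/example-app/"
    ):
        print("third-party IFrame:", src)
```

The same check generalises to any page that embeds user- or partner-supplied frames: the address bar tells the visitor only where the outer page came from, so the audit has to look at where each frame’s content came from.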

We attempted to fill out the phishing form, at the source, with some bogus information, and got this prompt:

The password you entered is incorrect

The form appears to be validating the submitted details as they are entered, rather than simply accepting anything.

The website also discourages right-clicking.

Right click is not allowed on this page.

There doesn’t appear to be much talk of this on Facebook. It could be that phishing links are being e-mailed to potential victims.

Here’s the one example we found:

Security Warning From Facebook

Facebook introduced IFrames to applications several months ago. Trend’s Rik Ferguson blogged about the issue in February.

David F. Carr at InformationWeek wrote Facebook iFrames: Good For Business, Bad For Security? on March 21st.

And now it looks as if the issue may finally need to be addressed. Hosting spam, phishing and malware on facebook.com via IFrames could quickly become a very serious headache.

We’ve been in contact with Facebook’s security team, and they’re looking into the issue.
