Facebook made to serve phishing forms to users

Netcraft researchers have recently spotted an extremely convincing Facebook phishing attack.

The fraudsters made it look like the fake “Facebook Page Verification” form they’ve asked the victims to fill and submit is legitimate, as the page serving it is on a Facebook subdomain and uses HTTPS:

The attack will work whether the user is already logged in or not, and all the links on the page work as they should. This is because, apart from the bogus form, the rest of the page is legitimate.

The phishers have registered Facebook apps, and have managed to load the form inside it via iframes. The form is hosted on the crooks’ own servers, which also uses HTTPS, so no warnings about unsecure connections will pop up.

Another trick up the fraudsters’ sleeve is that they made the form return an “incorrect credentials” notification the first time the user submits them (whether they are correct or not). This trick is used to convince the most suspicious users, who might have inserted incorrect credentials on purpose, that the form works as it should and is legitimate.

On the second try, the form accepts the inserted credentials, sends them to the attackers’ servers quietly in the background, and shows the victim a response saying they will be contacted by the “Facebook Verification Team” within 24 hours.

“But of course, this email will never arrive,” says Netcraft’s Paul Mutton.

“By this point, the fraudster already has the victim’s credentials and is just using this tactic to buy himself some time. He can either use the stolen Facebook credentials himself, or sell them to others who might monetize them by posting spam or trying to trick victims’ friends into helping them out of trouble by transferring money. If more victims are required, then the compromised accounts could also be used to propagate the attack to thousands of other Facebook users.”

Potential victims are likely directed to the fraudulent form via bogus emails or messages supposedly sent by Facebook.