Jul 2, 2011 10:17 GMT  ·  By

Security researchers have come across a well-executed phishing attack in which the rogue form is displayed through a Facebook app iframe, so the victim sees a facebook.com address while filling in a form served from elsewhere.

Since February, Facebook has allowed developers to load third-party content into app pages through iframes, a feature security researchers have criticized because it is prone to abuse: whatever the iframe loads appears under an apps.facebook.com URL.

And it wasn't long before cyber crooks began leveraging this functionality to craft believable scams.

Such is the case of a recent phishing attack spotted by security researchers from F-Secure in which a rogue form is loaded from an external domain.

The scam is carefully constructed: victims are told that their accounts have been temporarily suspended because of suspicious activity and are asked to verify their identity.

The form has fields for full name, email address, password, gender, birthday, country, and security question and answer, enough information to allow for extensive abuse, and not just on Facebook.

One interesting aspect of this attack is that passwords are actually verified in real time, so a victim who mistypes is prompted again rather than tipped off by an error. In addition, right-clicking is disabled on the page to prevent users from viewing the source code, although this restriction is trivial to bypass: the browser's View Source command and developer tools do not depend on the context menu.
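The combination described above (a form with a password field posting to a domain other than the one shown in the address bar, extra "security question" fields, and a suppressed context menu) can be checked for mechanically. The following is an added example, not code from F-Secure or from the article: a small Python audit that finds third-party iframes in a canvas page and flags credential-harvesting patterns in the embedded document. All HTML and host names are constructed for illustration (the `.invalid` domain is a placeholder, not the real phishing domain).

```python
"""Heuristic audit for credential-harvesting forms loaded via a third-party iframe.

Example code only; the HTML below is constructed, not the actual phishing page.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names that, next to a password, indicate more than a plain login form.
SENSITIVE_NAMES = {"security_question", "security_answer"}


class _Collector(HTMLParser):
    """Gather iframes, forms with their inputs, and context-menu suppression."""

    def __init__(self):
        super().__init__()
        self.iframes = []           # iframe src attributes
        self.forms = []             # dicts: {"action": str, "fields": [(type, name)]}
        self._form = None
        self._in_script = False
        self.context_menu_blocked = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes arrive as None
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))
        elif tag == "script":
            self._in_script = True
        # Inline handler such as <body oncontextmenu="return false;">
        if "return false" in a.get("oncontextmenu", "").lower():
            self.context_menu_blocked = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script-based suppression, e.g. document.oncontextmenu = function(){return false}
        if self._in_script and "oncontextmenu" in data:
            self.context_menu_blocked = True


def _host(url):
    return urlsplit(url).hostname or ""


def third_party_iframes(html, page_host):
    """Return iframe src URLs whose host differs from the host the page is served from."""
    c = _Collector()
    c.feed(html)
    return [src for src in c.iframes if _host(src) and _host(src) != page_host]


def audit_form_document(html, displayed_host):
    """Flag phishing indicators in a document the victim sees under displayed_host."""
    c = _Collector()
    c.feed(html)
    findings = []
    for form in c.forms:
        types = {t for t, _ in form["fields"]}
        names = {n for _, n in form["fields"]}
        action_host = _host(form["action"])
        if "password" in types and action_host and action_host != displayed_host:
            findings.append(f"password field posts to {action_host}, not {displayed_host}")
        extra = sorted(names & SENSITIVE_NAMES)
        if extra:
            findings.append("collects " + ", ".join(extra))
    if c.context_menu_blocked:
        findings.append("right-click suppressed")
    return findings


# Constructed sample: outer canvas page as it would be served from apps.facebook.com.
CANVAS_PAGE = """<html><body>
<iframe src="https://example-phish.invalid/verify.php" width="760" height="600"></iframe>
</body></html>"""

# Constructed sample: the document loaded inside that iframe.
EMBEDDED_FORM = """<html><body oncontextmenu="return false;">
<p>Your account has been temporarily suspended due to suspicious activity.</p>
<form method="post" action="https://example-phish.invalid/collect.php">
<input type="text" name="full_name"><input type="text" name="email">
<input type="password" name="password"><input type="text" name="country">
<input type="text" name="security_question"><input type="text" name="security_answer">
<input type="submit" value="Verify">
</form></body></html>"""

# Constructed sample: an ordinary same-origin login form, which should not be flagged.
BENIGN_FORM = '<form action="/login" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    print(third_party_iframes(CANVAS_PAGE, "apps.facebook.com"))
    print(audit_form_document(EMBEDDED_FORM, "apps.facebook.com"))
    print(audit_form_document(BENIGN_FORM, "apps.facebook.com"))
```

The check deliberately keys on the host the victim sees rather than the iframe document's own origin, because that mismatch is exactly what makes the iframe feature useful to a phisher. A relative form action (as in `BENIGN_FORM`) produces no finding, since it posts back to the displayed host.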

This is not the first time phishers and scammers have abused the iframe feature, so Facebook needs to address the issue. "Hosting spam, phishing and malware on facebook.com via IFrames could quickly become a very serious headache," the F-Secure researchers say.

Hopefully this will happen by October 1, the date by which the company has asked all app developers to acquire SSL certificates and serve their third-party content over HTTPS. That requirement raises the cost of setting up a rogue app, but it is not a cure on its own: a certificate authenticates the server hosting the iframe content, not the intent of the content, so a phishing domain with a valid certificate would still load.

Users should be cautious about account verification requests. While Facebook is known to require identity verification from account owners suspected of abuse, the company will never ask users to enter their credentials on pages hosted under apps.facebook.com, which is where third-party app content is displayed.