Facebook being subverted for phishing attacks and open redirects

In one example identified by the firm, an email message appears to come from Facebook Security, and requests that users confirm their account.

This, says Patrik Runald, a senior manager of security research with Websense, is just like other phishing attacks we see every day, but with the twist that the phishing page itself gets loaded from within the Facebook site using an iframe.

Using this approach, he noted in his security blog, "makes it look much more legitimate than a site hosted on another domain".

In a second example, Runald says there is a URL at the end of the phishing email that sends the user to www.facebook.com, where a script redirects the user to another website that contains the phishing page.

"Both of these attacks make it harder for the user to spot the malicious content directly from the email. Both messages do point to a valid Facebook URL", he said.

"In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely on heav[y] URL filtering to classify content", he added.
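The second attack above works because the link really does point at a trusted domain; a filter that classifies on the visible host alone passes it. The check below, added here as an illustration and not code from the article or from Websense, looks past the host and flags a trusted-domain link whose query string carries an absolute URL to some other domain. The redirector path and the sample URLs are constructed placeholders, not the endpoint the article refers to.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Domains the mail filter treats as "known good" on sight.
TRUSTED_DOMAINS = {"facebook.com"}


def is_trusted_host(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def embedded_redirect_targets(url):
    """Return (param, host) pairs for query values that are absolute or
    protocol-relative URLs pointing outside the trusted domains.
    Values are URL-decoded once; a relative path such as 'home' yields no host
    and is ignored."""
    targets = []
    for param, values in parse_qs(urlparse(url).query).items():
        for value in values:
            candidate = urlparse(unquote(value))
            # .hostname strips any userinfo, so 'https://www.facebook.com@evil'
            # resolves to 'evil' rather than to the trusted name.
            if candidate.scheme in ("http", "https", "") and candidate.hostname:
                if not is_trusted_host(candidate.hostname):
                    targets.append((param, candidate.hostname.lower()))
    return targets


def classify_link(url):
    """Classify a link found in an email body."""
    if not is_trusted_host(urlparse(url).hostname):
        return "external"
    if embedded_redirect_targets(url):
        return "trusted-host-with-external-redirect"
    return "trusted"


if __name__ == "__main__":
    # Constructed sample: trusted host, but the 'next' value leaves the domain.
    sample = ("https://www.facebook.com/PLACEHOLDER_redirector"
              "?next=https%3A%2F%2Fphish.example%2Flogin")
    print(classify_link(sample), embedded_redirect_targets(sample))
```

The useful signal is the combination: a host the filter trusts together with a query value that resolves to a host it does not.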

Runald has also posted an interesting video on YouTube showing a variant that appears to be a Zynga account notification, also hosted in part by Facebook.
