<<< NEWS FROM THE LAB - Friday, July 1, 2011 >>>

Facebook Apps IFrame Flaw Used For Phishing
Posted by Sean @ 18:59 GMT

Yesterday's post made note of a spammer who has figured out a way to embed his Cost Per Action (CPA) surveys into a Facebook application at apps.facebook.com.



An observant reader called Matthew wrote to inform us of a phishing attack that uses the very same technique.



The phisher's form fits seamlessly into facebook.com:







Fortunately, this still appears to be in the early stages, and the statistics indicate it isn't widespread.







Department of Facebook Security? Cute.



An IFrame on the app's page is the source of the problem:







Not the application.php page, but the app's own page (we're not sure what Facebook calls it; it's the page one ends up on after clicking the "Go to App" button).
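The analysis above boils down to two questions an analyst asks of such an app page: where is the IFrame content really loaded from, and does that framed content behave like a credential-harvesting form? The following is an added example (not code from F-Secure, Facebook or the phisher) that answers both with Python's standard-library HTML parser. The app name, the compromised host (a reserved `.example` domain) and both HTML snippets are constructed for the example; the list of hosts treated as first-party Facebook is an assumption.

```python
# Added example: triage a Facebook canvas-app page for a framed phishing form.
# Not F-Secure's or Facebook's code; all hosts and HTML below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FACEBOOK_HOSTS = ("facebook.com", "fbcdn.net")  # assumption: what counts as first-party


def is_facebook_host(host):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in FACEBOOK_HOSTS)


class PageScan(HTMLParser):
    """Collects iframe sources, forms with their inputs, and right-click blockers."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.forms = []  # each: {"action": str, "inputs": [(type, name), ...]}
        self.blocks_context_menu = False
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))
        elif tag == "script":
            self._in_script = True
        if "oncontextmenu" in a:  # inline handler such as <body oncontextmenu="return false">
            self.blocks_context_menu = True

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            if "contextmenu" in "".join(self._script_text):  # document.oncontextmenu = ...
                self.blocks_context_menu = True
            self._script_text = []


def offsite_iframes(app_page_html, app_page_url):
    """Return (host, absolute URL) for every IFrame not served from Facebook itself."""
    scan = PageScan()
    scan.feed(app_page_html)
    found = []
    for src in scan.iframes:
        full = urljoin(app_page_url, src)  # resolves relative and scheme-relative src values
        host = urlparse(full).hostname
        if not is_facebook_host(host):
            found.append((host, full))
    return found


def phishing_indicators(framed_html, framed_url):
    """Signs that framed content is harvesting Facebook credentials."""
    scan = PageScan()
    scan.feed(framed_html)
    indicators = []
    for form in scan.forms:
        if "password" in [t for t, _ in form["inputs"]]:
            action_host = urlparse(urljoin(framed_url, form["action"])).hostname
            if not is_facebook_host(action_host):
                indicators.append("password form posts to %s" % action_host)
    if scan.blocks_context_menu:
        indicators.append("right-click (context menu) blocked")
    return indicators


# Constructed sample: an app page on apps.facebook.com whose canvas is an off-site IFrame.
APP_PAGE_URL = "https://apps.facebook.com/example_app/"  # hypothetical app name
APP_PAGE_HTML = """<html><body><div id="canvas">
<iframe src="http://compromised-shop.example/fb/index.php" width="760" height="900"></iframe>
</div></body></html>"""

# Constructed sample: what that IFrame loads, styled to pass as a Facebook login box.
FRAMED_URL = "http://compromised-shop.example/fb/index.php"
FRAMED_HTML = """<html><body oncontextmenu="return false">
<form action="login.php" method="post">
Email: <input type="text" name="email">
Password: <input type="password" name="pass">
<input type="submit" value="Log In">
</form>
<script>document.oncontextmenu = function () { return false; };</script>
</body></html>"""

if __name__ == "__main__":
    for host, url in offsite_iframes(APP_PAGE_HTML, APP_PAGE_URL):
        print("IFrame content loaded from", host, "->", url)
    for indicator in phishing_indicators(FRAMED_HTML, FRAMED_URL):
        print("indicator:", indicator)
```

One caveat: every Facebook canvas app frames its developer's own site, so an off-Facebook IFrame source by itself is normal. The signal comes from combining it with what the framed page does, namely a password form whose action leaves Facebook and the kind of right-click blocking described further down.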



The IFrame is loaded from a compromised website, which appears to be a clothing webshop hosted in Indonesia.







We attempted to fill out the phishing form, at the source, with some bogus information, and got this prompt:







The form appears to check the entered details before accepting them.



The phishing site also discourages right-clicking, a common (and easily bypassed) attempt to stop visitors from viewing the page source.







There doesn't appear to be much talk of this on Facebook. It could be that phishing links are being e-mailed to potential victims.



Here's the one example we found:







Facebook introduced IFrames to applications several months ago. Trend Micro's Rik Ferguson blogged about the issue in February.



David F. Carr at InformationWeek wrote "Facebook iFrames: Good For Business, Bad For Security?" on March 21st.



And now it looks as if the issue may finally need to be addressed. Hosting spam, phishing and malware on facebook.com via IFrames could quickly become a very serious headache.



We have been in contact with Facebook's security team, and they're looking into the issue.



Updated to add on July 4th: Facebook's security team blocked the apps shortly after we made contact with them.



Meanwhile, yesterday, Sophos "security chap" Graham Cluley blogged about additional versions.



• apps.facebook.com/account_suport_help/

• apps.facebook.com/account-disable-info/



Facebook has blocked these as well.







When we went to examine the "suport" URL, we accidentally typed two "p"s instead of one, and discovered yet another phishing app.



• apps.facebook.com/account_support_help/



The Facebook app is still online, but the IFrame is obsolete and the phishing site component is no longer active.



There could be more of these lurking about, so take care.









