We sometimes see Facebook Apps pages being used for phishing scams, and here’s one that’s been doing the rounds recently:
apps(dot)facebook(dot)com/783348471781894
This apps page served up a website in a frame, which (unusually) changed since we first started looking at it.
Originally, the page claimed to be offering something called “Facebook Mentions”:
Welcome to Facebook Mentions
A new way for public figures to connect with their audiences on Facebook
Email or phone
Password
There is an actual Facebook Mentions app, which is for verified profiles only and aimed at actors, musicians and the like.
After a short time, the link inside the frame was pointed to another URL on the same .info domain:
Please login to continue
The page you are trying to visit requires that you re-login to your account
Password
Note the blue tick, designed to add an air of legitimacy.
Regardless of which start page you kicked things off with, potential victims would end up on the following request for information:
Request a Verified Badge
Facebook Mentions is only available to people with verified pages. To request a verified badge for your page, please fill out this form.
Page URL:
Government issued photo ID or articles of incorporation
Please attach a photo of your ID if you’re a public figure or articles of incorporation of you represent a media, entertainment or sports company
Official Website
If applicable, please provide a link to your official website
….can you say “Ouch”? Once the submit button was clicked, this is what the victim would see:
Thank you for contacting Facebook
You should receive an email response shortly. You may need to respond to it before we can assist you further
We never received an email so we can’t tell you what the next step would have been, but you should not be handing over a Government issued ID (or anything else, for that matter) alongside your Facebook login credentials.
The page hosting the Phish is in a frame, which you can pop open to take a closer peek at. A right click, “This Frame” and “Show page in new tab” would do the trick:
From here, we can see the URL the phish is hosted on which lets us confirm that we’re definitely not on Facebook.com (it’s possible that the .info URL has been stolen from the original owners and turned into a phish, however). One interesting thing to note – typically a phish page is not a HTTPS connection, which is a sure sign that some funny business is taking place. However, this page is indeed HTTPS and a good reminder that the presence of an (S) is not a guarantee that the page is genuine:
We reported the Apps page to contacts at Facebook, and it was taken down quickly:
The appeal of being “Verified” on Social Media sites is strong, and some may be tempted to just send information to the first offer of validation that comes along. You’re better off waiting for customer support to get back to you and advise on the offer you appear to be faced with – a few days wait is infinitely preferable to firing out personal ID to scammers. Once you’ve hit send, there’s no getting it back.
Christopher Boyd
