Malwarebytes researcher Chris Boyd came across the scam after being given a heads-up by a friend, and gave SCMagazineUK.com a detailed breakdown.
The scammer essentially “frames” a phishing page inside a genuine Facebook Apps page, so it carries a facebook.com URL of its own. The content inside the frame, however, is hosted elsewhere, on a server the scammer controls, and everything the victim types (email address, phone number, password and security question answers) is delivered to the scammer via email or a form submission.
Once all the information has been entered, the user hits “Log in” on the Verify Your Page app. To buy enough time to exfiltrate and use the credentials, the scammer then displays the following message:
"Thank you for contact Facebook verification team. Your reconfirm of the page will be processed within 24 hours. Please don't change your password and other security information until you received an e-mail from us."
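The point a defender should take from the description above is that a facebook.com address in the browser bar says nothing about where a framed form actually posts. The script below is an added example, not code from the article, Malwarebytes or Facebook: it parses the HTML loaded inside an app frame (a constructed sample; the host name and paths are invented) and flags any form that collects password, phone, email or security-question fields but submits to a host that is not facebook.com, including a mailto: action. The frame's real source URL is passed in so that relative actions resolve against the scammer's host rather than facebook.com.

```python
"""Flag credential-harvesting forms inside a framed "Facebook app" page.

Added illustration (not from the SC Magazine article or Malwarebytes).
A Facebook Apps canvas page carries a facebook.com URL, but the content
inside the frame is fetched from the developer's own server. This parses
that inner HTML and reports forms that gather sensitive fields yet submit
off-platform. All host names below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

TRUSTED_SUFFIXES = ("facebook.com",)
# Substrings in an input's name that suggest it collects account data.
SENSITIVE_HINTS = ("pass", "security", "answer", "phone", "email")


class FormCollector(HTMLParser):
    """Collects each <form>'s action/method and the (name, type) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or ""), (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_is_trusted(host):
    """True only for facebook.com itself or a subdomain of it (not look-alikes)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def find_suspicious_forms(html, frame_src_url):
    """Return [(resolved_action_url, [sensitive field names]), ...].

    frame_src_url is the URL the canvas iframe really loads, so an empty or
    relative action resolves to the scammer's server, which is the point.
    A mailto: action has no host and is therefore never trusted.
    """
    parser = FormCollector()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        action = urljoin(frame_src_url, form["action"])
        host = urlsplit(action).hostname or ""
        sensitive = [
            name for name, typ in form["fields"]
            if typ == "password" or any(h in name.lower() for h in SENSITIVE_HINTS)
        ]
        if sensitive and not host_is_trusted(host):
            hits.append((action, sensitive))
    return hits


# Constructed sample: what the inner frame of a fake "Verify Your Page" app
# might serve. The host is invented for this example.
SAMPLE_FRAME_SRC = "https://page-verify-team.example/fb/verify.php"
SAMPLE_HTML = """
<html><body>
<h2>Verify Your Page</h2>
<form method="post" action="submit.php">
  <input name="email" type="text">
  <input name="phone" type="text">
  <input name="pass" type="password">
  <input name="security_answer" type="text">
  <input type="submit" value="Log in">
</form>
<form method="get" action="https://www.facebook.com/help/">
  <input name="q" type="text">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, fields in find_suspicious_forms(SAMPLE_HTML, SAMPLE_FRAME_SRC):
        print("off-platform credential form ->", action, fields)
```

The same check can be run against a live canvas app by fetching the iframe's `src` and passing both the body and that URL to `find_suspicious_forms`; the benign help-search form in the sample shows that a form is only flagged when it both collects sensitive fields and posts away from facebook.com.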
Boyd told SCMagazineUK.com that this type of attack, while used by scammers since 2009, is rare.
“This particular scam dates back to 2009 – but it's not that common. I've seen instances of this in 2009, 2011, once in 2012 and 2013 – which was the Facebook appeal verification. Scammers don't really go for this as much as they could.”
Boyd added that once scammers have harvested Facebook credentials, they can go on to attack email and other services by trying the same passwords (“this could very quickly spiral out of control”), but praised Facebook, which has now removed the application, for improving its security measures.
“Facebook do remove a lot of scam pages; it is hugely popular for hoaxes and fake apps,” he said.
“Social networks are an awful lot better [for security] than they were six to seven years ago. Back then, we security researchers didn't have contact with them – they didn't want to speak to us.” Boyd added that spam attacks on Google+ and LinkedIn are relatively small by comparison, and said that Twitter scams are more obvious to end users.
“For cyber criminals, there are more things to do on Facebook. There are always more potential threats and scams.”
Facebook, which pays bug bounties to researchers who report flaws, has had more serious scares in the past, not least when the contact details of six million members were exposed by a bug in its Download Your Information tool. This, though, appears to be the latest example of scammers attacking the social network from inside its own perimeter, by abusing the platform's app hosting rather than a stand-alone phishing site.
“Social media channels are a big potential target for phishing and information theft – creating a fake Facebook App landing page is a new approach to tricking people out of giving up their credentials,” said OneLogin EMEA sales director Dan Power on hearing the news.
“The risk around this is that many people are now using Facebook as their credential into other social services as well. People should steer clear of logging into Facebook through any link in their email – open the mobile app or webpage manually instead.”
Sian John, security strategist at Symantec, told SC that phishers are experimenting with social media websites, and often seek financial gain.
“Social media is a common target for phishers for the purposes of identity theft. They are trying everything they can to improve their chances of harvesting user credentials and are known for experimenting with a variety of fake social media applications in a move to lure users.
“We're also seeing that phishers are now seeking financial gain from social networking phishing sites, for example requesting financial information as a requirement for improving user security.”