Security researchers at Netcraft spotted a new insidious phishing campaign that leveraged Facebook’s own trusted TLS certificate that is valid for all facebook.com subdomains.
The phishing page is designed to look like a Facebook verification form that is served via the Facebook app platform. This phishing attack works even when the victim in not already logged in. The crooks create an app that serves the phishing page from an external website via an iframe.
“This makes the page appear legitimate, even to many seasoned internet users; however, the verification form is actually served via an iframe from an external site hosted by HostGator. The external website also uses HTTPS to serve the fraudulent content, so no warnings are displayed by the browser.” states the blog post published by Netcraft
The attackers used the HTTPS for the external web site to serve the malicious page, so no warnings are displayed to the victims by their browser.
When victims visit the phishing page, the information they provide are sent back to the attacker’s server.
The researchers at Netcraft noticed that crooks also used another trick to deceive victims; when the victims first submit the information on the phishing page, an error message is displayed to the user that warns of incorrect credentials.
“To win over anyone who remains slightly suspicious, the phishing site always pretends that the first set of submitted credentials were incorrect. A suspicious user might deliberately submit an incorrect username and password in order to test whether the form is legitimate, and the following error message could make them believe that the credentials really are being checked by Facebook.” continues Netcraft.
Once the victims enter the login credentials for the second time, the page displays a message inviting them to wait up to 24 hours for the approval of the submission, just the time to allow attackers to take over the account and use it for a number of fraudulent activities.
An excellent protection against these attacks is the two-step verification implemented by Facebook on its accounts. Facebook also implements a login alerts feature to notify users when their account has been accessed from an unknown device.
(Security Affairs – Facebook Phishing, hacking)