November 29, 2010

Facebook used for phishing attacks and open redirects

Patrik Runald

Recently, at Websense Security Labs, we have seen Facebook being used to display phishing pages for different services, as well as to redirect to phishing pages hosted elsewhere. Below are two examples of what the phishing attempts look like: 


The first email message appears to come from Facebook Security, and requests that users confirm their account. This is just like other phishing attacks we see every day. The twist here is that the phishing page itself gets loaded from within the Facebook site using an iframe. This makes it look much more legitimate than a site hosted on another domain. 


The second message is similar, but there's another URL towards the end. Clicking the link sends the user towww.facebook.com, where a script redirects the user to another Web site that contains the phishing page. 

Both of these attacks make it harder for the user to spot the malicious content directly from the email. Both messages do point to a valid Facebook URL. In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely on heavily URL filtering to classify content. 

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.