Phishers exploit Facebook features

Phishing e-mails supposedly coming from the Facebook Security Team with account deactivation warnings have been hitting inboxes around the world.

The targeted users are led to believe that their account will be deactivated within the next 24 hours if they don’t “confirm” the account by following the offered link and entering their Facebook login credentials into the phishing page that – according to Websense researchers – “gets loaded from within the Facebook site using an iframe.”

The second variant of the e-mail is similar, but the offered “re-confirmation” link sends the victim to and URL on the facebook.com domain, where a script performs a redirection to the phishing page.

Setting aside the obvious lousy spelling and badly formed sentences that should point the potential victim to the fact that these e-mails don’t actually come from Facebook, the offered link could reassure some of them since they are valid Facebook URLs – and help the e-mails evade some anti-spam filters.

In both cases, the scammers have abused Facebook features to mount the attacks. The social network’s platform allows the loading of content from third party servers via iframes and employs open redirect scripts to pass all of its requests to outside URLs – things that it can’t do without if it wants to keep offering to its users all they are accustomed to.