Facebook Application Page Used For Phishing Scam?

| | Comments (1)
When you're looking into dubious activities online, you don't always catch bad guys in the act - every now and again, you get there a little too late and have to put the pieces together as best you can.

I'd heard rumblings of people using Facebook application pages in weird and not so wonderful ways, but hadn't actually seen it in action. Digging around, I was somewhat surprised to see the following greeting me on a Facebook application page for something called "Customer Dispute":

facephish1.jpg
Click to Enlarge

As you can see, something is very wrong here - there's a valid Facebook URL:

apps.facebook.com/customer_dispute/

...but instead of a standard Facebook application install screen under the URL as you'd expect, the entire content is taken up by a "Page not found" message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).

A quick Google for this "Customer Dispute" page and from a hacking forum we see...

facephish30.jpg

..."New form of Facebook phishing"? Oh dear.

It seems someone set up an application developer account with Facebook, placed a fake "customer dispute page" onto their Ripway hosting, which they were somehow able to post onto their Application page and start directing Facebook users to it.

I don't know about you, but people are always complaining about something on Facebook - throw in a fake "dispute" page onto an actual Facebook URL and you're probably going to see stolen accounts roll in 24/7.

I was dying to know exactly what form the fake Customer Dispute page took, but the person responsible had obviously developed cold feet and pulled it. We notified both Ripway and Facebook, and also asked if they could enlighten us exactly what the content of the fake page was before whoever uploaded it took it down.

Ripway quickly closed the account of the uploader:

facephish007.jpg

The thread on the hacking forum magically vanished, presumably because the creator didn't want evidence lying around the net tying it back to him:

facephish707.jpg

Facebook (to their credit) reacted quickly - the dubious application URL now looks like this, which is a genuine "not found" page from Facebook with links that direct you back to the main site:

facephish601.jpg
Click to Enlarge

.....a lot better than "phony content goes here".

I'm not naive enough to have actually expected either company to get back to me, but it would have been useful in knowing what we're dealing with here. While I can appreciate Facebook aren't going to go yelling about this scam from the rooftops if they can help it, they surely have a responsibility to at least warn their users that people are doing something very dubious with Application pages. Of course, it makes it harder for myself to warn you with specifics with regards the exact content of the page that was removed too.

At this point, all I can say is that

1) It seems very likely (based on both the comments posted to that hacking forum and elsewhere) that it was indeed some kind of phony customer dispute phish plastered onto the application page. The exact form that this page took is currently up for debate.

2) If one person has done this, it's entirely possible others have - with that in mind, if you see an

apps.facebook.com

URL, but NO application - then be wary, especially if it's asking you to enter login details (Facebook credentials would, of course, be the obvious target). Otherwise you might end up with a clear case of Two Point Doh...

1 Comments

Just as a note, Chris, in case you weren't aware: You can create Facebook application pages which don't require an install first. Such pages do not have access to a user's profile data. They're meant to allow users to try at least the basic features of an application before authorizing it on their account.

Of course, since the application code was offline when you tried to load the application, it's unclear whether the app requested an install first or not.

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on August 17, 2009 8:41 AM.

Fake Windows 7 Serial Generators was the previous entry in this blog.

Two Facebook Threats In One Day... is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.