This week Facebook announced it has reached 1.65 billion users. At the same time, a new phishing scam has been discovered that targets Facebook users and attempts to steal their login credentials. The scam inserts a fake website window known as an iframe inside the real Facebook site, prompting users to re-enter their username and password under the guise of a “Facebook Page Verification.” 

An iframe is a document embedded inside a website which can insert contents from another online source. According to researchers at NetCraft, the source of this iframe is outside of Facebook, allowing attackers to collect user information through the fake form. Phishing scams involve cybercriminals who attempt to acquire sensitive information by posing as a trustworthy entity such as a social network. While there has been no mention of how users are being directed to this fake page within Facebook, the likely source would be through email links or through links sent by compromised Facebook accounts. 

The information targeted in this phishing attack includes the user’s email, phone number, password, security question and answer used to log in to a Facebook account. In addition to embedding a very convincing Facebook-style prompt within Facebook’s own pages, this phishing attack forces users to enter their information twice, giving them an error message the first time they enter their credentials. This ensures that if users suspect a phishing attempt and enter fake credentials, they’ll be reassured the prompt is legitimate. Additionally, this lets the cybercriminals verify the stolen credentials by forcing users to provide them twice. According to security researchers at NetCraft, “This phishing attack works regardless of whether the victim is already logged in, so there is little chance of a victim being suspicious of being asked to log in twice in immediate succession."