We sometimes see Facebook Apps pages being used for phishing scams, and here’s one that’s been doing the rounds recently:
This apps page served up a website in a frame, which (unusually) changed since we first started looking at it.
Originally, the page claimed to be offering something called “Facebook Mentions”:
Welcome to Facebook Mentions
A new way for public figures to connect with their audiences on Facebook
Email or phone
There is an actual Facebook Mentions app, which is for verified profiles only and aimed at actors, musicians and the like.
After a short time, the link inside the frame was pointed to another URL on the same .info domain:
Please login to continue
The page you are trying to visit requires that you re-login to your account
Note the blue tick, designed to add an air of legitimacy.
Regardless of which start page you kicked things off with, potential victims would end up on the following request for information:
Request a Verified Badge
Facebook Mentions is only available to people with verified pages. To request a verified badge for your page, please fill out this form.
Government issued photo ID or articles of incorporation
Please attach a photo of your ID if you’re a public figure or articles of incorporation of you represent a media, entertainment or sports company
If applicable, please provide a link to your official website
…can you say “Ouch”? Once the submit button was clicked, this is what the victim would see:
Thank you for contacting Facebook
You should receive an email response shortly. You may need to respond to it before we can assist you further
We never received an email so we can’t tell you what the next step would have been, but you should not be handing over a government-issued ID (or anything else, for that matter) alongside your Facebook login credentials.
The page hosting the phish is in a frame, which you can pop open to take a closer peek at. A right click, “This Frame” and “Show page in new tab” would do the trick:
From here, we can see the URL the phish is hosted on, which lets us confirm that we’re definitely not on Facebook.com (it’s possible that the .info URL has been stolen from the original owners and turned into a phish, however). One interesting thing to note – typically a phish page is not served over an HTTPS connection, which is a sure sign that some funny business is taking place. However, this page is indeed HTTPS, and a good reminder that the presence of an (S) is not a guarantee that the page is genuine:
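One way to automate the check described above, as an added example that is not part of the original post: parse the app page’s HTML, pull out every frame target, and flag any frame whose host is not facebook.com (or a real subdomain of it), regardless of whether it uses HTTPS. The HTML and the .info hostnames below are constructed for the example, not taken from the scam.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real scam): an app-style page that wraps
# other sites in frames, as the Facebook Apps page described above did.
SAMPLE_HTML = """<html><body><div id="app">
  <iframe src="https://fb-mentions-verify.example.info/login.php"></iframe>
  <iframe src="https://www.facebook.com/help/"></iframe>
  <iframe src="//facebook.com.example.info/re-login"></iframe>
</div></body></html>"""

# Domains that may legitimately appear inside a frame on this page.
TRUSTED_DOMAINS = ("facebook.com",)

class FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe>/<frame> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Match on label boundaries: 'facebook.com.example.info' ends with the
    text 'facebook.com' but is not a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def classify_frames(html, trusted=TRUSTED_DOMAINS):
    """One record per frame: target host, whether it is HTTPS, and whether
    the host is trusted. HTTPS plays no part in the trust decision."""
    parser = FrameCollector()
    parser.feed(html)
    records = []
    for src in parser.sources:
        parsed = urlparse(src, scheme="https")  # handles '//host/...' too
        host = parsed.hostname or ""
        records.append({"src": src, "host": host,
                        "https": parsed.scheme == "https",
                        "trusted": host_is_trusted(host, trusted)})
    return records

def untrusted_frame_hosts(html, trusted=TRUSTED_DOMAINS):
    """Hosts a victim would actually be typing credentials into."""
    return [r["host"] for r in classify_frames(html, trusted) if not r["trusted"]]
```

All three frames in the sample are HTTPS, and two of them are still flagged, which is the point of the check.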
We reported the Apps page to contacts at Facebook, and it was taken down quickly:
The appeal of being “Verified” on social media sites is strong, and some may be tempted to just send information to the first offer of validation that comes along. You’re better off waiting for customer support to get back to you and advise on the offer you appear to be faced with – a few days’ wait is infinitely preferable to firing out personal ID to scammers. Once you’ve hit send, there’s no getting it back.