Facebook's own TLS cert used by crooks in double logon phish

Netcraft security man Paul Mutton says phishers are using Facebook's TLS certificate to create a 'remarkably convincing' scam that would go unnoticed by most users.

The phish uses an iframe to serve a Facebook verification form, but that form isn't from The Social Network^TM. Instead, the form comes from an external Hostgator site that uses HTTPS and Facebook's certificate.

That combination means browsers don't warn users of the impending danger.

Once users log in from the form in the iframe form, a second fake login form appears claiming that the details into the first fake form were incorrect. Users are prompted to log in again.

A login successful page appears after the user has submitted their details for the second time claiming that the victim will receive a verification approval email within the next 24 hours.

"Fraudsters are abusing Facebook's app platform to carry out some remarkably convincing phishing attacks against Facebook users," Mutton says.

"To win over anyone who remains slightly suspicious, the phishing site always pretends that the first set of submitted credentials were incorrect."

Users should alter their security settings to enable login approvals that ask for two-factor authentication whenever logins occur from unknown origins. ®