Going Phishing On A Facebook Apps Page

Going Phishing On A Facebook Apps Page

What is it? A Facebook Phish, lurking on an Apps page.

Why is it a problem? Despite this scam method having been around since at least 2009, many Facebook users may not be aware that scammers can effectively “frame” a phish page hosted elsewhere against a genuine Facebook apps page URL. It may look like the real deal, but all the information entered into the page is being delivered to the scammer via email or form.

Have we reported it to Facebook? Yes, and they were very quick to have the offending apps page taken down.

The apps page in question was located at


and displayed a fake identity verification form hosted at


Fake Facebook login

The page says:

“Login to access the fanpage security center”

and asks for email / phone, password, security question, answer, phone (again) and page name.

Once all of the information has been filled in and the user hits “Log In”, they’re shown the following page:

Check out the section I’ve highlighted in bold text – it’s a fairly common trick to ensure that once you’re phished, you don’t go ruining their day by changing your login before they can get around to hijacking it:

“Thank you for contact Facebook verification team. Your reconfirm of the page will be processed within 24 hours.

Please don’t change your password and other security information until you received an e-mail from us.

If ever you think you’ve fallen for a phish, rest assured that changing your password and associated security information should be right at the top of your to-do list.

Here’s the site hosting the phish as seen outside of the legitimate Facebook apps URL:

Phishing (not) in the frame

Here’s what the apps page looks like since we reported it to Facebook:

App offline.

“The app Verify Your Page is temporarily unavailable due to an issue with its third party developer. We are investigating the situation and we apologize for any inconvenience”

There’s a lot of scams bouncing around on social networks, and users of Facebook are traditionally a hot target. More often than not, the threats involve fake videos and hoax celebrity deaths but it pays to remember that alongside the bogus apps there can also be phony logins lying in wait on those very apps pages. If in doubt, change your login credentials before you find yourself locked out and waiting in a support email queue.

Compromised accounts can be recovered, but it’s a lot more straightforward not to have to jump through those hoops in the first place.

Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.