In the past, the tabs that could be added to these pages have been set up in two ways: the first used the Facebook Markup Language (FBML) app. This app allowed page tabs to be created using static FBML or HTML. It wasn't particularly engaging, but it was very simple to use.
The second method for creating page tabs was by adding a custom Facebook app embedded inside a standard FBML tab. This approach meant the custom app could request external data from a third party and display it inside the page tab. It worked fine, but the external content was subject to many technical limitations, as it was all proxied through Facebook.
Facebook infrastructure changes
So what is the big deal? Facebook now allows iFrames to be included inside Facebook apps on page tabs, so all that Facebook proxying can be avoided. While this change is probably great news for legitimate developers, it will undoubtedly also make life much easier for those with malicious intent.
These changes to the Facebook page infrastructure mean it is now possible to set up a Facebook page, create a default landing tab — the one you first see when you visit the page — and include an app that contains an iFrame.
The script has the net effect of redirecting unsuspecting visitors to these compromised sites. The redirection most often leads to pages hosting fake antivirus or servers hosting exploit kits. An exploit kit is designed to probe the visiting computer for vulnerabilities the moment it hits the criminal site and use them to install malware silently, without any action from the user. This technique is known as a drive-by attack.
Exploit kits are becoming increasingly popular in criminal circles because they are effective and simple to use. Their primary purpose is to aid in botnet recruitment.
Of course Facebook asks its developers to agree to a code of conduct that prohibits such activities. But when it comes to criminals, that's a bit like taking a driving licence away from a joyrider.