Facebook Pages: If it ain't broke...

Recent changes to Facebook Pages designed to help developers also aid cybercriminals, says Rik Ferguson
Written by Rik Ferguson, Contributor

Social-networking site Facebook's recent changes have been made with the best of intentions. Unfortunately, they leave the door open to those whose motives are less than honourable, says Rik Ferguson.

Facebook has made some important changes to the way Facebook Pages — the fan pages set up by brands, bands and even cucumbers — can be created.

In the past, the tabs that could be added to these pages have been set up in two ways: the first used the Facebook Markup Language (FBML) app. This app allowed page tabs to be created using static FBML or HTML. It wasn't particularly engaging, but it was very simple to use.

The second method for creating page tabs was by adding a custom Facebook app embedded inside a standard FBML tab. This approach meant the custom app could request external data from a third party and display it inside the page tab. It worked fine, but the external content was subject to many technical limitations, as it was all proxied through Facebook.

Facebook infrastructure changes

That process broke many things, including tracking pixels, JavaScript and Flash. In what looks like an attempt to make Facebook Pages more attractive to web developers, the platform has undergone a few changes.

So what is the big deal? Facebook now allows iFrames to be included inside Facebook apps on page tabs, so all that Facebook proxying can be avoided. While this change is probably great news for legitimate developers, it will undoubtedly also make life much easier for those with malicious intent.

These changes to the Facebook page infrastructure mean it is now possible to set up a Facebook page, create a default landing tab — the one you first see when you visit the page — and include an app that contains an iFrame.

That iFrame can, of course, contain JavaScript that immediately and without user interaction redirects you to any site it chooses. So, for example, it could send you to a page containing fake antivirus or a page where an exploit kit is waiting to infect you silently with malware.

Chain leading to compromised computers

No more need for 'clickjacking' — tricking users into posting a Facebook status update — and no more having to persuade users to install your app. If a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes.

iFrames have long been a favoured tool for cybercriminals. For several years now, iFrames have been injected by criminals into vulnerable legitimate websites that they are able to compromise. The iFrames are coded to be invisible to the naked eye and often contain nothing more than a heavily obfuscated simple JavaScript.

The script has the net effect of redirecting the unsuspecting visitors of these compromised sites elsewhere. The redirection most often leads to pages hosting fake antivirus or servers hosting exploit kits. An exploit kit is designed to seek out vulnerabilities present on the computer that hits the criminal site and use them to install malware silently. This technique is known as a drive-by attack.
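A defender-side check for the pattern described above, added here as an illustrative example (it is not code from the column, from Facebook or from Trend Micro): it scans page markup for iframes that are sized or styled to be invisible and for inline scripts that rewrite the browser location. The sample HTML and the bad.example hostname are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary iframe, one 1x1 hidden iframe and
# one inline script that redirects the visitor without any interaction.
SAMPLE_HTML = """
<html><body>
<h1>Fan page</h1>
<iframe src="https://app.example/tab" width="520" height="400"></iframe>
<iframe src="http://bad.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>window.location.replace("http://bad.example/land")</script>
</body></html>
"""

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Assignments to or calls on window/document/top location inside a script.
REDIRECT_JS = re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]", re.I)


class SuspiciousMarkupScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, target, reason) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            w, h = a.get("width", ""), a.get("height", "")
            if self._tiny(w) or self._tiny(h):
                reasons.append("tiny dimensions %sx%s" % (w or "?", h or "?"))
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden via CSS")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), "; ".join(reasons)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the whole script body to handle_data as one chunk.
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("script", data.strip()[:60], "location redirect"))

    @staticmethod
    def _tiny(value):
        digits = value.strip().rstrip("px")
        return digits.isdigit() and int(digits) <= 1


def scan_html(html):
    """Return (kind, target, reason) tuples for hidden iframes and script redirects."""
    p = SuspiciousMarkupScanner()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, target, reason in scan_html(SAMPLE_HTML):
        print(kind, target, "->", reason)
```

Heavily obfuscated scripts will not match the redirect pattern as plain text; the iframe checks still apply, and the script finding is a signal for manual review rather than a verdict.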

Exploit kits are becoming increasingly popular in criminal circles because they are effective and simple to use. Their primary purpose is to aid in botnet recruitment.

Of course Facebook asks its developers to agree to a code of conduct that prohibits such activities. But when it comes to criminals, that's a bit like taking a driving licence away from a joyrider.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.
