Recently, at Websense Security Labs, we have seen Facebook being used to display phishing pages for different services, as well as to redirect to phishing pages hosted elsewhere. Below are two examples of what the phishing attempts look like:

The first email message appears to come from Facebook Security, and requests that users confirm their account. This is just like other phishing attacks we see every day. The twist here is that the phishing page itself gets loaded from within the Facebook site using an iframe. This makes it look much more legitimate than a site hosted on another domain.

The second message is similar, but there's another URL towards the end. Clicking the link sends the user to www.facebook.com, where a script redirects the user to another Web site that contains the phishing page.

Both of these attacks make it harder for the user to spot the malicious content directly from the email. Both messages do point to a valid Facebook URL. In addition, the inclusion of valid Facebook URLs makes protecting users somewhat harder for anti-spam solutions and Web filtering products that rely on heavily URL filtering to classify content.

Below is a video of both attacks in action. The video also shows a variant that looks like a Zynga account notification, also hosted in part by Facebook. Our customers have been protected against this threat by ACE, our Advanced Classification Engine.