A new phishing attack bent on stealing Facebook credentials has been spotted – and it’s turning researchers’ heads due to how well it hides its malicious intent.
Researchers with password management company Myki on Thursday said that attack reproduces a social login prompt in a “very realistic format” inside an HTML block. That block is embedded on a malicious website that victims must first be convinced to visit.
“We would like to raise awareness on the issue as quickly as possible, due to how realistic and deceptively convincing the campaign is,” Antoine Vincent Jebara, co-founder and CEO of Myki, said in an analysis of the scam.
Jebara investigated the scam after Myki password manager users started complaining that the manager was not auto-filling passwords on specific websites for popular domains. “Our investigation led us to suspect that these users might have visited a similar kind of phishing sites,” he said.
A bad actor was able to design a very realistic-looking social login popup prompt in HTML. The status bar, navigation bar, shadows and content were perfectly reproduced to look exactly like a legitimate login prompt.
When a victim visits a malicious website (which an attacker could somehow convince them to visit, using social engineering tactics or otherwise), they would be prompted to log into their Facebook account via a false login prompt.
In a video demo outlined by researchers (see below) they showed a popup that appeared when they were trying to read an article on a site purporting to be The News Weekly Journal, which says “Login with Facebook to access the article.”
Researchers noted that the pop-up looks realistic to the point where users can interact with it, drag it and dismiss it the same way they would a legitimate prompt.
Once they fill out their username and password, that information is sent to the attacker, Jebara said.
“The only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in,” he said. “If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”
In general, as a precaution users should always drag popups away from their initial position to spot for abnormal behavior, he said.
“Most password managers are not sensitive to this kind of phishing attack as they look at the window URL to determine what password to auto-fill which in this case is not facebook.com,” according to the researchers.
According to a recent Proofpoint “State of the Phish” report, 83 percent of respondents experienced phishing attacks in 2018 – up 5 percent from 2017. That may not come as a surprise. In just the last year phishing has led to several massive hacks – whether it’s hijacking Spotify users’ accounts or large data breaches like the December San Diego Unified School District breach of 500,000.