A new phishing campaign is targeting Apple iOS users and could be adapted for Android devices. The campaign targeting mobile users leads to a malicious page, prompting the user to authenticate using Facebook social login.
How does the attack work?
The latest attack works as follows:
- Upon clicking the ‘Login with Facebook’ button, the user is prompted by the OS to confirm their intent to use Facebook to log in.
- Safari launches a new tab and the user is prompted to authenticate on Facebook.
Despite appearing legitimate, almost everything in this flow is fake. The OS prompt to confirm the action is fake, and the tab switch in Safari is fake too: it is a pre-recorded video of tabs switching, played as soon as the user confirms their intent to log in. The Facebook login page is also fake; it is an overlay drawn on top of the current page that makes it look like an authentic Facebook page.
However, the attack is “poorly implemented” and contains flaws from both a process and a design point of view. For example, genuine Login with Facebook prompts are presented as a separate window in Safari, not as an additional tab that the user is switched to. This just goes to show how little users know about how software is supposed to behave in specific scenarios. Although hackers would probably implement this campaign in a more realistic way, a majority of users would still fall for the attack in its current form, because the details that give it away are relatively subtle.
The growth of phishing
Phishing attacks have been succeeding for years, and one reason is that they are simple and effective for hackers to carry out. They can also be run at scale, with hackers hoping that enough people will fall for them. The financial sector was a major target: over 44% of all phishing attacks detected were aimed at banks, payment systems and online shops. Meanwhile, 18.32% of unique users encountered phishing.
How do you avoid phishing attacks like this one?
- Users should learn to be more skeptical and ask questions when prompted to provide any kind of information online.
- Check the web addresses in unknown or unexpected messages to make sure they are genuine.
- If you are not sure whether a website is genuine and secure, never enter your credentials.
- If you think that you may have entered your login and password on a fake page, immediately change your password and call your bank or other payment provider if you think your card details were compromised.
- Always use a secure connection and don’t use unknown or public Wi-Fi without password protection. A VPN is useful, especially if you’re working from locations such as coffee shops.
- Use strong passwords and use two-factor authentication where possible.
If you have any questions about cybersecurity and ways to keep your data safe, don’t hesitate to give our office a call.