Apple iPhone users might be at risk of losing their sensitive data to a phishing scam that is doing the rounds on Facebook
Security experts have warned that a new phishing campaign is targeting Apple device users and could be adapted for Android users, Forbes has reported. The latest campaign, aimed at mobile users, leads to a malicious page that asks the user to log in with their Facebook credentials on a website that mimics Airbnb, researchers at Myki said in the report.
The latest discovery follows an earlier warning from the same researchers about a phishing attack built on a similar idea: reproducing a social login prompt, in a seemingly genuine form, inside an HTML block.
How does the targeting work?
- When users tap ‘Login with Facebook’, the OS prompts them to consent to using Facebook to log in.
- Safari pops open a new tab, prompting the user to authenticate with Facebook.
- Despite looking authentic, according to Myki, nearly every element is a forgery.
“The prompt to authenticate the action is fake: It is an image displayed within the HTML document that makes it look like an iOS prompt,” Myki CEO Antoine Vincent Jebara wrote in his blog post.
The Myki CEO continues, “The tab switching in Safari is also fake; it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in. The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page.”
Myki, however, notes that the attack is “poorly implemented” and that “multiple flaws from both design point of view and a process” can be spotted.
Jebara gives an example: genuine Facebook login prompts in Safari are shown as an external window, not as an additional tab that the user is switched to, and here the original site’s URL remains visible in minimized form above the forged Facebook navigation bar.
Jebara rues, “This just goes to show how little users know about how software is supposed to behave in specific scenarios.”
Nonetheless, it is safe to assume the attackers will eventually roll out the campaign in a more convincing form; even so, many users are still likely to fall for it in its present form. After all, the Myki CEO notes that the details that give it away are quite subtle.
How to avoid phishing attacks such as this?
Myki CEO Jebara goes on to say that users should learn to be “more sceptical” and ask questions whenever they are asked for information online.
Kaspersky, Forbes says in its report, advises users to check the web addresses in unexpected or unknown messages to ensure that they are genuine and that the visible link does not hide another hyperlink.
“If you are not sure that the website is genuine and secure, never enter your credentials. If you think that you may have entered your login and password on a fake page, immediately change your password and call your bank or other payment providers if you think your card details were compromised,” Forbes quotes Kaspersky as advising.
Be sure to use a secure connection and avoid unknown or public Wi-Fi networks without password protection. A VPN can be quite useful, particularly if you’re sitting in locations like coffee shops.
The usual advice about strong passwords and two-factor authentication still applies. A password manager can also protect you from this kind of attack: a password manager that runs iOS 12 Auto-Fill would probably not offer to autofill your Facebook password on such a page, and that in itself is an indication that the page is not authentic.