
New Phishing Attack That Even Expert Users Cannot Spot


How do you check whether a website is fake or real? By checking that the URL is correct? By checking that the site uses HTTPS? Or by using software that detects phishing domains?

Like most Internet users, you may still fall victim to a newly discovered, creative phishing attack and end up giving away your passwords to hackers.

Antoine Vincent Jebara, co-founder and CEO of password management software Myki, told Hack Hex that his team spotted a new phishing attack campaign “that even the most vigilant users could fall for.”

Vincent found that hackers are already sharing links to blogs and services that prompt visitors to first “login using Facebook account” to read an article or purchase a product.

Login with Facebook is a safe method and is being actively used by a large number of websites to make it easier for visitors to sign up.

How does it work?

When you click the “log in with Facebook” button, you are either redirected to, or served with, a new pop-up window asking you to enter your Facebook credentials so the service can access your profile’s necessary information.

Vincent found that, after users click the login button, the malicious links serve them a realistic-looking fake Facebook login page designed to capture their credentials, just like any phishing site.

Vincent informed us that the fake pop-up login prompt is actually created with HTML and JavaScript, and is reproduced to look and feel exactly like a legitimate browser window.

Users can also interact with the fake browser window, drag it around, or close it, just as they would a real window.

The only way to protect yourself from this, according to Vincent, “is to actually try to drag the prompt away. If dragging it out fails, it’s a definite sign that the popup is fake.”
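Because the fake prompt is HTML and JavaScript inside the visited page, the document holding the password field keeps that page's origin, whatever the drawn address bar says. The following is an added example, not code from the article or from Myki, of the origin check a password manager or extension could apply; the function names and the sample URLs (`blog.example`, `login.example`) are constructed for illustration.

```javascript
// Added example (not from the original article): origin check for a login prompt.
// A fake popup built from HTML/JS lives inside the visited page, so the document
// that holds the password field keeps the visited page's origin, whatever URL
// the drawn "address bar" shows.

const EXPECTED_LOGIN_DOMAIN = "facebook.com"; // brand the prompt claims to be

// True when host is the domain itself or a subdomain of it (dot boundary),
// so "facebook.com.login.example" and "evilfacebook.com" do not match.
function hostBelongsTo(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");
  return host === domain || host.endsWith("." + domain);
}

// documentUrl: URL of the document that actually contains the password field
//   (assumption: in a browser, the field's ownerDocument.location.href).
// displayedUrlText: text shown in the prompt's address bar, if any.
function assessLoginPrompt(documentUrl, displayedUrlText) {
  let real;
  try {
    real = new URL(documentUrl);
  } catch {
    return { trusted: false, reason: "unparseable document URL" };
  }
  if (real.protocol !== "https:") {
    return { trusted: false, reason: "password field not served over HTTPS" };
  }
  if (!hostBelongsTo(real.hostname, EXPECTED_LOGIN_DOMAIN)) {
    const claims = /facebook\.com/i.test(displayedUrlText || "");
    return {
      trusted: false,
      reason: claims
        ? "address bar text claims facebook.com but field lives on " + real.hostname
        : "field lives on " + real.hostname,
    };
  }
  return { trusted: true, reason: "field hosted on " + real.hostname };
}

// Constructed sample inputs: real popup, in-page fake, lookalike host.
const samples = [
  ["https://www.facebook.com/login.php", "https://www.facebook.com/login.php"],
  ["https://blog.example/article", "https://www.facebook.com/login.php"],
  ["https://facebook.com.login.example/", "https://facebook.com/"],
];
for (const [doc, shown] of samples) {
  console.log(doc, "->", assessLoginPrompt(doc, shown));
}
```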

It is always recommended to enable two-factor authentication so that hackers with access to your credentials can’t access your profile.
