A cybersecurity researcher has shared details of a new phishing campaign with Hack Hex that has been designed to target mobile users. The phishing attack is also based on the idea that a malicious web page could mimic look and feel of the browser window to trick even the most vigilant users into giving away their login credentials to attackers.
Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, demonstrating how attackers can reproduce native iOS behavior, browser URL bar and tab switching animation effects of Safari in a very realistic manner on a web-page to present fake login pages, without actually opening or redirecting users to a new tab.
Phishing Attack Targets Mobile Browser Animation and Design
A malicious website that looks like Airbnb prompts users to authenticate using Facebook login, but upon clicking, the page displays a fake tab switching animation video aimed to trick users into thinking that their browsers are behaving normally.
“The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page,” Jebara said.
“From the moment a user accesses the malicious website, they are manipulated into performing actions that seem legitimate, all with the purpose of building up their confidence to submit their Facebook password at the final stage of the attack.”
If users are not very attentive to details and fail to spot minor differences, they would eventually end up filling the username and password fields on the phishing page, resulting in giving away their social media credentials to the attackers.
“This attack is poorly implemented and contains multiple flaws from both a process and design point of view. Login with Facebook prompts are presented as an external window in Safari, not as an additional tab that the user is switched to, as the origin URL still appears in minimized form over the fake Facebook navigation bar,” Jebara said.
“Although hackers would probably implement this campaign in a more realistic manner, in its current form, a majority of users would fall for this attack, as the details that give it away are relatively subtle, and more importantly, the user is shown specific ‘familiar’ actions that seem to turn off the part of the brain that doubts the legitimacy of the page.”
How to Protect Yourself
Since there are no clear guidelines to spot such creative phishing attacks, users are highly recommended to:
- Use password managers that only auto-fill credentials on legit domains, helping you avoid giving away credentials to fake websites.
- Enable two-factor authentication, wherever available, preventing hackers from accessing your online accounts even if they somehow manage to steal your credentials.
Besides this, Jebara also suggests users ask themselves “Why am I asked to log in?” Or “Am I not already logged in to this?” when hackers try to mimic the logins of popular websites for which you already have an app on your smartphone.