This Facebook Phishing Scam Can Fool "Even The Most Vigilant Users"

Login credentials are probably the most valuable sensitive information on the web, and phishing scammers are doing all they can to get their hands on them.

One such attempt was discovered by the password manager service Myki. While analyzing a bug report against its Auto-Fill functionality, which turned out to be a false alarm, the company found a phishing campaign that "even the most vigilant users could fall for."

The scammers steal Facebook login credentials by presenting convincing replicas of single sign-on (SSO) login windows on malicious websites, the researchers said.

"The attack is based on the concept of being able to reproduce a social login prompt in a very realistic format inside an HTML block," said Myki.

Phishing prevention guidelines advise users to check the URL in the address bar and to look for HTTPS.

In this case that advice does not help as it is usually applied, because the address bar the victim reads is not the browser's own: the entire popup, address bar included, is generated as HTML inside the attacker's page and can be drawn to show any URL the attacker likes. Only the browser's real address bar, the one above the third-party site itself, shows where the login form actually lives.

In the video below, the malicious login window looks almost identical to the real Facebook SSO prompt. It reproduces almost perfectly what users expect to see: the status bar, the navigation bar, the window shadows and an HTTPS Facebook address are all present, and the scammers made each of them look nearly indistinguishable from the real thing.

However, the window on the phishing page is rendered from a block of HTML rather than by calling an API that opens a genuine Facebook window, which would be a separate browser window with its own address bar. Anything typed into the form in the fake SSO window is therefore sent directly to the scammers.

While the design is certainly convincing, there are several ways to tell it is a fake.

The real Facebook SSO prompt is a separate browser window, so it can be dragged outside the window of the third-party site without any part of the login prompt disappearing. The fake one is an element of the page itself, so when dragged towards the edge of the site's window it is clipped and disappears.

"If dragging it out fails (part of the popup disappears beyond the edge of the window), it's a definite sign that the popup is fake," said Myki.

Myki users can also tell the fake and the real SSO prompt apart with the password manager itself. Myki's Auto-Fill does not trigger on the fake one, because autofill is keyed to the page's actual origin rather than to what is displayed, and whatever the address painted in the HTML block says, the page actually being visited was not on Facebook's domain.

Users who can read HTML can also spot the forgery by viewing the page's source code: the "popup", its address bar included, is ordinary markup inside the third-party page, and its form does not submit to Facebook.
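As an added example, not code from Myki or from the article, the following JavaScript performs that source-code check mechanically, using the distinction drawn above: in a genuine SSO flow the provider's URL appears only in the browser's own address bar of a separate window, whereas in the forgery it is text inside the page and the password form submits to the attacker. The hostnames and sample markup are constructed for illustration. It runs in Node on saved page source; in a browser console you would pass document.documentElement.outerHTML and location.href instead.

```javascript
// Added example (not code from Myki or from the article): scan a page's HTML source for
// the two tell-tale signs of an in-page "SSO popup". Hostnames and markup are constructed.

// Identity providers whose login prompt a page might imitate.
const IDP_HOSTS = ['www.facebook.com', 'facebook.com', 'accounts.google.com'];

// Visible text of the document: scripts removed, tags stripped. A regex is enough for a
// view-source check; in the browser, document.body.innerText gives the same thing.
function visibleText(html) {
  return html.replace(/<script\b[\s\S]*?<\/script>/gi, ' ').replace(/<[^>]+>/g, ' ');
}

// Hostname a form action resolves to, relative to the page's own origin.
function actionHost(action, pageOrigin) {
  try {
    return new URL(action, pageOrigin).hostname;
  } catch {
    return null;
  }
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditSource(html, pageUrl) {
  const page = new URL(pageUrl);
  const text = visibleText(html);
  const findings = [];

  // Sign 1: an identity provider's https:// URL appears as text inside the document.
  // The browser's real address bar is never part of the DOM, so this one is drawn.
  for (const host of IDP_HOSTS) {
    if (text.includes('https://' + host) && page.hostname !== host) {
      findings.push(`address bar for ${host} is drawn in HTML on ${page.hostname}`);
    }
  }

  // Sign 2: a password form on a page that names an identity provider, but whose action
  // does not submit to that provider. Genuine SSO never collects the provider's password
  // inside the third-party page; the provider's own window does that.
  const claimsIdp = IDP_HOSTS.some(h => text.includes(h));
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let match;
  while ((match = formRe.exec(html)) !== null) {
    const [, attrs, inner] = match;
    if (!/type\s*=\s*["']?password/i.test(inner)) continue;
    const actionAttr = attrs.match(/\baction\s*=\s*["']([^"']*)["']/i);
    const action = actionAttr ? actionAttr[1] : '';
    const target = actionHost(action, page.origin) || page.hostname;
    if (claimsIdp && !IDP_HOSTS.includes(target)) {
      findings.push(`password form submits to ${target}, not to the provider it imitates`);
    }
  }
  return findings;
}

// Constructed sample: a fake popup drawn inside a third-party page, address bar included.
const FAKE_POPUP = `
<div class="popup">
  <div class="fake-chrome">Log in to Facebook | https://www.facebook.com/login.php</div>
  <form action="/collect.php" method="post">
    <input name="email"> <input type="password" name="pass">
    <button>Log In</button>
  </form>
</div>`;

// Constructed sample: a genuine relying party. The provider URL lives only in the
// window.open() call that opens a separate browser window; the page's own password form
// is for the site's local accounts and never names the provider.
const GENUINE_RP = `
<h1>Create your account</h1>
<button onclick="window.open('https://www.facebook.com/dialog/oauth?client_id=APP_ID')">
  Continue with Facebook
</button>
<form action="/register" method="post">
  <input name="email"> <input type="password" name="pw">
</form>`;

console.log(auditSource(FAKE_POPUP, 'https://phish.example/signup'));   // two findings
console.log(auditSource(GENUINE_RP, 'https://rp.example/signup'));      // []
```

Both checks depend on the real page origin, not on any text the page displays; run against the same fake markup served from www.facebook.com itself, the audit reports nothing, which is exactly the point of checking the browser's own address bar rather than the one drawn in the popup.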

Single sign-on, or SSO, is a feature that lets people use an existing account (typically Facebook, Google, Twitter or LinkedIn) to log in to other websites.

SSO is primarily designed to make things easier for both end users and websites. Rather than creating a new account, filling in yet another sign-up form and remembering separate credentials for each of the many third-party sites they use, users can sign in everywhere with a single login.

For the websites, supporting sign-up and sign-in through SSO means they do not have to build and secure a password-based authentication system and credential database of their own. The protocols used by Facebook and the other providers let a user prove their identity to the third-party site without that site ever seeing the username or password; the site receives a token from the provider instead.

As for this Facebook SSO forgery, it is a very convincing move by the scammers, and a reminder to all web users that phishing attacks keep getting smarter.

It also highlights the value of using multi-factor authentication on any online service that offers it.

With multi-factor authentication enabled on Facebook, the stolen credentials alone would be of little use to the scammers, because they do not have the physical security key or smartphone required to complete a login from a computer that has never accessed the account before. One caveat: a phishing kit that relays the victim's one-time code to Facebook in real time can still defeat code-based second factors, whereas a hardware security key is bound to the genuine facebook.com origin and cannot be relayed from a fake page.

Here are some more tips from Facebook for dealing with phishing.

Published: 19/02/2019