Phishing Attacks Take A New and Scary Approach

Let’s be honest…managing all your online passwords is a big headache.

I write about this stuff and yet I still struggle to use best practices in password management. Sometimes, it’s just easier to click the pop-up box that says, “Log-in with Facebook Credentials.”

That’s one’s not tough. I can remember that one password, right?

And while it seems like it’s a safe way to save time and effort, and it usually is, hackers are once again exploiting our human propensity to move towards “easy” and are using it against us.

So, what is the correct protocol to check if a website asking for your credentials is fake or legitimate to log in?

Generally, I double check if the URL is correct.Then I look for the little lock to make sure the site is using HTTPS.

I personally don’t have any extra software or browser extensions that detect phishing domains like some of my more purist engineer friends. Generally I try and stay off questionalble sites and then pray a little security blessing before I log in.

If you, like me, are depending on basic security practices (internet prayers excluded) to spot if the “Facebook.com” or “Google.com” you have been served with is fraudulent, you may still fall victim to a new and highly creative phishing attack that will end with your password in the hackers hands.

Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, recently uncovered a new phishing attack campaign “that even the most vigilant users could fall for.”

Vincent discovered that cybercriminals are distributing links to blogs and services that prompt visitors to first “login using Facebook account” to read an exclusive article or purchase a discounted product.

That’s usually an ok thing. Logging in with Facebook is a safe method and is being used by a large number of websites to make it easier for visitors to sign up for a third-party service quickly.

Generally, when you click “log in with Facebook” button available on any website, you either get redirected to facebook.com or are served with facebook.com in a new pop-up browser window, asking you to enter your Facebook credentials to authenticate using OAuth and permitting the service to access your profile’s necessary information.

It was safe, until now…because now there are fake pop-ups.

According to Vincent, the fake pop-up login prompt, actually created with HTML and JavaScript, are perfectly reproduced to look and feel exactly like a legitimate browser window—a status bar, navigation bar, shadows and URL to the Facebook website with green lock pad indicating a valid HTTPS.

And unfortunately, it looks very real.

Users can interact with the fake browser window, drag it here-and-there or exit it in the same way any legitimate window acts.The only way to protect yourself from this type of phishing attack, according to Vincent, “is to actually try to drag the prompt away from the window it is currently displayed in. If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”

So how do you protect yourself?

1. First of all, enable two-factor authentication with every possible service, preventing hackers from accessing your online accounts if they somehow manage to get your credentials.
2. Take the time to log in, dust off that password manager and invest a few extra minutes in online security.
3. Drag the pop-up like Vincent suggests. Do a little dance with it on your screen and see what happens. If it doesn’t act right do not log in. 

If taking a little more time means you don’t get your password compromised, then maybe its worth the effort. I’m preaching to myself here too!

Stay safe—Samantha

If you need assistance with your business network security needs, give DarkHound SecOps a call at…or contact us at [email protected].