Let’s be honest…managing all your online passwords is a big headache.
I write about this stuff and yet I still struggle to use best practices in password management. Sometimes, it’s just easier to click the pop-up box that says, “Log-in with Facebook Credentials.”
That one’s not tough. I can remember that one password, right?
And while it seems like it’s a safe way to save time and effort, and it usually is, hackers are once again exploiting our human propensity to move towards “easy” and are using it against us.
So, what is the correct protocol to check if a website asking for your credentials is fake or legitimate to log in?
Generally, I double-check that the URL is correct. Then I look for the little lock to make sure the site is using HTTPS.
I personally don’t have any extra software or browser extensions that detect phishing domains like some of my more purist engineer friends. Generally I try to stay off questionable sites and then pray a little security blessing before I log in.
If you, like me, are depending on basic security practices (internet prayers excluded) to spot whether the “Facebook.com” or “Google.com” you have been served is fraudulent, you may still fall victim to a new and highly creative phishing attack that will end with your password in the hackers’ hands.
Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, recently uncovered a new phishing attack campaign “that even the most vigilant users could fall for.”
Vincent discovered that cybercriminals are distributing links to blogs and services that prompt visitors to first “login using Facebook account” to read an exclusive article or purchase a discounted product.
That’s usually an OK thing. Logging in with Facebook is a safe method and is used by a large number of websites to make it easier for visitors to sign up for a third-party service quickly.
Generally, when you click the “log in with Facebook” button available on any website, you either get redirected to facebook.com or are served facebook.com in a new pop-up browser window, asking you to enter your Facebook credentials to authenticate using OAuth and to permit the service to access the necessary information from your profile.
It was safe, until now…because now there are fake pop-ups.
According to Vincent, the fake pop-up login prompt, actually created with HTML and JavaScript, is perfectly reproduced to look and feel exactly like a legitimate browser window: a status bar, a navigation bar, shadows, and a URL to the Facebook website with a green padlock indicating a valid HTTPS connection.
And unfortunately, it looks very real.
Users can interact with the fake browser window, drag it here and there, or exit it in the same way any legitimate window acts. The only way to protect yourself from this type of phishing attack, according to Vincent, “is to actually try to drag the prompt away from the window it is currently displayed in. If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”
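To make it clear why the drag test works, here is a small model of it in JavaScript. This is an added example, not code from the original post or from Myki: it models a fake prompt as a rectangle that is clipped by the page’s viewport (because it is just an HTML element inside the page) and a real pop-up as a rectangle bounded only by the screen (because it is a separate browser window). All screen, viewport, and prompt sizes below are constructed for the illustration.

```javascript
// Added example (not from the original post): a model of the "drag the popup
// away from the page" test. All rectangle sizes are constructed.
//
// A fake login prompt is an HTML element drawn inside the web page, so the
// page's viewport clips it: drag it past the edge and part of it vanishes.
// A real browser pop-up is a separate window whose only bound is the screen.

// Axis-aligned rectangles: { x, y, width, height }.
function intersectionArea(a, b) {
  const left = Math.max(a.x, b.x);
  const top = Math.max(a.y, b.y);
  const right = Math.min(a.x + a.width, b.x + b.width);
  const bottom = Math.min(a.y + a.height, b.y + b.height);
  if (right <= left || bottom <= top) return 0;
  return (right - left) * (bottom - top);
}

// Fraction of `popup` still visible after moving it by (dx, dy) when
// `bounds` is the region that clips it.
function visibleFractionAfterDrag(popup, bounds, dx, dy) {
  const moved = { ...popup, x: popup.x + dx, y: popup.y + dy };
  return intersectionArea(moved, bounds) / (popup.width * popup.height);
}

// The test itself: drag the prompt until its right edge should sit 100px past
// the right edge of the page's viewport. `clipBounds` is whatever actually
// clips the prompt: the page viewport for an in-page element, the screen for
// a real pop-up window.
function dragTest(popup, pageViewport, clipBounds) {
  const dx = (pageViewport.x + pageViewport.width + 100) - (popup.x + popup.width);
  const fraction = visibleFractionAfterDrag(popup, clipBounds, dx, 0);
  return {
    fraction,
    verdict: fraction < 1 ? 'fake: clipped by the page' : 'real: left the page intact',
  };
}

// Constructed scenario: a 1920x1080 screen, the browser's page viewport
// occupying 1280x720 at (0,0), and a 500x400 login prompt at (390,160).
const screenBounds = { x: 0, y: 0, width: 1920, height: 1080 };
const pageViewport = { x: 0, y: 0, width: 1280, height: 720 };
const loginPrompt = { x: 390, y: 160, width: 500, height: 400 };

// In-page element: 20% of it disappears past the viewport edge.
const fakeResult = dragTest(loginPrompt, pageViewport, pageViewport);
// Separate window: it leaves the page without losing anything.
const realResult = dragTest(loginPrompt, pageViewport, screenBounds);
console.log(fakeResult, realResult);
```

The model shows the mechanism rather than a detector: nothing inside the page can tell you which clipping region applies, which is exactly why the user has to perform the drag and watch whether part of the prompt disappears.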
So how do you protect yourself?
If taking a little more time means you don’t get your password compromised, then maybe it’s worth the effort. I’m preaching to myself here too!
Stay safe—Samantha
If you need assistance with your business network security needs, give DarkHound SecOps a call at…or contact us at [email protected].