Scams seeking to harvest online credentials have long tried to replicate known logon pages. But this newly found instance is just about perfect.
In every scam that uses social engineering, the key is to be believable. If it looks right, feels right, has the timing right, etc., the victim is more likely to fall for it. This latest scam takes advantage of a user’s desire to use single sign-on (SSO) via a well-known website, in this case Facebook. Rather than creating (and remembering) countless passwords for an equally large number of websites, users identify themselves via Facebook.
Under normal circumstances, the Facebook API is called and prompts the user to authenticate. But researchers at security vendor Myki have found a website that purports to use Facebook for sign-on but instead presents an exact HTML copy of the Facebook logon page.
Because the logon form is served as the website’s own HTML rather than by Facebook, every credential the user enters is handed straight to the cybercriminals.
This hyper-realistic phishing campaign is all but undetectable. The only guidance Myki can offer is to try dragging the popup window outside the webpage window. If it uses the Facebook API, the window cannot be dragged outside the source window. If it is HTML, it exists in a window of its own.
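The tell described above is that the credential form lives in the host page’s own HTML rather than in a window Facebook controls. The script below is an added example, not code from the original post or from Myki: a dependency-free Node heuristic that scans a page’s HTML for password forms branded as a Facebook login that do not submit to a facebook.com host. The sample page, the origin `https://example.test` and the host list are constructed for the demo.

```javascript
// Added example (not from the original post or from Myki): heuristic scanner
// for credential forms that are rendered in a page's own HTML while branded
// as a Facebook login. A genuine Facebook Login flow hands the user to a
// window on facebook.com, so a password form inside the host page that
// mentions Facebook and posts anywhere else deserves a closer look.
// Demo-grade regex parsing only; use a real HTML parser in production.

// Hosts a real Facebook credential form would post to (constructed list).
const FACEBOOK_HOSTS = ["facebook.com", "fb.com"];

// Resolve a form action against the page origin and return its host.
function actionHost(action, pageOrigin) {
  try {
    return new URL(action || "", pageOrigin).host.toLowerCase();
  } catch {
    return "";
  }
}

function isFacebookHost(host) {
  return FACEBOOK_HOSTS.some(h => host === h || host.endsWith("." + h));
}

// Returns one finding per suspicious form: { actionHost, snippet }.
function findFakeFacebookLoginForms(html, pageOrigin) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const hasPassword = /<input\b[^>]*type\s*=\s*["']?password/i.test(body);
    const brandedFacebook = /facebook/i.test(body);
    if (!hasPassword || !brandedFacebook) continue;
    const action = (/\baction\s*=\s*["']?([^"'\s>]*)/i.exec(attrs) || [])[1];
    const host = actionHost(action, pageOrigin);
    if (!isFacebookHost(host)) {
      const snippet = body.replace(/\s+/g, " ").trim().slice(0, 60);
      findings.push({ actionHost: host, snippet });
    }
  }
  return findings;
}

// Constructed sample: an in-page "popup" with a Facebook-branded password form
// posting back to the host site, plus the site's own unbranded login form.
const SAMPLE_PAGE = `
<div class="popup"><form method="post" action="/collect">
  <h2>Log in to Facebook to continue</h2>
  <input name="email" type="text"><input name="pass" type="password">
  <button>Log In</button></form></div>
<form action="/login"><input name="u"><input name="p" type="password"></form>`;

console.log(findFakeFacebookLoginForms(SAMPLE_PAGE, "https://example.test"));
```

Only the Facebook-branded form that posts back to `example.test` is reported; the site’s own login form and a form posting to facebook.com are left alone.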
Subtle detection tells like this one highlight how difficult it is for users in organizations to protect themselves from every new phishing attack. Users who have undergone Security Awareness Training are better prepared to spot unusual web and email behavior that should raise suspicion.
We may never be able to fully stop phishing attacks, but by educating users, it’s possible to minimize the attack surface and reduce the likelihood an attack will be successful.