In what seems to be a spin-off of the hyper-realistic phishing campaign that we covered last month, researchers at Myki have noticed a new Facebook phishing campaign that targets mobile users this time. While only iOS devices are targeted right now, porting the whole scheme to Android would be trivial work for the malicious actors. The main point of the campaign is to trick users into inputting their Facebook login credentials in a legit-looking login screen, following a series of well-thought and perfectly implemented browser transition effects that can fool even the most experienced.
New @facebook phishing campaign on mobile that mimics native iOS behavior. Story with video demo in link below: https://t.co/UKLMZBR02J #phishing #facebook #iOS
— Antoine Jebara (@JebaraAntoine) March 11, 2019
According to revelations made by Antoine Vincent Jebara, the CEO of Myki, simulating iOS actions in this phishing campaign is done with unprecedented attention to detail, with the tab switching animation acting as the spearhead on that part. The phishing actors use mimicked websites to trick users into believing that they will log in to that platform by authenticating themselves on Facebook. In the following example video, the phishing webpage is a fake AirBnB site that asks the victim to log in through Facebook. All of the emulation steps maintain a high faithfulness level, resulting in the gradual generation of user trust.
While this campaign looks realistic and can indeed result in fooling even experienced users, Jebara points out a few flaws that cautious people would have caught. “This attack is poorly implemented and contains multiple flaws from both a process and design point of view. Login with Facebook prompts are presented as an external window in Safari, not as an additional tab that the user is switched to, as the origin URL still appears in minimized form over the fake Facebook navigation bar. Although hackers would probably implement this campaign in a more realistic manner, in its current form, a majority of users would fall for this attack, as the details that give it away are relatively subtle, and more importantly, the user is shown specific 'familiar' actions that seem to turn off the part of the brain that doubts the legitimacy of the page.”
Even if someone didn’t notice any of the above, common phishing-protection methods such as using two-factor authentication or a password manager would secure users against it. If you are looking for a solid password manager that will keep you safe when on the go, check out our list with the best password managers to consider, as several offer an Android and iOS version as well. Other than that, stay calm, never act hastily when apps or websites ask for your login credentials, and always check for the common signs before you input anything.
How do you protect yourself from phishing actors in Android or iOS? Share your method in the comments section below, or with the online community on our socials, on Facebook and Twitter.