
Behold, the Facebook phishing scam that could even get vigilant users



A phishing scam convincing enough to fool even vigilant users

Phishers are deploying what seems to be a clever new trick to snag people's Facebook passwords: presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week.

Single sign-on, or SSO, is a feature that allows people to use their accounts on other sites (typically Facebook, Google, LinkedIn, or Twitter) to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Instead of having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that do not want the burden of creating and securing a password-based authentication system need only call an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the login to happen without the third-party site ever seeing the username or password.

Myki recently found a site that purported to offer Facebook SSO. As the video below shows, the login window looked almost identical to the real Facebook SSO prompt. This one, however, did not use the Facebook API and did not communicate with the social network in any way.

Just add HTML

One of the ingredients that made the login window look so real is that it almost perfectly reproduced what users would see if they encountered a genuine Facebook SSO prompt, such as the one to the right of this text. The status bar, navigation bar, shadows, and HTTPS-based Facebook address all appeared almost exactly the same. The window presented on the phishing page, however, was rendered from a block of HTML inside the page itself instead of being opened through an API call that launches a real Facebook window. As a result, anything typed into the fake SSO window was funneled directly to the phishers.

While the replica is convincing, there was one easy way that anyone could immediately tell it was a fake. Genuine SSO prompts from Facebook and Google are separate browser windows and can be dragged outside the window of the third-party site without any part of the login prompt disappearing. Portions of the fake SSO, by contrast, were clipped and disappeared when dragged, because it was just part of the page. Another tell-tale sign for Myki users and users of other password managers was that the password manager's autofill feature did not work: contrary to the address painted inside the HTML block, the actual URL users were visiting wasn't on Facebook. More advanced users could almost certainly have spotted the forgery by viewing the source code of the site they were visiting, too.

The convincing forgery is another reminder that attacks only get better. It also reaffirms the value of using multi-factor authentication on any site that offers it. A password phished from a Facebook account protected by MFA would have been of little use to attackers, since they would not have the physical key or smartphone required when logging in from a computer that has never accessed the account before. Facebook has more tips for dealing with phishing here.

