Behold, the Facebook phishing scam that could dupe even vigilant users
Phishers are deploying what appears to be a clever new trick to snag people's Facebook passwords by presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week.
Websites that don't want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the login to happen without the third-party site ever seeing the username and password.
One of the ingredients that made the login window look so real is that it almost perfectly reproduced what users would see if they were encountering a genuine Facebook SSO, such as the one to the right of this text.
Genuine SSOs from Facebook and Google can be dragged outside of the window of the third-party site without any part of the login prompt disappearing.
More advanced users almost certainly could have spotted the forgery by viewing the source code of the site they were visiting, too.
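The two tells above follow from the same fact: in a genuine SSO flow the credential prompt is a separate browser window loaded from the identity provider's own origin, so the third-party page's own document never contains a Facebook or Google password field. The following check is an added example (not code from the article or from the researchers it cites) that turns that reasoning into a heuristic a defender could run over page source: it flags any password form that carries identity-provider branding but posts credentials anywhere other than that provider. The provider list, the sample pages and the two-label domain shortcut are constructed assumptions for illustration.

```python
"""Heuristic check for fake SSO prompts rendered inside a third-party page.

Added example, not code from the original article. With a genuine
single sign-on flow the third-party site never sees the username and
password, so a password field that lives in the third-party page's own
DOM while posing as a Facebook or Google login has no legitimate reason
to exist.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Identity providers whose branding the heuristic looks for.
# Assumption: only these two; extend for other SSO providers.
IDP_DOMAINS = {"facebook": "facebook.com", "google": "google.com"}


class _LoginFormCollector(HTMLParser):
    """Collect every <form> that contains a password input, with its action URL and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms: {"action", "has_password", "text"}
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False, "text": ""}
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True
            # Placeholder text is part of what the user sees in the prompt.
            self._current["text"] += " " + a.get("placeholder", "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += " " + data

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def _registrable(host):
    """Crude eTLD+1 (last two labels); enough for facebook.com / google.com."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_fake_sso_prompts(page_url, html):
    """Return findings for password forms that pose as an IdP login
    while sending the credentials somewhere other than that IdP."""
    page_host = _registrable(urlparse(page_url).hostname or "")
    parser = _LoginFormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        text = form["text"].lower()
        for brand, idp_domain in IDP_DOMAINS.items():
            if brand not in text:
                continue
            # Resolve the action against the page URL; an empty or relative
            # action means the credentials go to the page's own origin.
            action_url = urljoin(page_url, form["action"])
            action_host = _registrable(urlparse(action_url).hostname or "")
            if action_host != idp_domain:
                findings.append({
                    "brand": brand,
                    "page_host": page_host,
                    "posts_to": action_host,
                    "reason": f"{brand} password prompt in {page_host} DOM sends credentials to {action_host}",
                })
    return findings


# Constructed sample: a third-party page drawing a Facebook-styled login
# box in its own DOM. Such a box cannot be dragged outside the browser
# window, and its <form> is visible in the page source.
FAKE_PAGE = """
<html><body>
<div class="popup" style="position:fixed;top:20%;left:30%">
  <form action="/collect.php" method="post">
    <h2>Log in to Facebook</h2>
    <input name="email" placeholder="Email or phone">
    <input name="pass" type="password" placeholder="Password">
    <button>Log In</button>
  </form>
</div>
</body></html>
"""

# Constructed sample: a legitimate site offering SSO. The Facebook prompt
# is not in this document at all; a button merely opens the IdP's window.
LEGIT_PAGE = """
<html><body>
<button onclick="openSso()">Continue with Facebook</button>
<form action="/signup" method="post">
  <input name="user"><input name="pw" type="password" placeholder="Choose a site password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_fake_sso_prompts("https://example-shop.test/login", FAKE_PAGE):
        print("SUSPICIOUS:", f["reason"])
    print("legit page findings:", find_fake_sso_prompts("https://example-shop.test/login", LEGIT_PAGE))
```

The same HTML served from the provider's own origin produces no finding, which is the distinction the heuristic relies on: the question is not what the prompt looks like but where the page lives and where the password is sent. A browser extension would feed the live document's `outerHTML` and `location.href` into `find_fake_sso_prompts`; the view-source check in the article is the manual version of the same inspection.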
A password phished from a Facebook account that used MFA protection would have been of little use to attackers since they wouldn't have had the physical key or smartphone that's required when logging in from a computer that has never accessed the account before.