This New Facebook Phishing Campaign Could Trick Even Vigilant Users

This article is more than 5 years old.

A new phishing campaign is targeting Apple iOS users and could be adapted for Android devices, security researchers have warned. The campaign lures mobile users to a malicious page that imitates Airbnb and prompts them to sign in with Facebook's social login, researchers at password-manager vendor Myki say.

The discovery follows an earlier report from the same researchers of a phishing attack built on the same idea: reproducing a social login prompt, very realistically, inside an HTML block.

How does the attack work?

From the victim's point of view, the latest attack unfolds as follows:

Upon tapping the 'Login with Facebook' button on the fake Airbnb page, the user sees what appears to be an iOS prompt asking them to confirm that they want to use Facebook to log in.

Safari then appears to open a new tab, in which the user is asked to authenticate on Facebook.

Despite this appearing legitimate, according to Myki, almost everything is fake. "The prompt to authenticate the action is fake: It is an image displayed within the HTML document that makes it look like an iOS prompt," says Antoine Vincent Jebara, Myki CEO, in the blog. "The tab switching in Safari is also fake, it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in. The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page."

However, Myki also points out that the attack is “poorly implemented” and “contains multiple flaws from both a process and design point of view”.

For example, says Jebara: “Login with Facebook prompts are presented as an external window in Safari, not as an additional tab that the user is switched to, as the origin URL still appears in minimized form over the fake Facebook navigation bar. This just goes to show how little users know about how software is supposed to behave in specific scenarios.”

Even so, Myki expects a majority of users to fall for the attack in its current form, and attackers could easily implement it more convincingly. The details that give it away, Jebara points out, are relatively subtle.

The growth of phishing

Phishing attacks have been succeeding for years, and one of the reasons is that they are simple and effective for hackers to perpetrate. They can also be done at scale, with hackers hoping that enough people will fall for them. The Myki findings come as security firm Kaspersky released a report showing a huge increase in email phishing. The firm's anti-phishing system prevented more than 482 million attempts to visit fraudulent web pages during 2018: a two-fold increase on 2017, when 236 million such attempts were blocked. The financial sector was a major target: over 44% of all phishing attacks detected by Kaspersky Lab technologies were aimed at banks, payment systems and online shops. Meanwhile, 18.32% of unique users of Kaspersky products encountered a phishing attempt.

How do you avoid phishing attacks like this one?

Jebara advises users to learn to be "more sceptical" and to ask questions when prompted to provide any kind of information online.

Kaspersky advises users to check the web addresses in unknown or unexpected messages to make sure they are genuine, and to make sure that the visible link text does not cover a different hyperlink. The firm advises: "If you are not sure that the website is genuine and secure, never enter your credentials. If you think that you may have entered your login and password on a fake page, immediately change your password and call your bank or other payment provider if you think your card details were compromised."
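The "link covers another hyperlink" check above can be automated. The following is an added example, not code from the article or from Kaspersky: it pulls every anchor out of an HTML message, and where the visible text itself looks like a web address it compares that address's domain with the domain the href actually points to. The sample email, domains and addresses are constructed for the demonstration.

```javascript
// Added example: flag links whose visible text shows one address but whose href
// points to a different domain. Not from the article or Kaspersky; all input is constructed.

// Constructed phishing-style email. Only the first anchor disguises its destination.
const SAMPLE_EMAIL = `
<p>Your Airbnb booking needs confirmation within 24 hours:
<a href="https://airbnb-confirm.example/login">https://www.airbnb.com/trips</a></p>
<p>Need help? <a href="https://www.airbnb.com/help">https://www.airbnb.com/help</a></p>
<p>Or <a href="https://login.airbnb-secure.example/fb">Log in with Facebook</a></p>
`;

// Reduce a hostname to its registrable domain. Real tooling consults the Public
// Suffix List; this example assumes "last two labels" is enough for the sample data.
function registrableDomain(hostname) {
  if (!hostname) return null;
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// Hostname of a URL-like string; a scheme is added when missing. null if unparsable.
function hostOf(text) {
  const s = text.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`;
  try { return new URL(withScheme).hostname; } catch { return null; }
}

// Does the visible link text itself read as a web address?
function looksLikeUrl(text) {
  return /^(?:https?:\/\/)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:\/\S*)?$/i.test(text.trim());
}

// Extract (href, visible text) pairs and compare domains. A regex is adequate for
// the constructed sample; a real mail scanner would use a proper HTML parser.
function auditLinks(html) {
  const findings = [];
  const anchor = /<a\b[^>]*?href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  for (const m of html.matchAll(anchor)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();          // strip nested tags
    const hrefDomain = registrableDomain(hostOf(href));
    const textDomain = looksLikeUrl(text) ? registrableDomain(hostOf(text)) : null;
    // Only a text that claims to be an address can lie about its destination.
    const mismatch = textDomain !== null && textDomain !== hrefDomain;
    findings.push({ text, href, textDomain, hrefDomain, mismatch });
  }
  return findings;
}

for (const f of auditLinks(SAMPLE_EMAIL)) {
  console.log(f.mismatch ? 'MISMATCH' : 'ok      ', f.hrefDomain, '<-', JSON.stringify(f.text));
}
```

Anchors whose text is ordinary words, such as "Log in with Facebook", cannot be caught this way; for those the only check is the destination domain itself, which the audit still reports.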

Always use a secure connection: look for HTTPS, and avoid unknown or public Wi-Fi networks that lack password protection. A VPN is useful, especially if you're working from locations such as coffee shops.

Of course, it's also important to use strong passwords and to enable two-factor authentication where possible. Password managers are extremely useful and, interestingly, would have protected you from this attack: a password manager that supports iOS 12 Auto-Fill would not have offered to fill in your Facebook password, because the fake login form is an overlay on the attacker's page rather than a page on facebook.com, and the absence of that suggestion is itself a signal that the page isn't legitimate.
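Why the autofill stays silent is worth seeing in code. The block below is an added example, not code from the article, Myki or any password manager: it shows the origin check a manager applies before offering a saved credential, alongside the naive substring check that a lookalike domain defeats. The vault entries, page URLs and domains are constructed for the demonstration, and the registrable-domain helper assumes "last two labels" rather than consulting the Public Suffix List.

```javascript
// Added example: the origin check behind a password manager's autofill decision.
// Not code from the article, Myki or any real manager; all data below is constructed.

// Constructed vault: each credential is keyed by the registrable domain of the site
// it was saved on, which is how an autofill decision is normally made.
const VAULT = [
  { domain: 'facebook.com', username: 'alice@example.com', password: 'fb-secret' },
  { domain: 'airbnb.com',   username: 'alice@example.com', password: 'airbnb-secret' },
];

// Reduce a hostname to its registrable domain. Real managers consult the Public
// Suffix List; this example assumes "last two labels" is enough for the sample data.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// Strict match: parse the page URL, require HTTPS and compare registrable domains.
// An overlay drawn inside the phishing page still carries the phishing page's URL,
// so it can never match a credential saved on facebook.com.
function credentialsFor(pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch { return []; }   // unparsable: offer nothing
  if (url.protocol !== 'https:') return [];               // never fill over plain http
  // WHATWG URL hands back an ASCII (punycode) hostname, so IDN homographs
  // never compare equal to the Latin domain in the vault.
  const domain = registrableDomain(url.hostname);
  return VAULT.filter(c => c.domain === domain);
}

// Naive match for contrast: a substring test over the whole URL, the kind of check
// a lookalike hostname or a query parameter defeats.
function naiveCredentialsFor(pageUrl) {
  return VAULT.filter(c => pageUrl.toLowerCase().includes(c.domain));
}

// Constructed scenarios: one genuine Facebook login page and four impostors.
const SCENARIOS = {
  realFacebook:  'https://m.facebook.com/login.php?next=%2Fhome',
  fakeAirbnb:    'https://airbnb-deals.example/listing/42?ref=https://www.facebook.com',
  lookalikeHost: 'https://www.facebook.com.login-verify.example/',
  homograph:     'https://www.f\u0430cebook.com/login',  // Cyrillic 'а' replaces Latin 'a'
  plainHttp:     'http://www.facebook.com/login',
};

// For each scenario, which vault domains would the two checks offer to fill?
function summarize() {
  const out = {};
  for (const [name, url] of Object.entries(SCENARIOS)) {
    out[name] = {
      strict: credentialsFor(url).map(c => c.domain),
      naive:  naiveCredentialsFor(url).map(c => c.domain),
    };
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```

Only the genuine m.facebook.com page gets the Facebook credential from the strict check; the fake Airbnb page, the lookalike hostname and the plain-HTTP page all get nothing, which is exactly the silence a user should notice. The naive substring check offers the Facebook password in three of the four impostor cases, and rejects the homograph only because its bytes happen to differ.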