Password management company Myki announced on Thursday that it had spotted a “deceptively convincing” phishing campaign that very accurately reproduces Facebook’s login prompt. According to the blog, the attack is so well crafted that “even the most vigilant users could fall for” it.
Researchers at Myki began their investigation after the company started receiving reports from Myki password manager users complaining of a bug in the Myki Auto-Fill functionality. The manager was simply not auto-filling passwords for popular domains on certain websites, the users noted. “Our investigation led us to suspect that these users might have visited a similar kind of phishing sites,” said Antoine Vincent Jebara, co-founder and CEO of Myki.
In the analysis of the scam, Jebara notes that so-far unknown malicious actors were able to reproduce a very realistic-looking social login pop-up prompt in HTML. The prompt is so well crafted that its content, the status and navigation bars, and even the shadows look indistinguishable from a legitimate login prompt.
The Myki blog includes a video example of the scam. In it, a site posing as The News Weekly Journal prompts users to “Login with Facebook to access the article.” Users can interact with the pop-up, drag it or dismiss it as if it were a legitimate prompt.
How to Spot It
According to Jebara, “the only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in. If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”
This, in fact, is a good rule of thumb to follow whenever you suspect a site is malicious: always drag popups away from their initial position. If you spot any abnormal behavior, you may be the target of a phishing scam.
Jebara also noted that “most password managers are not sensitive to this kind of phishing attack as they look at the window URL to determine what password to auto-fill which in this case is not facebook.com.”
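The two defensive checks described above, the drag test and the window-URL rule that keeps password managers from filling the fake prompt, as an added example that is not code from Myki or its blog. It assumes a saved credential for www.facebook.com and constructed hostnames and element texts; the DOM heuristic in the second half is a coarse assumption of how a browser extension might flag such overlays.

```javascript
// Added example, not code from Myki or the Myki blog: two defender-side checks
// that follow from the article. Hostnames and element texts are constructed.

// Hostname of a URL string, lower-cased; null if the URL does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Check 1: the auto-fill rule Jebara describes. The decision is keyed on the
// window's real URL, never on what the page paints, so a facebook.com prompt
// drawn inside another site's document never matches the saved credential.
function shouldAutofill(savedCredentialUrl, windowUrl) {
  const saved = hostOf(savedCredentialUrl);
  const current = hostOf(windowUrl);
  if (!saved || !current) return false;
  if (!/^https:/i.test(windowUrl)) return false;      // never fill over plain http
  return current === saved || current.endsWith('.' + saved);
}

// Check 2: a coarse DOM heuristic for the fake-prompt pattern (an assumption,
// not a product feature). Given the page's real hostname and the visible text
// of overlay-like elements, flag elements that both render an address-bar-style
// string for a foreign host and show a login cue. Ordinary outbound links
// (no login cue) are not flagged.
const URL_LIKE = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:\/\S*)?/gi;
const LOGIN_CUE = /\b(log ?in|sign ?in|password|continue with)\b/i;
function findSpoofedAddressBars(pageHostname, elementTexts) {
  const page = pageHostname.toLowerCase();
  const hits = [];
  elementTexts.forEach((text, index) => {
    if (!LOGIN_CUE.test(text)) return;
    for (const m of text.matchAll(URL_LIKE)) {
      const shown = m[1].toLowerCase();
      const related = shown === page || shown.endsWith('.' + page) || page.endsWith('.' + shown);
      if (!related) { hits.push({ index, shownHost: shown, match: m[0] }); break; }
    }
  });
  return hits;
}

// In a browser, run the heuristic over fixed-position overlays (where such
// in-page prompts are drawn); guarded so the file also runs under Node.
if (typeof document !== 'undefined') {
  const overlays = [...document.querySelectorAll('body *')]
    .filter(el => getComputedStyle(el).position === 'fixed')
    .map(el => el.innerText || '');
  console.log(findSpoofedAddressBars(location.hostname, overlays));
}
```

An in-page HTML prompt can never change `location.hostname`, which is exactly why the first check holds regardless of how convincing the rendering is; the second check is only a heuristic and will miss prompts that hide the fake address bar.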
In the arms race between scammers and security experts, phishing attacks are constantly evolving. As of late, we’ve seen some pretty sophisticated disguises, including the use of Google Translate to mask the attack.