Phishing for Facebook Logins

The Tip

A new phishing attack has surfaced that can easily catch the most diligent of us. It is also fortunately easy to spot, once you’re aware of what to look for.

The Detail

We’ve all been to sites that offer the convenience of logging in with your Facebook or Google account. This can really reduce the number of accounts you need for casual things like news blogs. This new attack targets that model we have become used to. Its effectiveness is its simplicity.
Here’s how it works.

  • Generally, when you click on a link to “log in with Facebook” you are either redirected to Facebook or you get a pop-up window with Facebook’s login screen.
  • In this attack you get a pop-up window that exactly mimics the Facebook pop-up, down to the apparent lock/secure icon and green address bar.
  • You enter your username and password.
  • The login will fail, but the criminals have now captured your Facebook login credentials.

How do we protect ourselves from this? Once you know what to look for, it’s actually easy to spot.

  • Try dragging the pop-up window away from the window it is being displayed in.
  • If you cannot drag the pop-up away, and it instead disappears beyond the bounds of the parent window, it is a fake. DO NOT USE.
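The drag test works because a fake pop-up is drawn inside the page, while a real browser window keeps its address bar outside the page content. The same property can be checked in code; the following is an added example, not part of the original tip, and its function names, provider list and sample page are assumptions made for illustration.

```javascript
// Heuristic only: a real browser pop-up keeps its address bar outside the page,
// so a provider URL shown as page text next to a password field is suspicious.
const URL_TEXT = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
const PROVIDERS = ["facebook.com", "accounts.google.com"]; // assumed watch list

const under = (host, domain) => host === domain || host.endsWith("." + domain);

// Works on DOM elements and on plain objects exposing the same properties
// (tagName, type, children, textContent).
function hasPasswordField(node) {
  if ((node.tagName || "").toLowerCase() === "input" &&
      (node.type || "").toLowerCase() === "password") return true;
  return Array.from(node.children || []).some(hasPasswordField);
}

// Returns the innermost containers that hold a password field together with
// visible text naming a login provider the page itself does not belong to.
function findFakeLoginWindows(root, pageHost, providers = PROVIDERS) {
  const page = pageHost.toLowerCase();
  const hits = [];
  (function visit(node) {
    const before = hits.length;
    Array.from(node.children || []).forEach(visit);
    // Skip ancestors of an already reported container and nodes without a form.
    if (hits.length > before || !hasPasswordField(node)) return;
    for (const m of (node.textContent || "").matchAll(URL_TEXT)) {
      const shownHost = m[1].toLowerCase();
      const provider = providers.find((p) => under(shownHost, p));
      if (provider && !under(page, provider)) {
        hits.push({ node, shownHost });
        return;
      }
    }
  })(root);
  return hits;
}

// Constructed sample input: a minimal stand-in for a page's element tree.
function el(tagName, props = {}, children = []) {
  const text = (props.text || "") + children.map((c) => c.textContent).join(" ");
  return { tagName, type: props.type, children, textContent: text };
}
const samplePage = el("body", {}, [
  el("p", { text: "Read more at https://news.example/article" }),
  el("div", {}, [ // in-page "window" with a drawn address bar
    el("div", { text: "https://www.facebook.com/login.php" }),
    el("form", {}, [el("input", { type: "text" }), el("input", { type: "password" })]),
  ]),
]);
```

In a browser console the call would be `findFakeLoginWindows(document.body, location.hostname)`. An address bar drawn as an image, or content inside a cross-origin frame, is not visible to this check, so the drag test remains the reliable one.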

Here is a video demonstrating

If you have more questions about these topics, please contact UTS, and we’d be happy to offer what guidance we can. There is also a wealth of information to be found using your favourite search engine.