DANGER - A new phishing attack has been discovered!
How do you verify whether a website that is asking you to log in is fake or legitimate?
- Verifying if the URL is correct?
- Checking if the site is using HTTPS?
- Or using software or browser extensions that detect phishing domains?
Well, if you, like most users, rely on these basic security practices to tell whether sites like "Facebook.com" or "Google.com" are fake, you may still fall victim to a newly discovered, creative phishing attack and end up giving your passwords to hackers.
Antoine Vincent Jebara, co-founder and CEO of Myki password management software, told The Hacker News that his team recently detected a new campaign of phishing attacks "in which even the most prepared users could be impacted".
Vincent found that cybercriminals are distributing links to blogs and services that prompt visitors to log in with their Facebook accounts to read an exclusive article or purchase a low-priced product.
Signing up with Facebook or any other social media service is a safe method, and a large number of websites use it to let visitors sign up quickly for a third-party service. Usually, when you click the "sign in with Facebook" button available on any website, you are either redirected to Facebook.com or shown Facebook.com in a new browser window, which asks you to enter your Facebook credentials to authenticate and to allow the service to access the required information from your profile.
However, Vincent found that after users click the login button, the malicious blogs and online services show them a very realistic fake Facebook login screen designed to capture the credentials they enter, just like any phishing website.
In this type of phishing, the fake login screen, created with HTML and JavaScript, is reproduced to look exactly like a legitimate browser window - status bar, navigation bar, shadows and the URL of the Facebook site with the padlock that indicates valid HTTPS. In addition, users can interact with the fake browser window, drag it back and forth, or close it the same way any legitimate window works.
According to Vincent, the only way to protect yourself against this type of phishing attack "is to try to drag the fake screen away from the window where it is displayed." If this fails (part of the screen disappears beyond the edge of the window), it is a definite sign that the site is fake. "In addition, it is always advisable to enable two-factor authentication with all possible services, preventing hackers from accessing your online accounts if they can obtain your credentials."
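The fake window described above is only HTML drawn inside the blog's own page, so the password field really belongs to the blog's origin even though the drawn address bar shows Facebook's URL. The JavaScript below is an added example of checking for that mismatch; it is not from the original article or from Myki, and the snapshot format, function names and the `blog.example` host are assumptions made for illustration.

```javascript
// Added example: flag an in-page "window" that displays one site's URL while
// its password field lives in a page served from a different host.

// Extract host names from URL-looking strings in rendered text.
function hostsInText(text) {
  const hosts = [];
  for (const m of text.match(/https?:\/\/[^\s"'<>]+/gi) || []) {
    try { hosts.push(new URL(m).hostname.toLowerCase()); } catch (_) { /* not a URL */ }
  }
  return hosts;
}

// Walk a subtree, recording password fields and every host it displays.
function scan(node, acc) {
  if (node.tag === 'input' && node.type === 'password') acc.hasPassword = true;
  if (node.text) acc.hosts.push(...hostsInText(node.text));
  for (const child of node.children || []) scan(child, acc);
  return acc;
}

// A displayed host is acceptable only if it is the page host or a subdomain of it.
const sameSite = (host, pageHost) => host === pageHost || host.endsWith('.' + pageHost);

// Check each top-level container (assumption: overlays hang directly off <body>).
function findSpoofedAddressBars(pageUrl, body) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const box of body.children || []) {
    const { hasPassword, hosts } = scan(box, { hasPassword: false, hosts: [] });
    const foreign = [...new Set(hosts.filter((h) => !sameSite(h, pageHost)))];
    if (hasPassword && foreign.length) findings.push({ id: box.id, pageHost, displayed: foreign });
  }
  return findings;
}

// Constructed sample (assumed, simplified DOM snapshot): a blog page that draws
// a Facebook-looking window in HTML.
const fakePage = { tag: 'body', children: [
  { tag: 'article', id: 'post', text: 'Log in with Facebook to read the exclusive article.' },
  { tag: 'div', id: 'overlay', children: [
    { tag: 'div', text: 'https://www.facebook.com/login.php' }, // drawn "address bar"
    { tag: 'form', children: [{ tag: 'input', type: 'email' }, { tag: 'input', type: 'password' }] },
  ] },
] };
// Constructed sample: a site's own login box that mentions its own URL.
const ownLogin = { tag: 'body', children: [
  { tag: 'div', id: 'login', text: 'Sign in at https://blog.example/account',
    children: [{ tag: 'input', type: 'password' }] },
] };
console.log(findSpoofedAddressBars('https://blog.example/post/1', fakePage));
```

In a browser extension the snapshot would be built from the live DOM and `pageUrl` taken from `location.href`; a hit is a reason to warn the user, not proof of phishing.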
Phishing scams are still one of the most serious threats to users and businesses, and hackers continue to try new and creative ways to trick both into providing confidential and financial details that they could use to steal their money or hack their online accounts.
Stay tuned, stay safe!
Translated from: https://www.perallis.com/news/perigo-um-novo-ataque-de-phishing-foi-descoberto