How do you know if a website asking for your credentials is fake or legit to login to?
- Do you check first to see if the URL is accurate?
- Do you check first to make sure the URL is spelled right? (ie: faceb00k vs. facebook)
- Do you check first to make sure it's secure (ie: HTTPS)?
- Do you use a browser extension that detects known phishing domains?
Well, if you're like most users with the appropriate level of Internet hygiene, you rely on the above basic security practices to spot if that "Facebook.com" or "Google.com" you've been served with is fake or not. Unfortunately, you may still fall victim to a newly discovered creative phishing attack and end up in giving away your passwords to hackers.
A recent and falsely reported bug in the Myki Auto-Fill functionality led them to discover a phishing campaign that even the most vigilant users could fall for. They found that cybercriminals are distributing links to blogs and services that prompt visitors to first "login using Facebook account" to read an exclusive article or purchase a discounted product. Generally, when you click "log in with Facebook" button available on any website, you either get redirected to facebook.com or are served with facebook.com in a new pop-up browser window, asking you to enter your Facebook credentials to authenticate using OAuth and permitting the service to access your profile’s necessary information.
However, Myki discovered that the malicious blogs and online services are serving users with a very realistic-looking fake facebook login prompt after they click the login button which has been designed to capture users’ entered credentials, just like any phishing site.
The only way to protect yourself from this type of phishing attack, according to Myki, "is to actually try to drag the prompt away from the window it is currently displayed in. If dragging it out fails (part of the popup disappears beyond the edge of the window), it's a definite sign that the popup is fake." A pretty difficult proposition for most typical users to discern.
This is why we recommend against using Facebook or any other service as a login to another account!
Besides this, we also always recommend enabling two-factor authentication with every possible service, preventing hackers from accessing your online accounts if they somehow do manage to get your credentials.
Phishing schemes are still one of the most severe threats to users as well as companies, and hackers continue to try new and creative ways to trick you into providing them with your sensitive and financial details that they could later use to steal your money or hack into your online accounts.
Needless to say, security is more complex than ever before and the ramifications are more far-reaching than most realize.
Whether your business is large or small, it’s critical that your company’s user security awareness training becomes a valued and integral part of your employees’ work life culture. I've put together a list of questions to ask yourself (or your IT guy) to help assess the basic security level of your business’ network.
Developing a comprehensive and mature cybersecurity awareness training approach is often challenging, as the average computer user is relatively uninformed about key cybersecurity concepts. FPA is here to help you address many of the key components and related challenges. As far as managing the security aspects of your technology goes, our clients don't do any of the heavy lifting — our plans are comprehensive, easy to use and, best of all, we run them for you!
What are you doing to ensure you and your users are properly trained and your information is safe and secure? Download our tipsheet below to help.
Let us know your thoughts in the Comments section below or feel free to send me an email to discuss this in more detail.
As always, stay cyber-safe!