SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
19 Jun 2017

Innovative phishing threat targeting Facebook mobile users

Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold, a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding," the front-loading of the Web address of a malicious webpage with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.

The phishing attacks that PhishLabs RAID has observed thus far "target primarily Facebook," Hassold said. Apple, Comcast, Craigslist, and OfferUp have also been spoofed by the campaign. The Web addresses used for the phishing pages are hosted on sites using legitimate domain names that have been compromised. The spoofed addresses also show that the attack is focusing on mobile users, Hassold noted, as they use the URL for the mobile versions of the sites they target, such as:

    m.facebook.com----------------validate----step1.rickytaylk.com/sign_in[dot]html
    accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/
    icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/
    offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm
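
A defender-side check for the padding pattern in the addresses above, added here as an example (it is not from the original article or from PhishLabs). It compares the domain that actually controls the host with any watched brand name front-loaded into the subdomain; the suffix set, watch list, hyphen threshold and function names are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk"}
# Assumption: watch list built from the services the article names as spoofed.
WATCHED = ("facebook.com", "craigslist.org", "icloud.com", "offerup.com")
# Four or more hyphens in a row; the threshold is an assumption. It stays above
# the two hyphens of a punycode "xn--" label.
HYPHEN_RUN = re.compile(r"-{4,}")

# The article's own defanged examples, plus one constructed legitimate URL.
SAMPLES = [
    "m.facebook.com----------------validate----step1.rickytaylk.com/sign_in[dot]html",
    "accounts.craigslist.org-securelogin--------------viewmessage.model104[dot]tv/craig2/",
    "icloud.com--------------------secureaccount-confirm.saldaodovidro[dot]com.br/",
    "offerup.com------------------login-confirm-account.aggly[dot]com/Login%20-%20OfferUp.htm",
    "https://m.facebook.com/login",  # constructed, legitimate
]

def registrable_domain(host):
    """Return the domain that actually controls the host (simplified PSL logic)."""
    labels = host.rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def check_url(url):
    """Flag a URL whose subdomain carries a watched brand plus hyphen padding."""
    url = url.replace("[dot]", ".")        # refang for parsing only
    if "//" not in url:
        url = "//" + url                   # let urlsplit recognise the host part
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)]  # labels left of the real domain
    brand = next((b for b in WATCHED if b in prefix), None)
    padded = bool(HYPHEN_RUN.search(prefix))
    return {"registrable": reg, "brand": brand, "padded": padded,
            "suspicious": brand is not None and padded}

if __name__ == "__main__":
    for sample in SAMPLES:
        r = check_url(sample)
        print(f"{r['registrable']:<22} brand={r['brand']} suspicious={r['suspicious']}")
```

A production version would take the registrable domain from the full Public Suffix List rather than the two-entry set used here.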

The technique was first spotted in a few phishing attacks in January, according to Hassold. "It ramped up in March, and has been pretty heavy since." The pages used to deliver each type of attack found thus far are identical across the various domains used, suggesting that the attacker used some sort of script to leverage known vulnerabilities to gain access to domain name control. "Looking at the hashes of the contents of the sites, they're all identical," Hassold said.

It's not clear what the initial means of drawing victims to the sites is, though it is likely a shortened URL sent via an SMS message. In a blog post being published today by PhishLabs, Hassold wrote:

    The trouble with mobile devices is that even people who are normally security conscious treat them differently. As a population we’ve been conditioned to check our phones constantly, and to browse or follow links in a far more lackadaisical manner than we would on a desktop or laptop. As a result, we’re generally paying far less attention to any warning signs that might crop up.
    In this case, although we haven't yet managed to get our hands on any lures, it’s highly likely that this tactic is being distributed via SMS phishing, rather than email. As a result, the sensible parts of our brain, that have learned over the years that email contains a lot of spam, just aren’t turned on.

Part of the reason for the effectiveness of the attack is that if the site is delivered via an SMS link, it's not possible to check the legitimacy of the site before tapping it. And once the victim reaches the spoofed site, the URL padding obscures the true address of the site long enough for many (if not most) mobile device users to fall for the login request.



Tags: fraud, Facebook

Source: Ars Technica