• Attackers reproduced browser features to make fake sites look genuine on mobile devices.
  • Just like the previous campaign, this phishing attack relied on Facebook to lure victims.

Weeks after a Facebook phishing campaign was found stealing user credentials, a similar phishing attack has been discovered that targets mobile devices.

Antoine Vincent Jebara of Myki has yet again identified this attack which is aimed at iPhone users. The researcher detailed how this campaign mimicked a website’s look and design to trick iOS users into giving away their Facebook credentials.

How does it work?

  • Users visit a website which closely resembles the original site. Jebara’s investigation revealed a clone of the Airbnb website.
  • They are now presented with a message to open from Facebook in order to access the site.
  • A fake iOS login prompt appears asking the user to fill in his credentials to log into the site. After entering the credentials, the site notifies the user that his/her account has been compromised.

Highly detailed fake pages

Jebara explained in his blog how the campaign faked certain details. He wrote, “The prompt to authenticate the action is fake. It is an image displayed within the HTML document that makes it look like an iOS prompt. The tab switching in Safari is also fake, it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in.”

However, the security researcher emphasized that the implementations were still flawed. It was found that this phishing campaign used the same tab the user opened the site. This is in contrast to Facebook’s actual logins which are presented in external windows on Safari.

Jebara noted that many users could fall for this attack as the details that give it away are quite subtle. Moreover, Jebara wrote that, "...the user is shown specific 'familiar' actions that seem to turn off the part of the brain that doubts the legitimacy of the page.”

Cyware Publisher