Phishers are deploying what appears to be a clever new trick for capturing users' Facebook passwords: presenting convincing replicas of single sign-on windows on malicious sites, researchers said this week.
Single sign-on, or SSO, is a feature that lets users sign in to third-party websites with an account they already hold elsewhere (usually Facebook, Google, LinkedIn or Twitter). SSO is designed to make things easier for both end users and websites. Rather than having to create and store a password for hundreds, even thousands, of third-party sites, users can log in with the credentials of a single site. Websites that do not want the burden of building and securing their own password authentication systems need only call a well-supported application programming interface. Security and cryptography mechanisms under the hood establish the connection without the third-party site ever seeing the user's password.
Researchers at the password manager Myki recently discovered a site purporting to offer single sign-on from Facebook. As shown in the video below, the login window looked almost identical to Facebook's genuine single sign-on prompt. This one, however, did not use the Facebook API and had no connection to the social network at all. Instead, it phished the username and password.
Just add some HTML
One of the ingredients that made the login window look so real was that it closely mirrored what users would see if they encountered a genuine Facebook SSO prompt, like the one to the right of this text. The status bar, navigation bar, shadows and HTTPS-based Facebook address all looked nearly the same. The window presented on the phishing page, however, was generated from an HTML block rather than by calling an API that opens a real Facebook window. As a result, everything typed into the fake single sign-on window went straight to the phishers.
Although the replica was convincing, there was a simple way for any user to tell immediately that it was a forgery. Genuine Facebook and Google SSO prompts can be dragged outside the third-party site's window without any part of the login prompt disappearing. Parts of the fake SSO, however, disappeared when this was done. Another telltale sign for Myki users, and probably for users of other password managers, was that the password manager's autofill feature did not trigger, because, unlike the address displayed inside the HTML block, the actual URL users were visiting was not Facebook's. More advanced users would almost certainly have been able to detect the forgery by inspecting the source code of the site they were visiting.
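The autofill check described above, written out as an added example (not Myki's own implementation): the decision is made on the document's real origin, never on any address painted inside the page, so the fake prompt's displayed "https://www.facebook.com" carries no weight. The vault entries and URLs are constructed sample data.

```javascript
// Added example: gate credential autofill on the page's actual origin.
// A phishing page can render any address it likes inside an HTML block,
// but it cannot change the origin the browser reports for the document.

// Constructed sample vault: each entry is bound to one exact origin.
const savedCredentials = [
  { origin: "https://www.facebook.com", username: "alice@example.com" },
  { origin: "https://accounts.google.com", username: "alice@example.com" },
];

// Reduce a URL to scheme + host (+ explicit port); the path is irrelevant
// to the match, and lookalikes such as "www.facebook.com.evil.example"
// are a different host entirely, not a substring hit.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Return the vault entries that may be offered for autofill on actualUrl.
// actualUrl must be the document's real location (window.location.href in
// a browser), never text scraped from the page. Only HTTPS origins qualify,
// and only on an exact origin match.
function autofillCandidates(actualUrl, vault) {
  let origin;
  try {
    origin = parseOrigin(actualUrl);
  } catch (e) {
    return []; // unparseable location: fill nothing
  }
  if (!origin.startsWith("https://")) return [];
  return vault.filter((entry) => parseOrigin(entry.origin) === origin);
}

// What the fake SSO page in the article would have received: nothing,
// because its real origin is the attacker's host, not www.facebook.com.
const phishUrl = "https://www.facebook.com.sso-check.example/login"; // constructed
const offered = autofillCandidates(phishUrl, savedCredentials);
console.log(`entries offered on ${phishUrl}: ${offered.length}`); // 0
```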
The convincing forgery is another reminder that attacks only get better. It also reaffirms the value of using multifactor authentication on any site that offers it. A password phished from a Facebook account protected by MFA would have been of little use to the attackers, since they would not have had the physical key or the smartphone required to log in from a computer that had never accessed that account. Facebook has more tips on fighting phishing here.