Phishers are sending Facebook users fake login pages with URLs they’ve padded with hyphens, a trick which makes the sites look legitimate on mobile devices.
The attack works by sending a real, legitimate domain within a larger URL that’s fake.
For instance, the following link redirects users to a phishing site: hxxp://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html.
The genuine path for Facebook mobile, “m.facebook.com,” appears in the URL, but the link’s actual domain is rickytaylk[dot]com.
Why does that matter? Just see what it looks like in a mobile browser.
Screenshot of URL in mobile browser. (Source: PhishLabs)
Not so easy to spot the difference from the real Facebook mobile sign-in page, is it? Not only that, but the attackers include a work like “validate” or “secure” after their first round of hyphens. This tactic further boosts the fake link’s appearance of legitimacy.
PhishLabs has detected at least 50 instances of this phishing technique since January 2017. Researchers at the security awareness training provider haven’t found lures for the attack just yet. Even so, they believe fraudsters are mainly spreading around these hyphen-padded URLs via SMS messages.
Crane Hassold, senior security threat researcher at PhishLabs, says this belief comes down to mobile users’ inability to verify the location of a link sent via SMS:
“… Until you visit the site, you have no way of knowing whether it’s legitimate. And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain.”
He goes on to say that phishers are likely using Facebook users’ credentials they steal in this campaign to access victims’ accounts and then send out additional phishing lures in updates and private messages. They could also use the login details to commit password reuse attacks across multiple web accounts, a digital threat against which Carbonite warned in late June 2016.
This isn’t the first type of scam to target the popular social networking platform, and it’s not even the sole innovative phishing technique to emerge in recent weeks. With that said, mobile users need to exercise caution around clicking on links in suspicious SMS messages. They should also refer to these tips to further protect themselves against phishing attacks.