Social Media Phishing Attack

    Social media has changed how the world interacts in many ways, from closer interaction between businesses and their customers to law enforcement alerts. Creators of public content who want any real degree of reach involve social media in their business and marketing plans somehow, and many require logging in through social media to view content.

    There are many ways to check that a login prompt is legitimate, but a new phishing technique discovered by researchers at the password management company Myki throws the usual precautions out the window. Phishing is a fraudulent attempt to gain sensitive personal information by posing as a legitimate entity, such as a company or a website. It is a form of social engineering, and it is popular and successful because many people take things on the internet at face value.

    Recent years have shown an increase in phishing attempts leading to serious data breaches, as in the San Diego Unified School District breach, which exposed social security numbers and other personal information of over 500,000 students and staff.

    Researchers at Myki discovered that attackers were luring victims to fraudulent blog and service sites that required a Facebook login before showing their content. The sites looked legitimate, and so did the pop-up window for the Facebook login: the URL shown was www.facebook.com, it appeared to use HTTPS with a green padlock indicating a valid certificate, and browser add-ons for detecting malicious domains raised no warnings. The credentials were harvested anyway, because the pop-up was not a real browser window: it was built from HTML and JavaScript to imitate one, and it was part of the phishing page itself.

    The only way to tell is to try to drag the window away from the browser. If the window is fake, part of it disappears past the edge of the browser instead of moving as a separate entity. Harvesting Facebook credentials may not seem like much of a threat beyond seeing which cat pictures friends posted, but many people reuse the same or similar credentials across sites, which gives attackers a head start in gaining unauthorized access to other accounts. The same technique could also appear elsewhere in the future, such as e-commerce sites asking for PayPal logins.
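A programmatic version of the drag test described above, as an added example that is not from the original article or from Myki's research: a real Facebook pop-up is a separate browser window, so its address bar and password field never appear in the page's DOM, whereas the fake one does. The detector below walks a DOM-shaped tree and flags any element that both displays a URL for a foreign host and contains a password field; the host blog.example, the helper el() and the sample page are constructed for the example (the same functions work on a real document.body in a browser extension or bookmarklet).

```javascript
// Heuristic detector for the fake in-page login window: the supposed Facebook
// pop-up is HTML inside the phishing page, so its password field and painted
// address bar both sit in the page's own DOM. Nodes need only tagName,
// textContent, children and getAttribute(): real DOM elements provide them.
const URL_IN_TEXT = /https?:\/\/([a-z0-9.-]+)/gi;
// Hosts named in visible text, e.g. a painted "https://www.facebook.com/...".
function hostsShownIn(text) {
  return [...new Set([...text.matchAll(URL_IN_TEXT)].map((m) => m[1].toLowerCase()))];
}
function isPasswordField(node) {
  return node.tagName === 'INPUT' &&
    (node.getAttribute('type') || '').toLowerCase() === 'password';
}
// Reports the innermost elements that both display a URL for a host other than
// pageHost (or its subdomains) and contain a password field.
function findFakeLoginWindows(root, pageHost) {
  const findings = [];
  const walk = (node) => { // returns [subtreeHasPasswordField, alreadyReported]
    let hasPwd = isPasswordField(node), reported = false;
    for (const child of node.children || []) {
      const [p, r] = walk(child);
      hasPwd = hasPwd || p; reported = reported || r;
    }
    if (hasPwd && !reported && node !== root) {
      const foreign = hostsShownIn(node.textContent || '')
        .filter((h) => h !== pageHost && !h.endsWith('.' + pageHost));
      if (foreign.length) { findings.push({ tag: node.tagName, claimedHosts: foreign }); reported = true; }
    }
    return [hasPwd, reported];
  };
  walk(root);
  return findings;
}
// Minimal DOM-shaped node so the check runs outside a browser (constructed helper).
function el(tagName, attrs = {}, children = [], text = '') {
  return { tagName: tagName.toUpperCase(), children,
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    get textContent() { return text + children.map((c) => c.textContent).join(''); } };
}
// Constructed sample: a blog at blog.example (hypothetical host) embedding a
// fake Facebook login window whose "address bar" is only text in the page.
const samplePage = el('body', {}, [
  el('article', {}, [], 'Log in with Facebook to read this post. '),
  el('div', { class: 'popup' }, [
    el('div', { class: 'addressbar' }, [], 'Secure | https://www.facebook.com/login.php'),
    el('form', {}, [el('input', { type: 'email' }), el('input', { type: 'password' })]),
  ]),
]);
```

On the sample page the detector returns one finding for the popup DIV claiming www.facebook.com; a fake address bar drawn as an image rather than text would evade this text-based check, so in a browser combine it with the manual drag test.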

Sources
https://threatpost.com/sneaky-phishing-scam-facebook/141869/
https://threatpost.com/san-diego-school-district-data-breach-hits-500kstudents/140366/
https://thehackernews.com/2019/02/advance-phishing-login-page.html