Mimicking Native iOS Behavior in Facebook Phishing Campaign

The Facebook phishing campaign that we shed light on a couple of weeks back was based on the idea that malicious parties could reproduce native browser windows in Javascript, allowing them to trick users into filling usernames and passwords into OAuth login prompts.

After showcasing how simple it is, even for vigilant users, to fall for attacks that mimic native elements, I decided to further explore the subject in hopes of equipping readers with the know-how to avoid these sorts of phishing campaigns.

This new campaign targets users on mobile (specifically iOS devices, but could very easily be adapted to target Android devices as well). The malicious page prompts the user to authenticate using Facebook social login from a website that looks like Airbnb, but could be anything else.

Demo of the phishing campaign (Reproduction):

Upon clicking the 'Login with Facebook' button, the user is prompted by the OS to confirm their intent to use Facebook to login.

This step is followed by Safari launching a new tab and the user being prompted to authenticate on Facebook.

It wouldn't be a phishing campaign if all of the above were legitimate steps. In this specific case, almost everything is fake.

The prompt to authenticaete the action is fake. It is an image displayed within the HTML document that makes it look like an iOS prompt.

popup_facebook

The tab switching in Safari is also fake, it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in.

tabSwitch

The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page.

From the moment a user accesses the malicious website, they are manipulated into performing actions that seem legitimate, all with the purpose of building up their confidence to submit their Facebook password at the final stage of the attack.

This attack is poorly implemented and contains multiple flaws from both a process and design point of view. Login with Facebook prompts are presented as an external window in Safari, not as an additional tab that the user is switched to, as the origin URL still appears in minimized form over the fake Facebook navigation bar. This just goes to show how little users know about how software is supposed to behave in specific scenarios.

Although hackers would probably implement this campaign in a more realistic manner, in its current form, a majority of users would fall for this attack, as the details that give it away are relatively subtle and more importantly, the user is shown specific 'familiar' actions that seem to turn off the part of the brain that doubts the legitimacy of the page.

The most effective way to protect yourself from these types of attacks is to learn to be more skeptical, and always ask yourself questions when prompted to provide any kind of information online. Analyzing this specific campaign in order to understand what elements make it successful, in my opinion, doesn't help, as I believe that we are hardwired to be tricked by these illusions. I will discuss this last statement in details in another post.

Phishing relies on the user's ability to give away sensitive data to malicious parties. In order to do that, hackers need to put the victim in a position where he is incentivised to submit that information. Asking yourself 'Why am I being asked to do this? Isn't it out of the ordinary?' every time you are asked to submit information puts you in a defensive mindset that will more often than not protect you against elaborate scams.

It is extremly hard to fully protect yourself from social engineering attacks. Adopting basic protection mechanisms that become second nature with time is the best way to mitigate the damage caused by a potential breach.

It is very important to use strong, unique passwords for every service that you use and to setup 2FA on all services that support it.

In this specific case, using a password manager would have protected you from the attack, as a password manager that supports iOS 12 Auto-Fill, such as Myki , would not have suggested to autofill your Facebook password, a sign that the page your are attempting to authenticate to is not legitimate.

Mimicking Native iOS Behavior in Facebook Phishing Campaign
Share this