The new "creative" phishing attack that you should watch out for

A cybersecurity researcher who warned last month about a creative phishing campaign has now shared details of a new, but similar, attack campaign with The Hacker News, which was specifically designed to attack mobile users.

As in the previous campaign, the new phishing attack is also based on the idea that a malicious web page could mimic the appearance of the browser window to trick even the most vigilant users into providing their login credentials to attackers.

Antoine Vincent Jebara, co-founder and CEO of Myki password management software, shared a new video with The Hacker News portal, demonstrating how attackers can reproduce the behavior of native iOS, browser URL bar, and Safari's tab-shifting animation effects in a very realistic way on a web page to present fake login pages, without actually opening or redirecting users to a new tab.

New Phishing Attack Mimics Animation and Mobile Browser Design

A malicious Airbnb-like website prompts users to authenticate using their Facebook login, but by clicking, the page displays an animated video with a fake tab in order to induce users to think that their browsers are behaving normally.

"Once a user accesses the malicious site, he is manipulated to perform actions that appear legitimate, all with the aim of increasing his confidence to submit his Facebook password at the final stage of the attack.”

If users do not pay close attention to details and do not identify minor differences, they will end up filling in the username and password fields on the phishing page, resulting in the delivery of their social media credentials to attackers.

"This attack is poorly implemented and contains several flaws from a process and design point of view. Login warnings with Facebook are presented as an external window in Safari, not as an additional tab to which the user is switched. It appears minimized on the fake Facebook navigation bar " , said Jebara.

"Although hackers will probably implement this campaign in a more realistic way, in its current form, most users would fall for this attack, since the details that reveal it are relatively subtle and, more importantly, the user is shown as specific" familiar actions that seem to turn off the part of the brain that doubts the legitimacy of the page.

How to protect yourself against this new form of phishing scams

It’s important to notice that these advanced phishing attacks are not limited to Facebook, Safari browser or iOS mobile users only, but can be easily adapted for Android devices or any other social media website.

Cybercriminals can target different platforms by creating a website that automatically serves different versions of phishing pages based on the browser app and mobile operating system victims.

Because there are no clear guidelines for identifying these creative phishing attacks, users are highly recommended to:

• Use password managers that automatically fill in credentials on legitimate domains, helping to prevent credential donations to fake websites.

• Enable two-factor authentication whenever it is available, preventing hackers from accessing your online accounts, even if they can somehow steal your credentials.

In addition, Jebara also suggests that users ask themselves: "Why does it ask me to log in?" Or "Am I not logged in with this yet?" when hackers try to mimic the logins of popular websites for which you already have an app on your smartphone.

Phishing is still one of the most serious threats to users and businesses, and hackers keep trying new and creative ways to induce them to provide confidential and financial details that they could later use to steal their money or hack their online accounts.

Translated from: https://mundohacker.net.br/novo-ataque-de-phishing-criativo-em-que-voce-deve-prestar-atencao/