How do you check if a website asking for your credentials is fake or legit to log in?
By checking if the URL is correct?
By checking if the website address is not a homograph?
By checking if the site is using HTTPS?
Or using software or browser extensions that detect phishing domains?
Well, if you, like most Internet users, are also relying on the above basic security practices to spot whether that “Facebook.com” or “Google.com” you have been served is fake or not, you may still fall victim to a newly discovered creative phishing attack and end up giving away your passwords to hackers.
Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, told The Hacker News that his team recently spotted a new phishing attack campaign “that even the most vigilant users could fall for.”
Vincent found that cybercriminals are distributing links to blogs and services that prompt visitors to first “login using Facebook account” to read an exclusive article or purchase a discounted product.
That’s fine. Login with Facebook or any other social media service is a safe method and is being used by a large number of websites to make it easier for visitors to sign up for a third-party service quickly.
Generally, when you click the “log in with Facebook” button available on any website, you either get redirected to facebook.com or are served facebook.com in a new pop-up browser window, which asks you to enter your Facebook credentials to authenticate using OAuth and to permit the service to access your profile’s necessary information.
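The manual checks listed at the top of this article (correct URL, no homograph, HTTPS), written as a small JavaScript function. This is an added example, not code from the article or from Myki; the host allowlist and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: hosts a "log in with Facebook" window is expected to show.
// This allowlist is an assumption for the sketch, not taken from the article.
const EXPECTED_HOSTS = new Set(["facebook.com", "www.facebook.com"]);

// Returns the names of the failed checks for a URL string (empty = all passed).
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return ["unparseable"];
  }
  const problems = [];
  // Check 1: the login page must be served over HTTPS.
  if (url.protocol !== "https:") problems.push("not-https");
  // Check 2: the URL parser converts internationalized names to punycode,
  // so a label starting with "xn--" means the name held non-ASCII characters.
  const labels = url.hostname.split(".");
  if (labels.some((label) => label.startsWith("xn--"))) {
    problems.push("idn-homograph-candidate");
  }
  // Check 3: exact host match; a substring or prefix match is not enough.
  if (!EXPECTED_HOSTS.has(url.hostname)) problems.push("unexpected-host");
  return problems;
}

// Constructed sample inputs (not from the article).
const samples = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "https://f\u0430cebook.com/login.php", // Cyrillic U+0430 in place of Latin "a"
  "https://facebook.com.login.example/",
];
for (const sample of samples) {
  console.log(new URL(sample).hostname, checkLoginUrl(sample));
}
```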