Phishing Scams Exploit Browser-in-the-Browser Attacks to Steal Facebook Passwords


Cybercriminals are increasingly using a sneaky browser-in-the-browser (BitB) attack technique in efforts to steal the login credentials of Facebook users.

According to analysis by cybersecurity researchers at Trellix, there has been a surge in attackers distributing phishing emails which lure users towards trustworthy-looking authentication screens with the intention of harvesting usernames and passwords.

It is thought that the aim of the attacks is to take over accounts in order to steal personal data, commit identity fraud or spread scams to the users’ contacts. With over three billion users, Facebook remains a tempting target for cyber criminals to undertake attacks and scams.

These campaigns typically begin with phishing emails: researchers noted that attackers commonly distribute lures claiming to be messages from law firms warning potential victims that they need to take urgent action to avoid a claim of copyright infringement.

Other lures known to be distributed by the attackers issue fake notifications about an unauthorized login attempt, or a warning that the account is about to be shut down due to suspicious activity.

Each of these is designed to force the user to panic and take what they’re being told is the necessary action to prevent their account from being closed.

The phishing emails urge the user to click what looks like a Facebook link to take the necessary action – although these are phoney shortened URLs which are manipulated to look more legitimate.

What makes the attacks seem convincing is that the browser-in-the-browser pop-up window looks legitimate, appearing exactly as users would expect the Facebook login page to appear.

The pop-up window displays the real Facebook login page URL, which the attackers have hardcoded into the fake authentication window, and the attackers also present a fake CAPTCHA before it. Both tactics are designed to trick the victim into believing they’re visiting the real Facebook login page.
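The mechanism described above, a fake address bar rendered as ordinary page content, suggests a simple defensive check. The JavaScript below is an added example, not code from the article or from Trellix; it assumes a page's HTML and the hostname it was really served from are available (for instance to a scanner or browser extension), and flags a page that displays a URL for one site while being served from another and asking for a password. It generalizes beyond Facebook to any displayed host.

```javascript
// Added example (not from the article or Trellix): heuristic check for a
// browser-in-the-browser (BitB) fake login window. A BitB "pop-up" is ordinary
// page content, so its fake address bar is just text in the DOM. If the visible
// text shows a URL for one site while the document is really served from
// another, and the page asks for a password, the window is very likely spoofed.

const DISPLAYED_URL_RE = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#][^\s"'<>]*)?/gi;

// Approximate the text a user actually sees: drop script/style blocks, then tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)[\s\S]*?<\/\1>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');
}

// True when `host` is `site` itself or a subdomain of it.
function sameSite(host, site) {
  host = host.toLowerCase();
  site = site.toLowerCase();
  return host === site || host.endsWith('.' + site);
}

// Constructed simplification: treat the last two labels as the site name
// (sufficient for facebook.com; a real scanner would use the public suffix list).
function registrableName(host) {
  return host.split('.').slice(-2).join('.');
}

function detectBitB(html, realHostname) {
  const displayed = [...visibleText(html).matchAll(DISPLAYED_URL_RE)].map(m => m[1]);
  const asksForPassword = /<input[^>]*type\s*=\s*["']?password/i.test(html);
  // Hosts shown to the user that do not belong to the site actually serving the page.
  const spoofedHosts = [...new Set(displayed)].filter(
    h => !sameSite(h, registrableName(realHostname)));
  return {
    asksForPassword,
    spoofedHosts,
    suspicious: asksForPassword && spoofedHosts.length > 0,
  };
}

// Constructed sample: a fake "window" showing the real Facebook URL, served elsewhere.
const SAMPLE_BITB = `
<div class="fake-window">
  <div class="addressbar">https://www.facebook.com/login.php</div>
  <form action="/collect"><input name="email"><input type="password" name="pass"></form>
</div>`;

console.log(detectBitB(SAMPLE_BITB, 'fb-appeal-support.example'));
```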

These ‘appeal’ pages ask users for personal information, including their name, email address, phone number and date of birth – before a second page asks them to ‘confirm’ their password.

Through these fake pages, the attackers gain access to sensitive personal information, usernames and passwords they can use to commit further fraud at the victims’ expense.

“By creating a custom-built, fake login pop-up window within the victim's browser, this method capitalizes on user familiarity with authentication flows, making credential theft nearly impossible to detect visually,” said Trellix.

To help counter phishing attacks like this, it’s recommended that users apply two-factor authentication (2FA) to accounts: this can automatically block account takeover, even if cyber-criminals steal legitimate login credentials.

It’s also recommended that users treat emails making sudden, unexpected requests like this with suspicion – and that if they are worried about a notification about their account, they log in directly via Facebook from their browser rather than following an unfamiliar link.
