Facebook Users Threatened with Sophisticated Phishing Attacks

by Elmer Montejo on May 08, 2016


A strong wave of phishing attacks has descended upon Facebook users, as cybercriminals mimic an authentic Facebook login page in order to harvest user login credentials. The phishers have developed an application that lets them display a fake but authentic-looking Facebook login verification page.

The attacks use Facebook’s app platform to display the fake page under a valid Facebook domain and Transport Layer Security (TLS) certificate, giving the fake page an air of authenticity. (TLS is a protocol for ensuring secure communications between domains and users for activities such as email, Internet faxing and data transfers.) To further avoid arousing suspicion, the phishing site uses the HTTPS protocol so web browsers won’t display warnings about insecure sites or pages.

According to a report on AVAST’s blog, the phishing page uses a simple call-to-action form asking for the user’s login ID (email or phone number), password, security question and answer, and birthday. It then sends the login information to the phisher’s email.

To make the experience appear legitimate, the form mimics the interaction that happens when users enter some of the login details incorrectly. When users attempt to log in, the form returns a “Username or Password is wrong” page and asks for the login credentials a second time, tricking unsuspecting users into offering their personal information again.

Once users click the Log In button, they see a page telling them to wait up to 24 hours for an email confirming approval of the verification request. That is more than enough time for cybercriminals to use the login information for illegal purposes, such as accessing user accounts and using those accounts to send spam or scams, including pleas for monetary assistance, to victims’ contact lists. Cybercriminals often sell the information to others who are engaged in similar activities.

The phishing site is reportedly hosted at http://gator4207.hostgator.com/~labijuve/a2/; a quick glance at that address raises immediate suspicions about its authenticity.

How to safeguard your Facebook account

Before logging into Facebook, or any of your online accounts, double-check the page URL first to ascertain that it does indeed come from the intended site. Facebook protects your account with Login Approvals, also known as two-factor authentication or two-step verification, so that cybercrooks won't be able to log into your account even if they do succeed in stealing your login credentials. The two-step process requires anyone logging into your account through a new device or a new web browser on one of your devices to provide a secondary form of authentication. For Facebook, the easiest form of authentication is entering a one-time code that is texted to your smartphone. Once you verify the device, you'll be all set. There is no need to authenticate every time you log in.


To turn on Login Approvals, click on the security padlock in the upper right corner and then choose Security Settings > Login Approvals. From there, Facebook will walk you through the process of securing your account.

Don't just secure your Facebook account; make sure you turn on two-factor authentication for all of your accounts. And be alert to how fraudsters commonly carry out their scamming and hijacking activities on social media.
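The URL check recommended above can be written down as a small script. This is an added example, not code from the article or from AVAST: the trusted-domain list, the function names and every sample URL except the reported phishing address are assumptions made for illustration, as is the idea that the app platform embeds the form from its external host. It shows why the address bar alone can look fine while the embedded form does not.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user really means to sign in to.
TRUSTED_DOMAINS = ("facebook.com",)

# Address the article reports the phishing form was hosted at.
REPORTED_FORM_URL = "http://gator4207.hostgator.com/~labijuve/a2/"


def login_url_problems(url, trusted=TRUSTED_DOMAINS):
    """Return reasons not to type credentials into `url` (empty list = none found)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        userinfo = parts.username
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme != "https":
        problems.append("not served over HTTPS")
    # In https://facebook.com@login.example/ the real site is login.example.
    if userinfo is not None:
        problems.append("text before '@' is not the site name")
    # Match the whole domain or a true subdomain, never a bare prefix or suffix,
    # so facebook.com.login.example and notfacebook.com are both rejected.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        problems.append("host %r is not on a trusted domain" % host)
    return problems


def page_problems(address_bar_url, frame_urls):
    """Check the address bar and each embedded frame that could hold the form."""
    report = {u: login_url_problems(u) for u in [address_bar_url, *frame_urls]}
    return {u: p for u, p in report.items() if p}


if __name__ == "__main__":
    # Constructed samples, apart from REPORTED_FORM_URL.
    for sample in ("https://www.facebook.com/",
                   REPORTED_FORM_URL,
                   "https://facebook.com.login.example/verify",
                   "https://facebook.com@login.example/"):
        print(sample, "->", login_url_problems(sample) or "no problems found")
    # A page whose address bar is on facebook.com but whose form is not.
    print(page_problems("https://apps.facebook.com/constructed-app/",
                        [REPORTED_FORM_URL]))
```

A clean result only means the address belongs to the intended site; it is a complement to Login Approvals, not a replacement for them.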

Updated on 5/8/2016 with Facebook Login Approvals information.

[Image credit: Password box in Internet Browser via Shutterstock]



From Patrick on May 09, 2016 :: 4:01 pm


Hi Susan,
Please, this has nothing to do with the Facebook incident.
My Yahoo account has been taken over by someone else. Every time I follow the instructions on reset to my mail box, the name addressed is not me. When I send the code given and enter verify, nothing happens. I don’t know how to contact Yahoo about this. Any ideas? Thanks.


From Bob Scott on May 13, 2016 :: 3:31 pm


I have had nothing but hacking on my Facebook page, namely creating posts under my name on my account. Each time I login to FB, I have to TWICE change my password. The first time to clear all devices, the second to enter a new password again.

What I’d like to know re this article, is how can I secure my account not with a Cell Phone but for my laptop and laptop ONLY?
Thanks.
