Fake SSOs login windows steal passwords of Facebook Users

Now, the phishers are deploying new ways and means to trick people and steal their Facebook password. As per the researchers, phishers are doing this by presenting the exact replicas of the single sign-on login windows on various malicious websites.

Single Sign-on (SSO) is one such feature that gives people the facility to typically use their accounts, such as Twitter, LinkedIn, Google and Facebook, on various other sites for logging in to the third-party websites. The main objective of SSO feature is to simplify things for both - the websites as well as the end-users. The people do not require to create and then remember passwords of each and every site, rather with this SSO feature they can simply log-in by using credentials of one single website.

Researchers with Myki, a password manager service, recently detected a website that claim to offer the SSO through Facebook. The log-in window almost looked similar to the original Facebook SSO. However, this one did not run on Facebook API and also did not interface with the social network by any means. Rather, it phished the sensitive
information like username and password.

The reason why the fake SSO login window appears to be so authentic is because all the components of the genuine Facebook SSO have been reproduced almost perfectly. Everything has been designed keeping in the mind the original components, and how it appears to the users in genuine Facebook SSO. From the Navigation bar to the Status bar to HTTPS-based Facebook address to shadows, everything appears more or less similar. The window appearing on this phishing page, however has been rendered by using block of HTML instead of calling an API which opens the real Facebook window. Hence, due to this, any information typed on this fake SSO page got delivered directly to phishers.

Although the fake SSO login window is very convincing, but still there is an easy way by which any user can make out immediately that it is fake. If genuine, the SSOs from Google and Facebook could be dragged outside the window of third-party website without any login prompt part disappearing. On the other hand, portions of fake SSO would disappear while dragging.

» SPAMfighter News - 3/8/2019