Similar to the Facebook phishing campaign seen a few weeks ago stealing users’ credentials, this time iPhone users are being targeted. Users are led to a site that mirrors the authentic one, for example, researchers discovered a cloned Airbnb site. When victims reach the site, they are prompted to sign in to their Facebook in order to access the content of the page. When credentials are entered, a notification appears that tells the user their account has been compromised. Researchers explained the detail of the fake sites stating, “the prompt to authenticate the action is fake. It is an image displayed within the HTML document that makes it look like an iOS prompt. The tab switching in Safari is also fake, it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in.” Implementation was flawed but many users will still fall for it because the flaws were very subtle.
Analyst Notes
When visiting sites through an external link, the user should consistently check the URL. Dashes, underscores, and extra words are subtly used to make it difficult for users to differentiate between real and fake. Users should also check for an SSL/TLS certificate or the padlock on the left-hand side of the browser bar. The “about” tab on a page should also be analyzed, if there isn’t one that should be the first sign of a fake page.
