Beware of this Facebook phishing attempt by hackers (Reuters)

If you frequently use Facebook on your smartphone, beware! Researchers have uncovered a new phishing attempt by hackers that targets smartphone owners, most of whom are Facebook users.

Security researchers from PhishLabs say the new tactic relies on the fact that mobile browsers have very narrow URL address bars, which prevent users from seeing the entire link. Taking advantage of this, the hackers pad URLs with sub-domains and hyphens so that links look authentic on mobile devices but in reality redirect the user to dodgy sites.

One example given by the firm is hxxp://m.facebook.com, where http has been replaced with hxxp so that the link cannot be clicked by accident.

Users may be fooled into thinking they are visiting the real site and give away their Facebook credentials to these hackers. The hackers in turn use those credentials to spam the victim's friends with their phishing pages, spreading the campaign to as many people as possible.

A similar tactic has been used in the past against services such as Apple iCloud, Comcast, Craigslist, and OfferUp. Because users cannot hover over links on mobile devices, they have no way to tell whether a link is safe before tapping on it.
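The padding trick described above can be checked for mechanically once a link is visible in full. The following is an added illustration, not code from the article or from PhishLabs: it parses a link, works out which domain actually serves the page, flags long runs of hyphens and brand names that sit in front of somebody else's domain, and shows what a narrow address bar would have displayed. The sample links, the hyphen threshold and the trusted-domain list are constructed assumptions.

```python
"""Flag URL-padded links of the kind described in the article (added example)."""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com"}   # assumption: registrable domains we treat as genuine
BRAND_WORDS = ("facebook",)          # brand names used as bait in the padded prefix
HYPHEN_RUN_THRESHOLD = 4             # assumption: real labels rarely contain 4+ hyphens in a row

# Constructed sample links; the phishing host uses the reserved .test TLD.
PADDED = "http://m.facebook.com----------------validate----step1.example-phish.test/sign_in.html"
GENUINE = "https://m.facebook.com/login"
OTHER = "https://www.example.org/"

def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (a simple eTLD+1 guess; no public-suffix
    handling, so 'example.co.uk'-style hosts are not covered)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])

def mobile_preview(url: str, width: int = 30) -> str:
    """What a narrow mobile address bar shows: only the first `width` characters."""
    return url[:width]

def analyse_link(url: str) -> dict:
    """Return the host, the domain that really serves the page, and the reasons
    (if any) the link looks like URL padding."""
    host = (urlsplit(url).hostname or "").lower()
    real_domain = registrable_domain(host)
    longest_run = max((len(m) for m in re.findall(r"-+", host)), default=0)
    reasons = []
    if real_domain not in TRUSTED_DOMAINS:
        bait = [w for w in BRAND_WORDS if w in host]
        if bait:
            reasons.append(f"brand {bait} in hostname but page is served by {real_domain}")
        if longest_run >= HYPHEN_RUN_THRESHOLD:
            reasons.append(f"run of {longest_run} hyphens used as padding")
    if real_domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "suspicious" if reasons else "unrelated"
    return {"host": host, "real_domain": real_domain, "verdict": verdict,
            "longest_hyphen_run": longest_run, "reasons": reasons}

if __name__ == "__main__":
    for link in (PADDED, GENUINE, OTHER):
        print(mobile_preview(link), "->", analyse_link(link))
```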

"Until you visit the site, you have no way of knowing whether it's legitimate," Crane Hassold, an expert on the matter, told Bleeping Computer. "And, as we've already seen, once you're there the URL padding approach is highly effective at obscuring the site's real domain."

How to stay safe

  • The URL redirection can only take place once you are outside the Facebook app, so avoid logging in to Facebook through your browser, and if you do, check the domain carefully
  • Most of these URL-padding phishing links have been sent via SMS, so do not tap any dodgy link in your inbox that mentions Facebook unless it comes from the company's own SMS alerts. If you cannot tell the difference, do not tap any of them
  • Check the full domain name, not just the http part: even a single misplaced letter can mean you are visiting a scam website
  • Keep your security scanner on, although many scanners will not be able to spot some of these phoney sites
  • These phishing links can arrive via email as well, so make sure not to click on dodgy links