Behold, the Facebook phishing scam that could dupe even vigilant users
Phishers are deploying what appears to be a clever new trick to snag people’s Facebook passwords by presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week.
Single sign-on, or SSO, is a feature that allows people to use their accounts on other sites—typically Facebook, Google, LinkedIn, or Twitter—to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Rather than having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that don’t want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the the login to happen without the third party site ever seeing the username password.
Researchers with password manager service Myki recently found a site that purported to offer SSO from Facebook. As the video below shows, the login window looked almost identical to the real Facebook SSO. This one, however, didn’t run on the Facebook API and didn’t interface with the social network in any way. Instead, it phished the username and password.