This tricky scam is at large and fooling iOS users — stay alert and don’t fall for it.
A new cyber-scam collecting social media account logins is making its way through iOS devices, fooling users with its realistic-looking login process, which is really a video simulation. Unsuspecting victims are entering their Facebook credentials into the fake login screen, which then sends the credentials straight to the malware’s C&C (command and control server).
The scam begins with an authentic-looking webpage, such as Airbnb, prompting the user to log in with their Facebook account. When the user taps the “Login with Facebook” button, a video seamlessly plays that makes it look as though Facebook is being opened in another Safari window on the device. The user is then prompted to enter their Facebook login credentials.
Experts say a discerning eye can spot the gaffes in the ruse, namely that while the fake Facebook tab is “opening up,” the origin URL remains minimized over the process, showing that the user is still on that malicious site. All the same, users not on the lookout for something phishy may not notice, as the video simulation of a new tab opening looks largely familiar and normal to what they typically see on their iOS devices.
To ensure you don’t fall victim to this and other insidious phishing attacks, Avast recommends the following:
Install a mobile security product— Having a constant watchdog is not a bad thing with cybercriminals, hackers, and shady online entities trying every which way to infiltrate your system and steal your data. A powerful security network like Avast Mobile Security for iOS keeps you safe every time you’re online with your phone or tablet.
Use a password manager — A password manager remembers all your passwords and auto-fills them on legitimate websites, and in the case of this specific phishing scam, it would protect you by recognizing the malicious site as illegitimate and refusing to auto-fill your credentials. You can install Avast Passwords for iOS for free.
Enable 2-factor authentication — With 2FA or MFA (multi-factor authentication), even if your login credentials are stolen, that’s only part of the key needed to access your account. It’s a safety measure that requires an extra step when you log in, but could make all the difference if your credentials are compromised.
Avoid clicking links and downloads — Whenever you receive a message or email about one of your accounts, and it contains a link you can purportedly click to fix it...never click those links. More often than not, they are phishing scams. Even if it seems to come from someone you know. Instead of clicking (or downloading an attachment), delete the email and contact the entity or institution directly.
Take padlocks with a grain of salt — While we’ve always urged you to only visit secured HTTPS sites noted with the padlock icon, cybercriminals have caught on and now certain malicious sites have been encrypted with HTTPS to further deceive users. Avast Security Expert Martin Hron comments, “Remember, that little lock only means that data between you and the website is exchanged in a secure manner and is not tampered with during transmission. But that does NOT tell you anything about the content trustworthiness.”
The social media giant claimed in 2016 that it would stop importing user contacts, but the practice has continued since then with no opportunity for users to opt out.
The fake Nike offer scamming users on Facebook is just one example of this growing cybercrime.