Sneaky Facebook phishing attack.

I became aware of this really sneaky attempt by hackers to steal people’s Facebook ID and password recently. This is known as phishing and it’s quite clever and I must admit that I could quite easily have fallen victim to it, had I not read the article.

I’ve put a link to the full article at the bottom of this post, but essentially what happens is:

  • If you click on a compromised link, a very legitimate looking “Facebook Page Verification” form will appear asking for your e-mail/phone, password and a security question.

Facebook Phishing example

  • If you fill it in, it will say that the first attempt is incorrect.
  • If you fill it in again, it will then come back to say it has been accepted and is awaiting approval, which might take 24 hours.

The failure at the first attempt is a clever ruse. Some people, suspecting a form might be illegitimate, deliberately enter a false ID and password first; when the site rejects those false details, they take it as proof that the site is genuine and proceed with their correct credentials.

Whatever you have typed in will be taken and used/abused by the evildoers.

The only way to protect yourself from being compromised by this type of phishing scam is to turn on “Login Approvals” in your Facebook security settings. This means that if somebody (including you) tries to log in to your Facebook account from a different device/location, they will need to use your phone to get a code to prove you are who you told Facebook you are.

If you have already filled in your details on this page, change your Facebook password immediately and turn on Login Approvals. If the e-mail account associated with Facebook has the same password, then change that one too and, if possible, turn on its Two-Factor Authentication (i.e. use your phone to secure that account as well).

And let's be careful out there!