Phishers are using a new tactic to get your Facebook login details: copycat single sign-on login windows.
A plethora of third-party websites use single sign-on, or SSO, to let you log in with your Facebook details. Your Facebook login then acts as a kind of master key that gives you access to the other services you’ve signed up for. This is easier for both the end user and the website being logged into: no additional password authentication step is needed, because your identity is verified via Facebook, and the third-party site never even sees your username and password.
A password manager service called Myki recently came upon an SSO login prompt that appeared to be from Facebook, but further investigation revealed that it didn’t run on the Facebook API and didn’t interface with Facebook at all.
According to a Myki blog post on the subject, “the attack is based on the concept of being able to reproduce a social login prompt in a very realistic format inside an HTML block.” Myki’s recreation of the attack shows just how easy it can be to mistake the fake prompt for the real thing.
Filling in the requested username and password fields will send your credentials to the attacker. To check whether a prompt is genuine, try dragging it outside the current browser window: a real SSO popup is a separate window and can be moved freely, whereas a fake one is just part of the page.
“If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake,” says the Myki blog post.
An additional step to protect yourself from this kind of attack would be to use a reliable password manager, because that kind of service looks at the parent page URL rather than the prompt’s appearance, which helps you detect fake login prompts.
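As an added illustration of that last point (example code, not Myki’s or Facebook’s), here is the kind of origin check a password manager can run before offering a saved credential to a login prompt: a prompt that is styled as Facebook but is rendered by another site’s page gets nothing. The field names, the policy and the sample vault are assumptions.

```javascript
// Added example, not Myki's or Facebook's code: the origin check a password
// manager applies before offering a saved credential to a login prompt.
// Field names, the policy and the sample vault below are assumptions.

// Constructed sample vault: each credential is bound to the origin it was saved on.
const VAULT = [
  { origin: "https://www.facebook.com", username: "alice@example.com" },
  { origin: "https://shop.example", username: "alice" },
];

// Naive registrable domain (last two labels). A real manager would consult the
// Public Suffix List; this is enough for the hosts used in this example.
function siteOf(urlString) {
  return new URL(urlString).hostname.split(".").slice(-2).join(".");
}

// prompt describes where the login form really lives, as an extension sees it:
//   frameUrl    URL of the document that contains the form
//   topUrl      URL of the top-level page in that browser window
//   ownWindow   true for a separate browser window (how a genuine SSO popup opens),
//               false for a form drawn inside the host page's own DOM
//   claimedSite optional: the brand the prompt presents itself as, e.g. "facebook.com"
function assessPrompt(vault, prompt) {
  if (!prompt.frameUrl.startsWith("https://")) {
    return { fill: [], reason: "login form not served over https" };
  }
  const frameSite = siteOf(prompt.frameUrl);
  const topSite = siteOf(prompt.topUrl);
  // An HTML block imitating a popup is still part of the page that drew it, so it
  // is judged by the host page's origin, never by its styling.
  if (!prompt.ownWindow && frameSite !== topSite) {
    return { fill: [], reason: `login frame for ${frameSite} embedded in ${topSite}` };
  }
  if (prompt.claimedSite && prompt.claimedSite !== frameSite) {
    return { fill: [], reason: `styled as ${prompt.claimedSite} but rendered by ${frameSite}` };
  }
  const fill = vault.filter((c) => siteOf(c.origin) === frameSite).map((c) => c.username);
  return { fill, reason: fill.length ? `saved credential for ${frameSite}` : `nothing saved for ${frameSite}` };
}

// Genuine SSO popup: its own browser window, served from facebook.com.
const genuine = { frameUrl: "https://www.facebook.com/login.php",
  topUrl: "https://www.facebook.com/login.php", ownWindow: true, claimedSite: "facebook.com" };
// Fake prompt of the kind Myki found: Facebook styling inside the host site's own DOM.
const fake = { frameUrl: "https://shop.example/checkout",
  topUrl: "https://shop.example/checkout", ownWindow: false, claimedSite: "facebook.com" };
console.log(assessPrompt(VAULT, genuine), assessPrompt(VAULT, fake));
```

On the fake prompt the manager offers no Facebook credential at all and reports that the form is rendered by shop.example, which is exactly the mismatch the user cannot see from the prompt's appearance.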