A New Facebook Phishing Campaign Targets iOS Users
By Bill Toulas, March 12, 2019

Phishing actors have done an excellent job of mimicking the Facebook login flow and are bound to iron out the few small mistakes that remain in the near future. Mobile users should use a password manager and make the move to 2FA compulsory.

In what seems to be a spin-off of the hyper-realistic phishing campaign uncovered by Myki researchers, a new Facebook phishing campaign has been found that this time targets mobile users. While only iOS devices are currently targeted, porting the entire scheme to Android would be a trivial job for the malicious actors. The main point of the campaign is to trick users into entering their Facebook login credentials into a legitimate-looking login screen, following a series of well-thought-out and perfectly executed browser transformation effects that can fool even the most experienced.

Tweet from Antoine Jebara (@JebaraAntoine), March 11, 2019: "New @facebook #phishing #facebook #iOS"

While this campaign looks plausible and may actually fool even seasoned users, Jebara points out a few bugs that careful people would have caught:

“This attack is poorly implemented and includes several vulnerabilities both from a method perspective and from a design perspective. Login with Facebook prompts is viewed in Safari as an external window, not as an additional tab to be turned to by the user, as the root URL still appears in minimized form over the fake Facebook navigation bar. Although hackers will possibly execute this strategy more logically in its current form, a majority of users will fall for this attack as the specifics that offer it are relatively subtle and, more importantly, the user is shown clear ‘family’ acts that seem to turn off the part of the brain that questions the page’s legitimacy.”

If you’re looking for a good password manager to keep you safe when you’re on the go, check out our list of the best password managers, and check any login page for the common signs of phishing before you enter your credentials.
Reddit Suffers Data Breach, Doesn’t Give Out Numbers
In June, Reddit suffered a data breach; it is unclear how many users were affected. The intruders gained access to email addresses and a backup of a 2007 database. The attack involved intercepting 2FA codes sent via SMS.

In June the company announced that Reddit had experienced a data breach. The data the hacker accessed includes a list of current email addresses and a backup of the 2007 database, which contains some salted and hashed passwords. According to Reddit, on June 19 they learned that between June 14 and June 18 an attacker had compromised some employee accounts at the company's cloud and source code hosting providers. The company places the blame on SMS-based two-factor authentication, saying it is not nearly as secure as they would expect, since the main attack was carried out by intercepting SMS messages.

The hackers also accessed email digests sent by the platform between June 3 and June 17, 2018. This means they know which subreddits each affected user subscribes to, which posts were suggested to them, and so on.

The problem with the whole thing is that Reddit has known what happened since June 19 and has only now revealed it to the world, which is a pretty big deal. Whether the data was highly sensitive or not is not necessarily the point: a data breach happened and information was exposed to third parties. And yet here we are, a month and a half later, only now learning of it. Also, there is no number attached to the announcement, so how many accounts have actually been affected?

“I would be similarly cautiously optimistic about the extent of the reported data breach and confirm extensively that no other systems or user accounts have been compromised. Several interconnected cybercrime organizations also execute large-scale attacks in tandem, aimed at distracting confused and fearful security teams. While the first group’s attack vectors are being mitigated, others are still actively exploited without success,” CEO Ilia Kolochenko of High-Tech Bridge told TechNadu via email.
He also indicated that blaming two-factor authentication via SMS is not ideal, as it is still better than nothing in many situations. What we should focus on instead is how the attackers obtained Reddit employees’ passwords and mobile phone numbers before defeating the security feature. “In fact, when most business-critical systems have serious vulnerabilities that range from injections to RCE, 2FA hardening is definitely not the most important task to take care of,” said Kolochenko.