Antoine Vincent Jebara, co-founder and CEO of the password manager Myki, released a video on Twitter demonstrating how attackers can mimic iOS behavior to trick users into giving up their credentials.
This new phishing campaign reproduces typical Safari features such as the URL bar and the tab-switching animation, so the experience appears legitimate to the user. In the video, Antoine demonstrates this with a malicious website that looks like Airbnb, a highly popular travel accommodation site.
The website prompts the user to log in via Facebook, a common feature most users are now well used to. When the user taps the link to authenticate with Facebook, the page plays a fake tab-switching animation that tricks the user into thinking the browser is behaving normally.
On his blog Antoine says:
This new campaign targets users on mobile (specifically iOS devices, but could very easily be adapted to target Android devices as well). The malicious page prompts the user to authenticate using Facebook social login from a website that looks like Airbnb, but could be anything else.
This step is followed by Safari launching a new tab and the user being prompted to authenticate on Facebook.
The tab switching in Safari is also fake: it is a recording of a video of tabs switching that is played as soon as the user confirms their intent to log in.
The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page.
From the moment a user accesses the malicious website, they are manipulated into performing actions that seem legitimate, all with the purpose of building up their confidence to submit their Facebook password at the final stage of the attack.
Of course, if the user does log in, they have handed over the password to their Facebook account, which contains a treasure trove of information about the individual.
Antoine does point out some flaws in the attack's design. For example, Facebook login prompts are presented in a separate window rather than in an additional tab as shown in the video. However, the difference is subtle enough to fool most people, since the new-tab animation is something Safari users see frequently.
There is also the possibility that attackers will become more sophisticated with phishing campaigns of this type and design even more convincing scenarios.
Antoine goes on to say that the best way to protect yourself is to become more skeptical. He says:
Phishing relies on the user’s ability to give away sensitive data to malicious parties. In order to do that, hackers need to put the victim in a position where he is incentivised to submit that information. Asking yourself ‘Why am I being asked to do this? Isn’t it out of the ordinary?’ every time you are asked to submit information puts you in a defensive mindset that will more often than not protect you against elaborate scams.