A falsely reported bug in the Myki Auto-Fill functionality led us to discover a phishing campaign that even the most vigilant users could fall for.
The attack is based on the concept of being able to reproduce a social login prompt in a very realistic format inside an HTML block.
Demo of the phishing campaign (Reproduction):
Steps to reproduce:
The attacker designs a very realistic-looking social login popup prompt in HTML. The status bar, navigation bar, shadows and content are reproduced to look exactly like a legitimate login prompt.
When a user visits the malicious website, they are prompted to log in with a social account (Facebook in this case). Upon selecting a login method, the fake login prompt is presented. The user can interact with it, drag it and dismiss it the same way they would a legitimate prompt.
Filling the username and password fields will result in the user’s credentials being sent to the attacker.
The only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in. A legitimate login prompt is a separate browser window, so it can be moved beyond the edge of the page; the fake one is an HTML element inside the page, so it is clipped by the page's boundaries. If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.
We do not know if this specific type of hyper-realistic phishing campaign was previously reported but we’ve never seen one live and a quick Google search doesn’t pull up similar results.
The closest campaign that we can think of is the iOS login prompt phishing campaign that was reported a while back, but that was restricted to iOS devices and iCloud/email login prompts.
We would like to raise awareness on the issue as quickly as possible, due to how realistic and deceptively convincing the campaign is.
Current phishing guidelines advise users to check the URL and look out for “HTTPS”, but that doesn’t help in this case: the fake popup’s address bar, padlock and URL are all HTML content generated by the attacker and can be made to look exactly like the real thing. The best way to protect yourself and avoid filling in a similar form is to try dragging the ‘popup’ outside the browser window, which today is not a guideline that users are aware of.
Password managers such as Myki can protect you from such attacks, since they match saved credentials against the URL of the page that actually contains the form. For the simulated popup that page is the attacker’s site, never the social network’s, so the credentials are not offered.
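The following is an added example of the check described above, written for this page and not taken from Myki or any password manager's code. It models the decision a password manager's content script would make before autofilling: the saved credential is only released when the document that owns the login form has the same HTTPS origin as the site the credential was saved for. The hypothetical `formContext` objects are constructed here in place of real DOM data; a real popup would populate them from `window.location` and `window.opener`, and a fake in-page prompt would report the attacker page's origin because it is just an element in that page.

```javascript
// Added example (not Myki's code). Models an autofill gate that refuses to
// fill a saved credential into a login form hosted on a different origin,
// which is how the fake in-page "popup" described above is defeated.

// Normalise a URL to its origin (scheme + host + port). Returns null for
// anything that is not a valid HTTPS URL, so those cases are never filled.
function normalizeOrigin(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

// savedCredential: { site: URL the credential was saved for, username }
// formContext (hypothetical, constructed for this example):
//   documentUrl      URL of the document that owns the password field
//   topUrl           URL of the top-level document of that browsing context
//   isSeparateWindow true for a real popup window, false for an in-page element
function autofillDecision(savedCredential, formContext) {
  const siteOrigin = normalizeOrigin(savedCredential.site);
  const docOrigin = normalizeOrigin(formContext.documentUrl);

  if (!siteOrigin || !docOrigin) {
    return { fill: false, reason: 'invalid or non-HTTPS URL' };
  }
  // Core check: the form's own document must be served by the credential's site.
  // A fake prompt drawn in HTML lives in the attacker's document, so this fails.
  if (docOrigin !== siteOrigin) {
    return { fill: false, reason: `form is hosted on ${docOrigin}, credential is for ${siteOrigin}` };
  }
  // Conservative extra rule (an assumption of this example, not a rule from the
  // post): if the form is an in-page frame, the top-level page must match too,
  // since social logins are expected to run in a standalone popup window.
  if (!formContext.isSeparateWindow) {
    const topOrigin = normalizeOrigin(formContext.topUrl);
    if (topOrigin !== siteOrigin) {
      return { fill: false, reason: `login form is framed by ${topOrigin}` };
    }
  }
  return { fill: true, reason: 'document origin matches saved credential' };
}

// Constructed sample scenarios (all URLs and names are made up for the example).
const SAVED = { site: 'https://www.facebook.com', username: 'alice@example.com' };

const SCENARIOS = {
  // A genuine social-login popup: separate window, served from the real site.
  realPopup: { documentUrl: 'https://www.facebook.com/login.php', topUrl: 'https://www.facebook.com/login.php', isSeparateWindow: true },
  // The attack from the post: the "popup" is HTML inside the attacker's page,
  // so the form's document is the attacker's site regardless of what it draws.
  fakeInPagePopup: { documentUrl: 'https://attacker.example/offer', topUrl: 'https://attacker.example/offer', isSeparateWindow: false },
  // Fake prompt that only mimics the domain with a look-alike hostname.
  lookAlikeHost: { documentUrl: 'https://www.facebook.com.attacker.example/', topUrl: 'https://www.facebook.com.attacker.example/', isSeparateWindow: true },
  // Same host over plain HTTP: never filled.
  plainHttp: { documentUrl: 'http://www.facebook.com/login.php', topUrl: 'http://www.facebook.com/login.php', isSeparateWindow: true },
};

// Evaluate every scenario; returns { name: decision } for inspection or testing.
function runScenarios(saved = SAVED, scenarios = SCENARIOS) {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    out[name] = autofillDecision(saved, ctx);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, d] of Object.entries(runScenarios())) {
    console.log(`${name.padEnd(16)} fill=${d.fill}  (${d.reason})`);
  }
}
```

Only the `realPopup` scenario is filled; the in-page fake, the look-alike hostname and the plain-HTTP form are all refused, and the refusal reason is what a password manager could surface to the user as a warning that the prompt in front of them is not what it claims to be.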
The best solution remains to always stay vigilant while browsing the Internet.