I just received a Facebook Messenger message from a good friend yesterday. He apparently saw me in a video and thought I’d be interested in watching it. He’s a friend who does send me interesting stuff once in a while and there was no reason not to click through. Clicking through took me to a Facebook page inviting me to verify my account before loading the video.
Hmm, that is interesting and unexpected, but the page looks very credible and realistic, except for the URL at the top of the page (circled in red in the picture). This isn’t a Facebook site! In fact, it isn’t a credible business site at all!
If I had entered my Facebook credentials and clicked “Log In”, two things would have happened: I would have been redirected to some page saying that the video couldn’t load, and the hackers would have had my Facebook identity. That was in fact how my friend was pwned by one of his Facebook contacts a couple of days earlier. He’s a very intelligent man, but he had no idea that he had already been hacked a couple of days before. I called his mobile to let him know.
“So what?” you may ask.
For people who use Facebook, it is a treasure trove of information. It contains significant portions of our personal histories: family photos, daily habits, vacation preferences and timings, and political and religious views. It is generally a trusted source about us for those who interact with us. If you have a business FB account tied to your personal information, your brand and public information are at risk. Facebook credentials also allow “Single Sign On” (SSO) to so many other sites; once your FB account is compromised, your access to those other sites is pwned as well.
How To Avoid Attacks Like This
Attacks are getting more sophisticated. This one looked very good. Neither my virus checkers nor my firewall DNS complained once as I tested this attack out. The only “tip-off” was the wonky URL of the login page.
That said, there are a number of preventative steps you can take today:
- Don’t use the same password for all your sites. Each site should have its own password.
- By extension, the same goes for SSO. Don’t use SSO for sites that are not related to each other. One successful phishing attack can make your life miserable for a long time.
- Use an independent Password Safe. A safe like LastPass allows you to manage hundreds or thousands of different passwords for all your sites. If you visit a site that is not in your list (like the easy.co link in this hack), LastPass will not be able to fill in your identity for you. This should give you pause to wonder why before you give your life away.
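To show why the last bullet works, here is an added Python example (not code from this post or from any password manager) of the origin check a password safe performs before filling a login: only the host part of the URL decides, so a page on easy.co that merely mentions facebook.com in its path, subdomain or user-info gets no autofill. The saved-origin list and the URLs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample "vault": the exact origins (scheme + host) that hold
# saved logins. A real password manager keeps such a list and fills nothing
# on a page whose origin is not in it.
SAVED_ORIGINS = {"https://www.facebook.com", "https://facebook.com"}


def origin_of(url: str) -> Optional[str]:
    """Return 'scheme://host' for a URL, or None when it cannot be parsed.

    Only the host decides the origin: anything before '@' (user-info), the
    path and the query are ignored, so 'https://www.facebook.com@easy.co/x'
    has the origin https://easy.co, not facebook.com.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


def autofill_decision(url: str, saved=SAVED_ORIGINS) -> str:
    """Decide whether a manager should fill credentials on this page.

    Returns one of:
      'fill'     - origin exactly matches a saved login
      'no-match' - no saved login for this origin (the cue to stop and look)
      'insecure' - the login form is not served over https
      'invalid'  - the URL could not be parsed
    """
    origin = origin_of(url)
    if origin is None:
        return "invalid"
    if not origin.startswith("https://"):
        return "insecure"
    return "fill" if origin in saved else "no-match"


if __name__ == "__main__":
    # Constructed URLs in the shape of the lure described above.
    for u in ("https://www.facebook.com/login",
              "https://www.facebook.com.easy.co/verify",
              "https://www.facebook.com@easy.co/verify",
              "https://easy.co/www.facebook.com/login",
              "http://www.facebook.com/login"):
        print(f"{autofill_decision(u):9s} {u}")
```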
The internet is becoming increasingly rough these days with lockdowns and limited social engagement. Be safe out there.