The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the from address match what you're expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts. This is why I never open links directly from an email.
You could explain this over and over to my 65 year old parents, they still would fall for it. They're far from dumb, it's just that it's a lot of information of to handle.
One solution is to set up a free lastpass account, change all the passwords to something random and only use autofill. They have to go out of their way to enter the password into another domain
Sucks if they want to log in using a new or borrowed device
I've got my mom using an iPad which also reduces the attack surface, not to mention it's pretty hard for her to screw up the device on her own. I haven't had to help with anything computer related in about 4 years.
The best defense is to manually enter the url of the domain you need to log on to and log on from there. Never follow links, that what will get you in trouble.
> However, like the Google page, this Facebook landing page also uses an older version of the mobile login form. This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums.
This is actually the current design of the https://mbasic.facebook.com login page, the version of the Facebook mobile site for lower-bandwidth connections and less-capable devices.
> I wonder what motivated the article's author to redact the scammer's email address.
This is good practice to prevent the possibility of revictimization in case the actual motive of the phishing attack was not phishing but to cause reputational damage to the owner of said email.
Consider: if someone wanted to target you and cause you potential legal and employment difficulties, they could launch a phishing attack using amateur code such as this, and have your work email appear as the "scammer's email", and then sit back and wait for the attack to be discovered and reported.
And even if not a reputation attack, the scammer could also simply be using a compromised email account, so once again redaction helps preempt the possibility of revictimization.
> One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page - they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.
Is this based on any evidence or just an assumption? It seems to me that the 'actual Facebook account' could just as readily be either a random or intentional framing of someone else by the one(s) doing the phishing attack or the page designer, in which case it would appear that it worked perfectly in that it apparently convinced Akamai.
16 comments
[ 2.1 ms ] story [ 38.5 ms ] threadSucks if they want to log in using a new or borrowed device
They will always continue to fall victim to these scams.
U2F is not immune to phishing attacks, at least not if backup codes are being used: https://youtu.be/rPTI9e-9tBE?t=936
This is actually the current design of the https://mbasic.facebook.com login page, the version of the Facebook mobile site for lower-bandwidth connections and less-capable devices.
This is good practice to prevent the possibility of revictimization in case the actual motive of the phishing attack was not phishing but to cause reputational damage to the owner of said email.
Consider: if someone wanted to target you and cause you potential legal and employment difficulties, they could launch a phishing attack using amateur code such as this, and have your work email appear as the "scammer's email", and then sit back and wait for the attack to be discovered and reported.
And even if not a reputation attack, the scammer could also simply be using a compromised email account, so once again redaction helps preempt the possibility of revictimization.
Is this based on any evidence or just an assumption? It seems to me that the 'actual Facebook account' could just as readily be either a random or intentional framing of someone else by the one(s) doing the phishing attack or the page designer, in which case it would appear that it worked perfectly in that it apparently convinced Akamai.