16 comments

[ 2.1 ms ] story [ 38.5 ms ] thread
The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the from address match what you're expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts. This is why I never open links directly from an email.
You could explain this over and over to my 65 year old parents, they still would fall for it. They're far from dumb, it's just that it's a lot of information of to handle.
One solution is to set up a free lastpass account, change all the passwords to something random and only use autofill. They have to go out of their way to enter the password into another domain

Sucks if they want to log in using a new or borrowed device

I've got my mom using an iPad which also reduces the attack surface, not to mention it's pretty hard for her to screw up the device on her own. I haven't had to help with anything computer related in about 4 years.
The public, “ain’t nobody got time for dat!”

They will always continue to fall victim to these scams.

The best defense is to manually enter the url of the domain you need to log on to and log on from there. Never follow links, that what will get you in trouble.
The passwords are broken. Anyone can fall for it regardless of how experienced he/she is. It's just a matter of time/opportunity. We need u2f
lol @ the guy's name "Cashdollar"
> However, like the Google page, this Facebook landing page also uses an older version of the mobile login form. This suggests that the kit is old, and likely part of a widely circulated collection of kits commonly sold or traded on various underground forums.

This is actually the current design of the https://mbasic.facebook.com login page, the version of the Facebook mobile site for lower-bandwidth connections and less-capable devices.

I wonder what motivated the article's author to redact the scammer's email address.
> I wonder what motivated the article's author to redact the scammer's email address.

This is good practice to prevent the possibility of revictimization in case the actual motive of the phishing attack was not phishing but to cause reputational damage to the owner of said email.

Consider: if someone wanted to target you and cause you potential legal and employment difficulties, they could launch a phishing attack using amateur code such as this, and have your work email appear as the "scammer's email", and then sit back and wait for the attack to be discovered and reported.

And even if not a reputation attack, the scammer could also simply be using a compromised email account, so once again redaction helps preempt the possibility of revictimization.

Just a guess: the author could not be sure that the email address legitimately belongs to the scammer. It could be a hacked account.
> One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page - they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.

Is this based on any evidence or just an assumption? It seems to me that the 'actual Facebook account' could just as readily be either a random or intentional framing of someone else by the one(s) doing the phishing attack or the page designer, in which case it would appear that it worked perfectly in that it apparently convinced Akamai.