The latest phishing trend narrows its target to Facebook users, through a process called URL padding.
Security experts note that the technique specifically targets people who use the social network on mobile phones.
This particular phishing practice involves making deceptive links look like legitimate ones. Users then click the link and enter their login details on the page.
The URLs created for this purpose look normal at first glance. Hackers use real, working domains and build a much longer URL on top of them.
The URL is artificially padded with hyphens in order to hide the destination of the link in the address bar.
Attack on Mobile Devices
Hackers are increasingly aiming their campaigns at mobile phones. This is not surprising, as most users are always glued to their smartphones, looking at social networking sites, checking their texts and emails, and surfing the web.
Mobile phones have a very small URL address bar. Hence, users are not able to see the entire URL when a link appears on it.
Phishing hackers are now taking advantage of this loophole.
Cyber security experts have discovered that more and more hackers are now padding URLs to include hyphens and subdomains.
This makes the link appear authentic when seen on a mobile device URL bar, since users can only see the initial portion of it.
If the user is inattentive or unaware of this deceptive URL, it’s very likely that they will open the page, take it for Facebook, and input their login details by mistake.
When they see “m.facebook.com” at the start of the URL, they may believe they’re on their favorite social networking site, even though the actual name of the site is “abcdef.com.”
In addition, such phishing hackers are making use of words such as “login” or “account” or “validate” after the hyphens, to make the link look more authentic.
All they need next is a fake page that is similar in design to the Facebook login interface.
The unsuspecting user will then enter his username and password without thinking twice.
According to security experts, such phishing campaigns use the credentials thus entered to spam the person’s friends. They also send the pages to other users in this way, so as to spread the virus.
Recently, such phishing attacks have mostly targeted Facebook users.
However, security experts claim that similar tactics have also been deployed on platforms like Apple iCloud, Craigslist and others.
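The hostname layout described above can be checked mechanically. The following is an added example, not part of the original article: it compares what a narrow address bar would show with the domain that actually owns the hostname. The sample URLs, the 25-character bar width, the three-hyphen threshold and the last-two-labels domain guess are assumptions.

```python
import re
from urllib.parse import urlsplit

BRAND_DOMAINS = ("facebook.com",)               # assumed list of brands to protect
BAIT_WORDS = ("login", "account", "validate")   # words the article mentions
HYPHEN_RUN = re.compile(r"-{3,}")               # assumed threshold for "padding"

# Constructed sample URLs, built from the names used in the article.
PADDED = "http://m.facebook.com----------login--validate.abcdef.com/sign_in"
LEGIT = "https://m.facebook.com/login"


def registrable_domain(host: str) -> str:
    """Naive last-two-labels guess; real tooling should use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def analyze(url: str, visible_chars: int = 25) -> dict:
    """Compare the start of the hostname (what a small bar shows) with its owner."""
    host = (urlsplit(url).hostname or "").lower()
    real = registrable_domain(host)
    reasons = []
    for brand in BRAND_DOMAINS:
        # The brand appears in the hostname, but another domain owns that hostname.
        if brand in host and real != brand:
            reasons.append(f"'{brand}' embedded in a host owned by '{real}'")
    if HYPHEN_RUN.search(host):
        reasons.append("run of hyphens in hostname")
    # Bait words only count in the part to the left of the real domain.
    prefix = host[: -len(real)] if real else host
    return {
        "host": host,
        "real_domain": real,
        "visible": host[:visible_chars],
        "bait_words": [w for w in BAIT_WORDS if w in prefix],
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for sample in (PADDED, LEGIT):
        r = analyze(sample)
        print(f"bar shows: {r['visible']!r}  real domain: {r['real_domain']}")
        print(f"  suspicious={r['suspicious']} reasons={r['reasons']}")
```

Bait words are reported as supporting evidence only; the verdict rests on the brand mismatch and the hyphen run, so a legitimate host such as a site's own login subdomain is not flagged.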
Vulnerable to Phishing
The mobile phone ecosystem is very vulnerable to such phishing attacks. This is because the user is not able to hover over the link, so they cannot ascertain the legitimacy of the URL until the site is visited.
URL padding obscures the site’s actual domain in such a convincing way that users are left unable to detect if they’ve entered a trusted site.
Hackers Target SMS Too
It is also common for hackers to send phishing links to victims through SMS, using hyphens and URL padding.
There are some browsers on mobile phones that enable tapping and holding over the link in order to view the entire URL address.
However, many SMS apps do not allow this feature, so phishing campaigns become easy for hackers to orchestrate.
Another new phishing technique targets PayPal users. Hackers ask users to upload a selfie holding their ID card, in order to steal their credentials and information.
Upping the Ante
We are spending more time on our mobile phones. It is essential that we focus more on our security as well, in order to protect ourselves from phishing attacks.
Otherwise, users will end up unknowingly revealing their credentials and identification information. Data theft is increasing and so are ransomware threats.
Phishing attacks using techniques like URL padding are increasing, and mobile phone users should see to it that they’re not negligent in their behavior online and on social networks.
Facebook accounts are the most vulnerable to such phishing attacks. Security experts are advising users to pause before they click on any link and follow the instructions carefully.
Facebook or other such services will never send links through an SMS.
Do not click on such links, and do not click on any links sent to you by an unknown person.