Security researchers from PhishLabs have uncovered a new phishing trend that targets smartphone owners, mostly Facebook users. The scam conceals the URLs of fake websites by making them appear to come from a trusted source. As a result, victims are tricked into clicking malicious links and handing over their login credentials. “The tactic we’re seeing is a tactic for phishing specifically mobile devices,” Crane Hassold, a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID), told Bleeping Computer.

The criminals use a method known as URL padding. URL padding takes advantage of the fact that smartphones have a very small address bar that prevents users from viewing the whole address. Exploiting this weakness, the crooks pad the URL with sub-domains and hyphens to disguise its true domain and make it look legitimate on a mobile device, which makes it difficult for the user to identify a phishing site by its web address. When the user taps the malicious link, they do not see where it is actually going to take them.

How does it work?

To understand how URL padding works, it is important to know Facebook’s mobile address, which is “m.facebook.com”. In real-world attacks, however, the URL as seen by PhishLabs looks as below:

Not only that, but the attackers include a word like “validate” or “secure” after the first run of hyphens to boost the fake link’s appearance of legitimacy. “Although it starts with m.facebook.com (the genuine path for Facebook mobile) the actual domain in this case is rickytaylk.com,” Hassold said. Since the mobile browser displays only the first part of the URL, users see only the “m.facebook.com” section, followed by a seemingly unending stream of hyphens. Also, “http” has been replaced with “hxxp”.
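As an added example (not code from the article or from PhishLabs), the following Python script shows how a defender can recover the real registrable domain from a padded link and flag the pattern described above. The full sample URL, the padding length, the “validate” token, the trusted-brand list and the hyphen-run threshold are constructed assumptions; only m.facebook.com and rickytaylk.com come from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs modelled on the padded-URL pattern in the article.
# Only "m.facebook.com" and "rickytaylk.com" come from the write-up; the padding
# length, the "validate" token and the paths are illustrative placeholders.
SAMPLE_URLS = [
    "hxxp://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html",
    "https://m.facebook.com/login",
    "https://secure-login.example.net/",
]

# Brands whose domain appearing *inside* some other hostname is a red flag (assumed list).
TRUSTED_DOMAINS = ("facebook.com",)
MAX_HYPHEN_RUN = 4  # assumed threshold; legitimate hostnames rarely chain hyphens


def normalize(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// scheme back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, count=1)


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels. A production tool should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(url: str) -> dict:
    """Report where a link really goes and whether it shows URL-padding signs."""
    host = (urlsplit(normalize(url)).hostname or "").lower()
    real = registrable_domain(host)
    # A trusted brand's domain embedded in the hostname while the registrable
    # domain is something else is the core of the padding trick.
    brand_in_prefix = any(td in host and real != td for td in TRUSTED_DOMAINS)
    longest_run = max((len(r) for r in re.findall(r"-+", host)), default=0)
    return {
        "host": host,
        "registrable_domain": real,
        "brand_in_prefix": brand_in_prefix,
        "longest_hyphen_run": longest_run,
        "suspicious": brand_in_prefix or longest_run >= MAX_HYPHEN_RUN,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze(u)
        print(f"{r['registrable_domain']:<20} suspicious={r['suspicious']}  {u}")
```

The same check can be applied to links extracted from SMS or e-mail gateways before they reach a user, since the mobile address bar itself gives no help here.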
In most cases, attackers use the stolen credentials to spam the victim’s friends and to send their phishing pages on to other users, spreading the campaign to as many people as possible, PhishLabs experts say. Similar methods have been used in the past by the same campaign to spoof websites such as Apple iCloud, Comcast, Craigslist, and OfferUp. Because users cannot hover over links on mobile devices, they have no way to check a link’s legitimacy before tapping it. “Until you visit the site, you have no way of knowing whether it’s legitimate,” Hassold said. “And, as we’ve already seen, once you’re there the URL padding approach is highly effective at obscuring the site’s real domain.”

While it is unclear how victims are being directed to the websites, it is possibly a shortened URL sent via an SMS message or a notification, since a link can be hidden more effectively through those channels. Writing in a blog post, Hassold said: “In this case, although we haven’t yet managed to get our hands on any lures, it’s highly likely that this tactic is being distributed via SMS phishing, rather than email. As a result, the sensible parts of our brain, that have learned over the years that email contains a lot of spam, just aren’t turned on. As a result, we’re generally paying far less attention to any warning signs that might crop up.”

Here’s how you can stay safe:

Since Facebook does not send notifications to users through SMS, you should refrain from opening links sent in text messages from unknown senders. Also avoid clicking doubtful links that you receive via email. If you are logged out of your Facebook app and want to log in again, type the web address directly into your browser and check the domain carefully. Even a single misplaced letter in the site address could mean that you are visiting a scam website. Therefore, check the entire domain name and not just the http part.

Check out this blog post to learn more about the URL padding Facebook phishing attack.