Facebook, new credential thefts from smartphones: how to defend yourself

Hackers, exploiting fake URLs, are stealing many credentials from Facebook mobile users, here's how to defend yourself and how to recognize the trap

A new hacker attack is circulating on Facebook, and it mainly affects those who log in via smartphone browsers. It is not malware in the strict sense but a technique that disguises the login URL of the social network in order to steal users' credentials.

A URL is usually made up of three parts: the domain (mandatory), which identifies the name of the site; a subdomain, which is optional; and a path (also optional) that roughly indicates where we are on the site. The official URL of the mobile version of Facebook is m.facebook.com, where the m identifies the mobile version and facebook.com is the domain. Cyber criminals are exploiting the inattention of many users and linking to untrusted login pages, such as http://m.facebook.com-validate-step1.rickytaylk.com/sign_in.html. Here a seemingly harmless subdomain has been inserted in front of the real domain, and the hacker needs it to spy on our credentials.

How the scam works

Once we enter our credentials on this fake login page, the site tells us that there has been an authentication error. By that moment the hacker has already stolen our password. The hyphens between facebook.com and "validate" are inserted in a sneaky way: on a PC we see the entire URL, but in the mobile version we only see m.facebook.com plus a few dashes. If we do not pay special attention, then, recognizing this fake URL is very difficult. Cybersecurity researchers have tracked fake URLs like this one in email conversations, text messages, messaging apps and within social media itself.
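The two points above (the real domain is the last part of the hostname, and a narrow mobile address bar hides that part) can be checked mechanically. The following is an added example, not code from the article: it takes the link quoted in the article plus three constructed links, extracts the registrable domain with a simplified two-label rule (a real check should use the Public Suffix List), and simulates a 15-character address bar, which is an assumed width.

```python
from urllib.parse import urlsplit

# Constructed sample links: the first is the one quoted in the article,
# the second is the legitimate mobile login, the last two are made up
# to show other shapes of the same trick.
SAMPLE_LINKS = [
    "http://m.facebook.com-validate-step1.rickytaylk.com/sign_in.html",
    "https://m.facebook.com/login/",
    "https://facebook.com.example-login.test/",
    "https://m-facebook.com/",
]


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.
    Simplified rule: it ignores multi-part public suffixes such as
    co.uk; a production check should consult the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_facebook_link(url: str, trusted=("facebook.com",)) -> bool:
    """True only if the link's registrable domain is facebook.com."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) in trusted


def mobile_address_bar(url: str, width: int = 15) -> str:
    """Approximate what a narrow mobile address bar shows: the hostname
    cut at `width` characters (assumed width), with the rest hidden."""
    host = urlsplit(url).hostname or ""
    return host if len(host) <= width else host[:width] + "..."


def triage(url: str) -> dict:
    """Summarise what the user sees versus where the link really goes."""
    host = urlsplit(url).hostname or ""
    return {
        "visible": mobile_address_bar(url),
        "real_domain": registrable_domain(host),
        "trusted": is_trusted_facebook_link(url),
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        t = triage(link)
        print(f"{t['visible']:<20} real domain: {t['real_domain']:<20} "
              f"trusted: {t['trusted']}")
```

For the article's link the visible part is just "m.facebook.com-..." while the real domain is rickytaylk.com; typing the address yourself, as the article advises, sidesteps the whole problem.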

How to defend yourself

There are a few techniques you can use to recognize these phishing attacks. First of all, the advice is to reach social networks and our private profiles by manually typing the address of the platform, so that we cannot fall into the trap. Moreover, as always, we should avoid clicking on unreliable links that reach us on WhatsApp or via email. We should also avoid using the same password on all our accounts; otherwise the hacker, after stealing our Facebook credentials, could also gain access to our bank account or to the data of an e-commerce site. To remember many different passwords, just use a password manager. The best advice, however, is to activate two-step verification, so that the cybercriminal cannot access the profile with our password alone.