Facebook 2FA Fish comes just 28 minutes after the scam domain was created

We will tell this story mainly through pictures, because a picture is worth 1024 words.

This cybercrime is a visual reminder of three things:

Easy to read in a phishing scam If you are in a hurry
Cybercriminals waste no time New scams are happening.
2FA is not a cyber security drug, So you still need your intellect about you.

It’s been 19 minutes.

Today is 3:19 pm UK time [2022-07-01T14:19:00.00Z]The perpetrators behind this scandal have registered a common and exceptional domain name of the form control-XXXXX.comWhere XXXXX The number had a random looking string, looking like a sequence number or server ID:

28 minutes later, 15:47 UK time, we received an email linked to a server facebook.control-XXXX.comTells us that there may be a problem with one of the Facebook pages we maintain:

As you can see, the link to the email highlighted in blue by our Oluk email client seems to be going straight and correct. facebook.com Domain.

But that email is not a plaintext email and that link is not a plaintext string that represents a URL directly.

Instead, it is an HTML email where there is an HTML link Text The link looks like a URL, but where The actual link (Known as a hrefToo small Hypertext reference) Goes to the rogue cheat page:

As a result, clicking on a link that looks like a Facebook URL leads us to the scammer’s fake site instead:

In addition to the incorrect URL, which implies that it starts with text facebook.contactSo if you are in a hurry it can be combined, there are no obvious spelling or grammatical errors.

Facebook’s experience and attention to detail means that the company probably wouldn’t have left the space before the word “If you think”And did not use unusual text Ex The word is short “Example”.

But we are willing to bet that some of you might not have noticed those errors, if we had not mentioned them here.

If you scrolled down (or there was more space for screenshots than we did), you might see another typo, content that Crooks added to try to make the page look helpful.

Or you may not – we’ve highlighted spelling mistakes to help you find it:

After that, the crooks asked for our passwords, which would not normally be part of this type of website workflow, but it is not entirely unreasonable to ask us to authenticate:

We have highlighted the error message “Secret number incorrect”What you type comes up, then the password page repeats, which accepts what you type.

This is a common tactic used nowadays, and we assume because a tedious old piece of cybersecurity advice is still pushing which says, “Deliberately enter the wrong password for the first time, which will expose scam sites immediately because they don’t know your real password and so they accept the fake.” Will be forced to do. ”

To be clear, this has never been good advice, at least when you’re in a hurry, because it’s easy to type a “wrong” password that is unnecessarily similar to your original password, such as replacing it. pa55word! With such a string pa55pass! Instead some unrelated things like 2dqRRpe9b.

Also, as this simple strategy makes clear, if your “caution” involves keeping an eye on the apparent failure after the apparent success, the villains have led you into a false notion of trivial security.

We further highlighted that the miscreants deliberately added a slightly annoying consent checkbox, only to give the experience a veil of official formality.

Now you have given your account name and password to crooks …

They immediately ask for the 2FA code displayed by your authentication app, which theoretically gives criminals within 30 seconds to minutes to use the one-time code in their own fraudulent Facebook login attempt:

Even if you don’t use an authentication app, but prefer to receive a 2FA code via text message, the rogue can send an SMS to your phone by starting to login with your password and then clicking the button to send you the code.

Finally, in another common tactic nowadays, criminals eventually soften the discount by redirecting you to a valid Facebook page.

This gives the impression that the process has ended without any problems to think about:

What do you do?

Don’t fall into this kind of scandal.

Do not use email links to access official “application” pages on social media sites. Learn where to go manually, and keep a local record (on paper or in your bookmarks) so you never have to use email web links, whether they’re real or not.
Check the email URL carefully. A link with text that looks like a URL in itself is not necessarily the URL that the link points you to. To find the link to the actual destination, hover over the link with your mouse (or touch and hold the link on your mobile phone).
Examine website domain names carefully. Each letter is important, and the business part of any server name is at the end (in European, the right side goes from left to right), not at the beginning. If I own the domain dodgy.example Then I can put any brand name of my choice in the beginning, e.g. visa.dodgy.example Or whitehouse.gov.dodgy.example. These are just subdomains of my fraudulent domain, and as incredible as any other part dodgy.example.
If the domain name is not clearly visible on your mobile phone, Consider waiting until you use a regular desktop browser, which usually has a lot more screen space to reveal the actual location of a URL.
Consider a password manager. Password managers associate usernames and login passwords with specific services and URLs. If you end up with a fraudulent site, no matter how credible it may seem, your password manager will not be deceived because it can recognize the site by its URL, not by its appearance.
Do not rush to enter your 2FA code. Use interruptions in your workflow (such as you need to unlock your phone to access the Code Generator app) to verify that URL a second time, to be sure, to be sure.