Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

  • Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
  • With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA system typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

  • Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:

more details: How social media scammers buy time to steal your 2FA codes