Those who fail to pay attention are often the first to succumb to new hacks and scams — and if you regularly use Facebook, which is more likely than not, then you may need to start paying more attention.
This is especially true if you prefer mobile to desktop.
Scammers, having noted that mobile traffic is now greater than PC traffic on a worldwide scale, are starting to adapt their techniques to take advantage of mobile users. And seeing as how mobile devices tend to be less protected than PCs, this is a winning move for them.
Keep reading to learn more about how this new scamming technique works, what to look out for, and how you can stay secure going forward.
How the Facebook Login Scam Works
The scam uses a technique called URL padding. A typical URL is composed of three parts:
- A domain (required)
- A subdomain (optional)
- A path (optional)
As a mobile user, you’ve no doubt seen m.facebook.com in your browser’s address bar while using Facebook. This is the subdomain + domain combination that shows you’re on the mobile version of Facebook’s site. When you see it, you feel safe.
URL padding is when a scammer creates a subdomain on an entirely different domain to impersonate some site, and “pads” the subdomain with innocuous characters to make users think they’re on the actual site.
Here’s an example URL from PhishLabs:
Visiting the site presents you with an exact replica of the actual mobile version of Facebook’s homepage, asking you to enter your credentials so you can log in. A knowledgeable-but-inattentive user might glance at the URL, see m.facebook.com, consider the coast clear, and sign in.
Once you enter your credentials, the game is over. The site will present an inconspicuous error (e.g. password mismatch) but the damage will already be done: they’ve stored your username and password, and can now access your real Facebook account or use those credentials to try to break into your other accounts: Gmail, Amazon, PayPal, banks, etc.
Keen readers will note that the actual domain of this suspicious URL is rickytaylk.com and it has three nested subdomains under it:
You’d probably see it as an obviously scammy URL if you were to encounter it on a PC, but here’s what a mobile user would see:
Padded URLs can be sent through all kinds of communication methods: email, text messages, messenger apps, and more.
The sad thing is, fake URLs are nothing new. Earlier this year, an exploit was discovered in Chrome (and other Chromium-based browsers) where URLs could be modified to appear as other URLs. Fortunately, the bug was patched before scammers could go to town with it but shows that trusting a URL is nothing but foolish.
How to Secure Your Facebook Account
The only way to guard against a padded URL is to learn how to spot phishing messages, and more importantly, only visit sensitive websites by typing domains directly into your browser’s URL bar.
It’s a minor inconvenience, but worthwhile. I do it all the time, especially when checking bank accounts and using e-commerce sites. Over time it’ll be second nature and your rate of being scammed will plummet.
What if you’ve already fallen for it? Or what if someone, by some other means, gets their hands on your Facebook login credentials? Here are a few extra things you can do to stay secure.
Use Unique Passwords
One of the worst password mistakes is using the same password for all of your accounts.
You know how most services require an email to sign up? Well, if you’re like most people, you use the same email address for all services. In that case, if someone figures out your password for one account, then they now inadvertently have access to all of your accounts.
By using a separate password for every account and never repeating them, you can limit the damage considerably. Don’t think you can keep all of those passwords straight in your head? Start using a password manager and you’ll never have to worry about passwords again.
Use Login Approvals and Codes
Perhaps the best thing you can do for your Facebook security is to enable two-step verification. With two-step verification enabled, you can add extra layers of protection with Login Approvals and Code Generator.
With Login Approvals, Facebook sends an SMS text message to your phone whenever someone tries logging in to it. The text message contains a numeric code that must be entered to grant access. Even if someone has your password, they won’t be able to log in if they don’t have your phone as well.
Code Generator is a similar feature that exists in the Facebook mobile app. The app itself generates a code that must be entered to log into Facebook from another device. It’s a good alternative when you don’t have an internet connection or SMS texting.
Use U2F Security Keys
A U2F security key is a physical device that resembles a USB flash drive. Instead of tying two-step verification to your phone (as with Login Approvals and Code Generator), you confirm logins by plugging the U2F key into the device you’re logging in with.
Facebook isn’t the only site that supports U2F — others include Gmail, YouTube, WordPress, GitHub, and the list is growing — but you’ll need to use Chrome or Opera for it to work.
Thetis U2F Security Key is an affordable one that you can grab off Amazon (you only need one key per person), but there are more expensive ones with more features. For example, the YubiKey NEO supports NFC so you can just tap it (good for smartphones and tablets).
Note: Be careful when using Login Approvals, Code Generator, and U2F security keys. If you ever lose your second-step authenticator (i.e. your phone or U2F key), account recovery can be a nightmare.
More Tips for Avoiding Scams on the Web
Malware is a big risk too, so stay on top of preventing and removing Facebook malware and viruses.
Have you encountered URL padding on Facebook? How do you keep your Facebook account secure? Share with us in a comment below!
Image Credit: Brian A Jackson via Shutterstock.com