Facebook’s parent company, Meta, has found more than 400 credential stealing applications spoofing its login API within the last year.
The Facebook login API is essentially a tool that app makers and developers can use to extract data (with your consent) from you Facebook account. The most common use of this is for single sign on. This is where when you are signing up for a service and you are offered the ‘Continue with Facebook’ option.
Malicious apps have been fraudulently spoofing this page in an attempt to steal your Facebook login details. This means that when you are pressing this button, you are being directed to a page that looks identical to the Facebook one but is actually connected to the attackers servers. Any entered details were then sent through to the to the attacker.
These applications require you to create an account before you are able to use them.
Meta will notify around 1 million users that they believe could have been compromised through one of these attacks.
You may be thinking, what can I do to protect myself from attacks like this?
The first step to protecting yourself is to be cautious about where you download your apps from.
When downloading new apps there are some key questions you should be asking yourself.
- Has it come from a reputable developer (such as Google, Microsoft etc)?
- Has the app got many downloads?
- Has the app got good reviews?
- If it has none of these, can you find an alternative app from a trusted developer with the same function?
The next step is upon opening the app determining if it should be asking you to create an account.
For some services it would make sense to require an account for as you need a personal account, such as a social
However, applications that perform a generic function (such as games or a flashlight) would not need you to be identifiable.
If you are required to create an account, it is important to always create an account with a strong unique password, and enable multifactor authentication.
If you have further questions or would like to speak to one of our experts about security for your business please contact us here.