New Clever Phishing Scam Targeting Mobile Users

Most users who frequently use Facebook on their smartphones are prone to falling for a new
phishing scam. Users (especially Facebook users) are advised to be more careful.

This new phishing technique relies on the fact that mobile browsers have very small URL address bars, which prevent the user from seeing the whole URL. Taking advantage of this, attackers pad URLs with subdomains and hyphens so that they look real on mobile devices, while in reality they redirect the user to the attacker’s (scam) site.

An attacker can use a URL like the following:
http://m.facebook.com—————-validate—-step1.rickytaylk[dot]com/sign_in.html

The actual domain of this URL is “rickytaylk.com”, not “m.facebook.com”. Because the mobile browser displays only the first part of the URL, users see only the “m.facebook.com” part, followed by an endless stream of hyphens.
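
A defender can apply the same reasoning in code. The following is an added example, not part of the original article: it extracts the real domain from a padded URL and flags brand text and hyphen padding in the hostname. The protected-brand list, the hyphen threshold, the address-bar width and the hyphen counts in the sample URL are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains of the brands being protected.
PROTECTED = {"facebook.com"}
# Assumption: three or more consecutive hyphens counts as padding.
HYPHEN_RUN = re.compile(r"-{3,}")

# Constructed sample patterned on the article's URL
# (hyphen counts assumed, domain kept defanged).
SAMPLE = ("http://m.facebook.com" + "-" * 16 + "validate" + "-" * 4
          + "step1.rickytaylk[dot]com/sign_in.html")


def host_of(url):
    """Refang '[dot]' and return the lowercased hostname."""
    return (urlsplit(url.replace("[dot]", ".")).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host. Simplification: multi-part suffixes
    such as co.uk need the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def visible_prefix(host, width=16):
    """What a narrow address bar shows; width is an assumed value."""
    return host[:width]


def check_url(url):
    """Return (real_domain, findings) for a possibly defanged URL."""
    host = host_of(url)
    real = registrable_domain(host)
    findings = []
    for brand in sorted(PROTECTED):
        # Brand text is in the hostname, but the real domain is another one.
        if brand in host and real != brand:
            findings.append(f"'{brand}' in host, real domain is '{real}'")
    if HYPHEN_RUN.search(host):
        findings.append("hyphen padding in hostname")
    return real, findings


if __name__ == "__main__":
    real, findings = check_url(SAMPLE)
    print("address bar shows:", visible_prefix(host_of(SAMPLE)))
    print("real domain:", real)
    for finding in findings:
        print("flag:", finding)
```
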

The redirection is only possible if the user is logged out of the Facebook app. It is always advisable to check the URL before clicking it, so as not to fall for phishing.
