Facebook users are being warned about a surge in password takeover attacks targeting the platform’s 3 billion active monthly users. Security researchers say these attacks are becoming more sophisticated, using techniques that make phishing nearly impossible to spot.
The attacks rely on a method called browser-in-the-browser. This creates a fake login pop-up that looks identical to the legitimate Facebook authentication window but is actually designed to steal passwords. Attackers often send emails claiming to be from a legal firm, warning about copyright infringement or other urgent matters. The emails include links that lead users to the fake login pages.
According to Mark Joseph Marti, a senior researcher at the Trellix Advanced Research Center, the attacks exploit users’ trust in their browsers. “The technique works by creating an entirely custom-built, fake window within the victim’s legitimate browser window,” he said, “making it nearly indistinguishable from a genuine authentication pop-up.”
Tim Ward, CEO at Redflags, emphasized the danger of these scams. “Attackers deliberately target people at moments when they’re conditioned to act quickly rather than cautiously,” he said, noting that users often click links out of fear or urgency.
Experts advise users to pause and verify before taking any action. Always log in to Facebook through the official app or website instead of clicking links in emails or messages. From there, users can check whether any warning or action is genuine.
Facebook has directed users to its official help page for guidance on protecting their accounts. The key takeaway: stay alert, verify every message, and never rush to click unknown links.
Follow on Google News
