A New Facebook Phishing Technique Named “URL Padding” Is Here To Steal Your Password

By exploiting users' inattentiveness, a new kind of phishing attack is spreading its web to target Facebook users. Let me explain this attack in detail.

What happens immediately after your password is stolen… 😭😨😧😱

What is URL Padding phishing?

Hackers have found a new way to fool users by creating fake but believable URLs. Focusing on mobile devices, which have narrow URL bars, they place a real domain inside a larger URL and pad that larger URL with hyphens to hide the real destination in the address bar.

The tactic targets mobile users and fools them by making deceptive links look authentic. As a result, casual users end up visiting the web page and leaking their login credentials.

Facebook is not the only target: the same attack is used against other websites, such as financial institutions or any site that holds a lot of your details.

Let me show you how it's being done (Courtesy: PhishLabs). For example, take a look at the following URL:

hxxp://m.facebook.com----------------validate----step9.rickytaylk[dot]com/sign_in.html

You'll note that while this URL starts with m.facebook.com, which is the legitimate address of your favorite website, the actual domain is rickytaylk[dot]com. Everything before it, including the m.facebook.com text and the run of hyphens, is just part of a long subdomain under that domain. Taking this dirty game a step further, the hackers are also using words like login, secure, account, validate, etc. just after the series of hyphens.

Now, if we put this whole URL in a mobile browser's address bar and add a Facebook logo as rickytaylk[dot]com's favicon, it'll look pretty convincing. All that remains is a fake Facebook login page to capture the username and password.

The hackers are also using similar genuine-looking URLs and login pages for iCloud, Gmail, and bank sites, which reminds me of the Fappening leaks, Comcast, Craigslist, etc.

How to save yourself from URL Padding Facebook phishing attack?

As pointed out by the researchers, Facebook accounts are becoming the biggest targets. Also, as compared to desktop, users treat mobile phones differently.

PhishLabs has mentioned the possibility of this attack propagating via SMS phishing or social messengers, as people assume that SMS and social media posts are a legitimate source of communication.

The researchers have urged users to stop for a moment before clicking a link or following instructions. Facebook or any other service won't send you login links via SMS or other sources. Also, don't click on links sent to you by unknown people.
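The same check can be done mechanically, for example in a mail or SMS link filter. The sketch below is an added example, not code from PhishLabs or from this post: it takes the hostname, works out the domain actually being visited, and flags hyphen padding and a brand name sitting in the subdomain. The brand list, the three-hyphen threshold and the "last two labels" rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: short illustrative brand list; a real filter would maintain its own.
BRANDS = ("facebook.com", "gmail.com", "icloud.com")
PAD_RUN = re.compile(r"-{3,}")  # assumed threshold: 3+ consecutive hyphens

def refang(url):
    """Undo defanging (hxxp, [dot], (dot)) so the URL parses normally."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return re.sub(r"[\[(]dot[\])]", ".", url, flags=re.I)

def registrable_domain(host):
    """Naive approximation: the last two labels of the hostname.
    Production code should consult the Public Suffix List instead."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_url(url):
    """Return the domain actually being visited plus any padding findings."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    real = registrable_domain(host)
    findings = []
    if PAD_RUN.search(host):
        findings.append("hyphen-padding")
    for brand in BRANDS:
        # Brand must start at a label boundary and be followed by '.', '-' or end.
        spoof = re.search(r"(?:^|\.)" + re.escape(brand) + r"(?:[.-]|$)", host)
        if spoof and real != brand:
            findings.append("brand-in-subdomain:" + brand)
    return {"host": host, "registrable_domain": real, "findings": findings}

# Sample input: the page's defanged example URL, typed with ASCII hyphens,
# and a constructed legitimate URL for comparison.
PADDED = ("hxxp://m.facebook.com----------------validate----step9"
          ".rickytaylk[dot]com/sign_in.html")
LEGIT = "https://m.facebook.com/login"

if __name__ == "__main__":
    for u in (PADDED, LEGIT):
        print(check_url(u))
```
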

Four of my friends have fallen victim to this hacking method in the last few weeks; while I was able to recover two of the Facebook accounts, two were lost to the hackers. You are the best protector of your accounts and details, so be very observant and attentive to the details of what you want to do while online and at home…


Thanks, have a great weekend…