Facebook announced that it is extending the capabilities of its Certificate Transparency Monitoring tool to make it easier for developers to catch phishing scams using their domains.
Phishing scams are an annoying part of life on the Internet, and they are getting more and more sophisticated, leading to more people falling for them every day. As they are shut down, scammers are constantly finding new ways to deceive. Here are a few examples, using the Facebook.com domain.
- Scammers could use different characters to “construct a malicious domain that looks similar to a legitimate domain.” This is what’s called a “homograph attack.” For example,
- faceb00k[.]com: the letter “o”s in “facebook” are replaced by the number “zero”
- facebook[.]com: the letter “о” is actually the Cyrillic small letter “o” (0x43E), not the Latin “o” (0x6F)
- They could “combine recognisable brand names with other keywords to create fake domains.” This is what’s called “combo squatting.” For example,
- They could “take advantage of small screens on mobile devices which cannot display the full domain.” For example,
- They could use common misspellings or typos, aka “typo-squatting”
To make the domains look more legitimate, scammers will even obtain valid security certificates to trick browsers into showing the “secure” padlock indicator. It is therefore no longer enough to check whether a site uses HTTPS before entering personal details such as an address or credit card numbers.
In a post this week, Facebook engineers David Huang, Bartosz Niemczura and Amy Xu announced that the company is extending the capabilities of its Certificate Transparency Monitoring tool so that website owners can be notified when domains are “maliciously created to implement phishing attacks” at their expense.
The tool will monitor when certificates are issued for a domain and notify owners of the rightful domain of a potential scam, so that they can take action fast and protect their users.
As the engineers explain, “every time a new certificate appears in any public Certificate Transparency Log, our tool analyzes the domains specified by the certificate for phishing attempts by taking into consideration the most common spoofing techniques.” The tool can notify subscribers by “email, push, or on-site notifications, depending on their preference.” All you have to do to enable your free phishing domain monitoring service is visit: developers.facebook.com/tools/ct/subscriptions
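As an added illustration (not Facebook's code and not part of the original article), the following Python shows how a monitor could check the domain names in a newly logged certificate against three of the spoofing techniques listed above: homographs, typo-squatting and combo-squatting. The lookalike table, the function names and the sample SAN list are assumptions constructed for this example.

```python
import unicodedata

# Constructed lookalike table (assumption: real monitors use full Unicode confusables data).
CONFUSABLES = {"0": "o", "1": "l", "\u043e": "o", "\u0430": "a", "\u0435": "e"}

def decode_label(label):  # punycode (xn--) label -> Unicode, others unchanged
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: analyse the raw label

def skeleton(label):  # fold a label to the Latin string a reader would perceive
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand="facebook", legit=("facebook.com",)):
    """Name the spoofing technique a certificate domain matches, or None."""
    domain = domain.lower().rstrip(".").lstrip("*.")  # drop wildcard prefix
    if domain in legit or domain.endswith(tuple("." + d for d in legit)):
        return None
    for raw in map(decode_label, domain.split(".")[:-1]):  # skip the TLD
        folded = skeleton(raw)
        if folded == brand and raw != brand:
            return "homograph"
        if edit_distance(folded, brand) == 1:
            return "typo-squatting"
        if brand in folded and folded != brand:
            return "combo-squatting"
    return None

def scan_certificate(san_names):
    """Map each suspicious name in a certificate's SAN list to its technique."""
    return {name: hit for name in san_names if (hit := classify(name))}

# Constructed SAN list standing in for one Certificate Transparency log entry.
CYRILLIC = "xn--" + "faceb\u043e\u043ek".encode("punycode").decode("ascii") + ".com"
SAMPLE_SANS = ["www.facebook.com", "faceb00k.com", "facebok.com",
               "facebook-login.example", CYRILLIC]
```

Calling `scan_certificate(SAMPLE_SANS)` returns only the four lookalike names, each mapped to the technique it matched; the legitimate `www.facebook.com` entry is skipped.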
Finally, Facebook is also extending its Webhook API to allow developers to integrate the phishing detection feature into their own systems. Simply follow the steps described in the documentation to set it up.