Security News > 2022 > July > Facebook 2FA phish arrives just 28 minutes after scam domain created
At 19 minutes after 3 o'clock UK time today, the criminals behind this scam registered a generic and unexceptionable domain name of the form control-XXXXX.com, where XXXXX was a random-looking string of digits, looking like a sequence number or a server ID. 28 minutes later, at 15:47 UK time, we received an email, linking to a server called facebook.
We've highlighted the error message "Password incorrect", which comes up whatever you type in, followed by a repeat of the password page, which then accepts whatever you type in.
This is a common trick used these days, and we assume it's because there's a tired old piece of cybersecurity advice still knocking around that says, "Deliberately put in the wrong password first time, which will instantly expose scam sites because they don't know your real password and therefore they'll be forced to accept the fake one."
Even if you don't use an authenticator app, but prefer to receive 2FA codes via text messages, the crooks can provoke an SMS to your phone simply by starting to log in with your password and then clicking the button to send you a code.
If the domain name isn't clearly visible on your mobile phone, consider waiting until you can use a regular desktop browser, which typically has a lot more screen space to reveal the true location of a URL.
Consider a password manager. Password managers associate usernames and login passwords with specific services and URLs.
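The URL binding described above is what stops a password manager from filling in a login on a lookalike server. The sketch below is an added example, not code from the original article or from any password manager. The vault entry, the sample URLs and the function names are constructed, and the suffix match is a simplified stand-in for the matching rules real products use.

```javascript
// Added example: a saved login is offered only on the domain it was saved for.
// The vault entry and every URL below are constructed for illustration.
const vault = [
  { service: "Facebook", domain: "facebook.com", username: "alice@example.com" },
];

// Return the hostname of an https URL, or null if the URL is unusable.
function hostOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return null;
  }
  if (u.protocol !== "https:") return null; // do not offer logins over plain http
  // Drop a trailing dot so "facebook.com." compares equal to "facebook.com".
  return u.hostname.replace(/\.$/, "");
}

// A host matches a saved domain only if it IS that domain or ends with
// "." + domain. Matching from the right is what defeats a brand name used
// as the left-most label of somebody else's domain.
function hostMatches(host, savedDomain) {
  return host === savedDomain || host.endsWith("." + savedDomain);
}

// Entries the manager would offer to autofill on this page.
function entriesFor(pageUrl) {
  const host = hostOf(pageUrl);
  if (host === null) return [];
  return vault.filter((e) => hostMatches(host, e.domain));
}

const samples = [
  "https://www.facebook.com/login",           // genuine site
  "https://facebook.control-XXXXX.com/login", // brand label on a control-XXXXX.com style domain
  "https://notfacebook.com/login",            // suffix without a dot boundary
  "https://facebook.com.example.net/login",   // real domain used as a prefix
];
for (const s of samples) {
  const offered = entriesFor(s).map((e) => e.service);
  console.log(s, "->", offered.length ? offered.join(", ") : "no autofill");
}
```

Only the first sample is offered the saved login; a manager that stays silent on a page that looks like Facebook is itself a signal to stop and check the address bar.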