Mobile-focused phishing attacks attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers, a technique known as “URL padding”.
URL padding puts dozens of hyphens in the Web address of a malicious webpage with the address of a legitimate website, this
The phishing attacks target primarily Facebook and use legitimate domain names that have been compromised. The attack is focusing specifically on mobile users, as they use the same URL for the mobile versions of the sites they target
Part of the reason for the effectiveness of the attack is that if the site is delivered via an SMS link, it’s not possible to check the legitimacy of the site before tapping it. And once the victim reaches the spoofed site, the URL padding obscures the true address of the site long enough for many (if not most) mobile device users to fall for the login request.
For further details check the article on ARS Technica