How do you steal 1 million Facebook account credentials?

A large-scale phishing scam used Facebook Messenger to potentially impact millions of Facebook users.

by Aspire Technology Partners Cybersecurity Team

We see unusual emails in our inboxes daily. Many are easily identified by their poor grammar or incorrect spelling. Yet phishing attacks still succeed every day, granting access to supposedly secure accounts. In some instances these social engineering attacks trick a user into revealing sensitive information such as login credentials; in other cases they provide direct access to banking and other financial accounts.

“People often underestimate the value of their social media accounts, failing to enable MFA and otherwise protect their accounts from cybercriminals. Unfortunately, when bad actors take over an account, it is often used to attack their own friends and family,” said Erich Kron, security awareness advocate at KnowBe4. “Through the use of a real account that has been compromised, bad actors will use the trust inherent in a known connection to trick people into taking actions or risks they normally would not.”[i]

How It Happened

The recent attack on Facebook used a fake login page as a stand-in for the social network's landing page. Researchers found that a reference to the actual server hosting the database that collected the users' credentials had been modified from a legitimate URL, and that it led through a series of redirects. The page also linked to a traffic monitoring application, which allowed the anti-phishing company to view the campaign's tracking metrics. The researchers not only uncovered the attackers' traffic information but also found numerous other fake landing pages.

The group used a technique that leverages a completely legitimate app deployment service as the first link in a redirect chain, triggered when the user clicks the link. Once clicked, the link redirects the user to the actual phishing page. Facebook sees only the link generated by the legitimate service, which it cannot block without also blocking legitimate apps and links. The campaign cycled through different phishing pages to avoid detection by security technologies.

“Once one of [the URLs] was found and blocked, it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID,” the researchers write. “We would often observe several used in a day, per service…. The use of these services allows the threat actors’ links to remain undetected and unblocked by Facebook Messenger (and by domain reputation services) for long periods of time. This approach has yielded enormous success for the threat actor.”[ii]
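The detection point the researchers describe above is link churn: many fresh unique IDs on one legitimate service, each resolving off that service to a look-alike login page. The following added example (not code from the original post or the researchers) shows that check over a constructed redirect map and a constructed day of click observations; the hostnames are placeholders, not real services or campaign infrastructure.

```python
"""Flag rotating redirect links that abuse a legitimate hosting service.

All data below is constructed for the example; hostnames are placeholders.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed redirect map: short link on the legitimate service -> next hop.
REDIRECTS = {
    "https://apps.example-deploy.test/a1b2c3": "https://redir.example.test/x",
    "https://redir.example.test/x": "https://login-fb.example.test/login",
    "https://apps.example-deploy.test/d4e5f6": "https://login-fb2.example.test/",
    "https://apps.example-deploy.test/g7h8i9": "https://login-fb3.example.test/",
    # A genuine app on the same service stays on the service host.
    "https://apps.example-deploy.test/ok-app": "https://apps.example-deploy.test/ok-app/index",
}

# Constructed click observations: (day, url as it appeared in the message)
OBSERVED = [
    ("2022-06-01", "https://apps.example-deploy.test/a1b2c3"),
    ("2022-06-01", "https://apps.example-deploy.test/d4e5f6"),
    ("2022-06-01", "https://apps.example-deploy.test/g7h8i9"),
    ("2022-06-01", "https://apps.example-deploy.test/ok-app"),
]


def resolve_chain(url, redirects, max_hops=10):
    """Follow the redirect map offline; return every hop, starting URL included."""
    chain = [url]
    seen = {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in seen:  # loop guard: a redirect cycle would never terminate
            break
        seen.add(url)
        chain.append(url)
    return chain


def rotating_links(observed, redirects, threshold=3):
    """Count, per (day, service host), distinct links whose final hop leaves
    the service host. Return only the (day, host) pairs at or above threshold."""
    off_host = defaultdict(set)
    for day, url in observed:
        host = urlsplit(url).hostname
        final = resolve_chain(url, redirects)[-1]
        if urlsplit(final).hostname != host:
            off_host[(day, host)].add(url)
    return {key: len(links) for key, links in off_host.items() if len(links) >= threshold}
```

Real deployments would populate REDIRECTS from HTTP responses (Location headers) rather than a static map, but the churn logic is the same.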

Avoiding Phishing Attacks

Cybercriminals use a variety of methods to trick users into giving away the store, that is, their access credentials. It has become a very lucrative venture for bad actors, and they design some very ingenious tricks to get past existing filters and security techniques.

Here are suggested ways to prevent a successful attack:

  • Avoid clicking any link that appears suspicious. The link may arrive in an email, a direct message app or even a text message. These attacks use social engineering, preying on our curiosity and desire to see what is behind a link.
  • Security awareness training, best practices and an integrated security model can prevent many scams from stealing your credentials. In the end it is up to each of us to keep a watchful eye on unexpected and unanticipated links, regardless of how they arrive.
  • Read the entire message. Do you recognize the sender? Did you expect the message? Check for grammar errors or incorrect spelling within the message or the URL as your first line of defense.
  • Hover your mouse over a hidden link to reveal its true destination before you click. Is the destination URL what you expect? Is it a shortened link sending you to a site that may or may not be legitimate?
  • When in doubt, check with your support team to see if they can recommend a decoder for the shortened URL. (If not, you can search for one on your own.) That will show you the true destination of the URL.
  • Does the message include an attachment? Are you expecting one from this sender?

Another way to avoid having your account compromised is to add multi-factor authentication (MFA) to every account where it is an option. MFA comes in a variety of flavors: some use independent apps, while others send a code to your email address or by text message. Using your email may not be the best choice if your email account is itself compromised; text messaging or a dedicated security app may provide more peace of mind. When you receive an unexpected notification from your chosen MFA method, treat it as a warning sign and act immediately to protect your account.

Contact one of our Cybersecurity experts to see how we can help build a well-rounded cybersecurity posture.

[i] Facebook Phishing Scam Steals Millions of Credentials, Stu Sjouwerman, KnowBe4 Security Awareness Blog – June 13, 2022 (https://blog.knowbe4.com/facebook-phishing-scam-steals-millions-of-credentials)

[ii] Facebook Phishing Scam Steals Millions of Credentials, Stu Sjouwerman, KnowBe4 Security Awareness Blog – June 13, 2022 (https://blog.knowbe4.com/facebook-phishing-scam-steals-millions-of-credentials)

Additional Source:

Stone, B. (2022). A cybercriminal stole 1 million Facebook account credentials over 4 months. TechRepublic. Retrieved from https://www.techrepublic.com/article/a-cybercriminal-stole-1-million-facebook-account-credentials-over-4-months/
