
Cybercriminals masquerading as Facebook technical support workers have been spotted trying to hijack accounts belonging to high-profile users, it has been revealed today.
In a blog announcement shared on April 25, Group-IB claimed it detected the orchestrated phishing campaign in February and March, discovering more than 3,200 fake Facebook profiles, of which 1,200 contained scam posts purportedly written by Meta’s technical support team.
The posts were intended as decoys to deploy a classic social engineering technique – persuading the victim to take urgent action to prevent their account from being ‘closed’ by clicking on a malicious link.
“This scam campaign sees the threat actors use social engineering tactics to trick users into thinking that their account is marked for suspension due to a copyright violation, and that they need to verify their profile to prevent it from being blocked,” said Group-IB.
Screenshots of the bogus posts shared by the analyst also carried a classic telltale giveaway of a scam, namely poor grammar, with one message declaring “Your Account will be Disable [sic].”
A tale of two evils
“After clicking on the Continue button, the victim is redirected to one of two types of phishing pages,” said Group-IB.
The first is the lesser of two evils, what the analyst describes as “a traditional phishing page, that prompts the user to enter their account login credential and password under the guise that they are verifying their account to prevent it from being blocked.”
But the second has far worse potential consequences if the victim falls for the deception: rather than a password that may still sit behind a second authentication factor, it hands the scammers a live, already authenticated session, with account takeover the likely end result.
“The second type of phishing site instructs the user to share their user and cookie data with the scammers in order to appeal against the fake copyright violation and retrieve their account,” said Group-IB.
“The page also features a video that instructs the user how to access their cookie data and enter it on the page. By doing this, the victim opens themselves up to a session hijacking attack.”
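To make concrete why handing over cookie data is worse than handing over a password, the following Python sketch is an added example (it is not code from Group-IB or from the article, and the account, credentials and IP addresses in it are constructed). It models a minimal server-side session table: a victim logs in with a password and a second factor, receives an opaque session cookie, and the attacker then replays that cookie from a different machine. With a plain session table the replay succeeds without the attacker ever seeing the password or the one-time code; with the session bound to the client fingerprint captured at login, the replay is refused and the session revoked.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo account (not real credentials): password stored as a salted
# PBKDF2 hash, plus a fixed six-digit code standing in for a TOTP/push second
# factor. A real implementation would verify the code against a time window.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
        "otp": "493021",
    }
}


def _client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of client attributes the server sees on every request."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str  # client fingerprint captured at login


class SessionStore:
    """Server-side session table keyed by the opaque cookie value."""

    def __init__(self, bind_to_client: bool) -> None:
        self.bind_to_client = bind_to_client
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def login(self, user: str, password: str, otp: str, ip: str, ua: str) -> Optional[str]:
        """Full authentication: password AND second factor. Returns the cookie."""
        record = _USERS.get(user)
        if record is None:
            return None
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
        if not hmac.compare_digest(pw_hash, record["pw_hash"]):
            return None
        if not hmac.compare_digest(otp, record["otp"]):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, _client_fingerprint(ip, ua))
        return cookie

    def authenticate_request(self, cookie: str, ip: str, ua: str) -> Optional[str]:
        """Every later request: the cookie alone proves identity. Neither the
        password nor the second factor is asked for again."""
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if self.bind_to_client and session.fingerprint != _client_fingerprint(ip, ua):
            # Cookie presented by a client that does not match the one that logged
            # in: treat as a possible hijack, revoke the session and raise an alert.
            del self._sessions[cookie]
            self.alerts.append(f"session for {session.user} revoked: cookie replayed from {ip}")
            return None
        return session.user


def replay_stolen_cookie(bind_to_client: bool) -> Optional[str]:
    """Victim logs in with password + 2FA, then 'shares their cookie data' with
    the scammers, who replay it from their own machine. Returns who the
    server believes the attacker is."""
    store = SessionStore(bind_to_client)
    cookie = store.login("alice", "correct horse", "493021",
                         ip="203.0.113.7", ua="Mozilla/5.0 (victim laptop)")
    assert cookie is not None, "victim login should succeed"
    # The attacker never learned the password or the one-time code.
    return store.authenticate_request(cookie, ip="198.51.100.42",
                                      ua="Mozilla/5.0 (attacker box)")


if __name__ == "__main__":
    print("no binding   -> attacker authenticated as:", replay_stolen_cookie(False))
    print("with binding -> attacker authenticated as:", replay_stolen_cookie(True))
```

Binding a session to IP address and User-Agent is deliberately blunt here to make the point visible; mobile carriers and corporate proxies change client IPs mid-session, so production services generally treat a fingerprint mismatch as one risk signal among several and ask the user to re-authenticate for sensitive actions rather than revoking outright.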
Celebrity scalps targeted
While it did not disclose any names, Group-IB claims the campaign – which it said has so far either created or compromised close to a thousand Facebook profiles – had the ultimate goal of hijacking social media accounts belonging to more illustrious users, such as politicians, celebrities, musicians, and influencers.
“In this campaign, the scammers have set their sights on a broad range of individuals and business enterprises,” said the analyst. “Public figures such as politicians, celebrities, musicians, and influencers are among the primary targets, along with sports teams and public organizations. The real danger in this phishing campaign lies in its potential reach.”
It added: “The number of victims can increase exponentially because the followers of a particular page – those who subscribed before the account was taken over by the scammers – are converted into potential victims following account takeover.”
Further evidence of the campaign’s wide-ranging ambitions was found in the linguistic breakdown of fake postings: although nine-tenths were in English, other languages including Mongolian (2.5%), Arabic (2.3%), and Italian (0.8%) were also tallied by Group-IB.
What you can do
To protect against such attacks, the analyst recommends that users adopt two-factor authentication on their Facebook accounts, “to provide an extra layer of security that can stop scams such as this”, and double-check the URLs of any web pages they are led to, which can help potential victims weed out domain names containing spelling errors. Two-factor authentication only guards the login step, however: a victim who pastes their session cookie into the scammers’ page is handing over a session that has already passed that check, so the cookie-harvesting variant has to be caught at the URL stage, and cookie data should never be entered on any other site.
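The URL advice above is easy to state and harder to follow by eye, so here is an added example (not from Group-IB or the article) of the checks a practitioner would automate: a small Python classifier that normalises common digit-for-letter substitutions, flags a brand name appearing on a domain outside a constructed allow-list, and flags registrable domains within a short edit distance of a genuine one. The allow-list, the brand string and the sample URLs are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of genuine registrable domains for the service in
# question. A real checker would load this from policy, not hard-code it.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}
# Brand string that should never appear on a domain outside the allow-list.
BRAND = "facebook"

# Digits and symbols commonly substituted for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production checker
    would consult the Public Suffix List so that 'example.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legitimate', 'brand-on-other-domain', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "https://" + url  # scam posts often omit the scheme
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Undo digit/symbol substitutions before comparing anything.
    plain_host = host.translate(HOMOGLYPHS)
    if BRAND in plain_host:
        # e.g. facebook.com.account-verify.xyz or faceb00k-support.com: the
        # brand is only a subdomain or a fragment of some other registrable domain.
        return "brand-on-other-domain"
    sld = registrable_domain(plain_host).split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_sld = legit.split(".")[0]
        # Skip very short names: almost anything is within two edits of 'fb'.
        if len(legit_sld) >= 5 and edit_distance(sld, legit_sld) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs in the style of the posts described above.
    for sample in ("https://www.facebook.com/help/",
                   "https://facebook.com.account-verify.xyz/appeal",
                   "faceb00k-support.com/verify",
                   "https://facebok.com/login",
                   "https://example.com/"):
        print(f"{classify_url(sample):22} {sample}")
```

The two-label registrable-domain rule and the fixed homoglyph table are the weak points a reviewer would push on: real deployments use the Public Suffix List and a Unicode confusables table, and treat the verdict as a signal to combine with where the link was posted and who posted it.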
Sharef Hlal, in charge of Group-IB’s digital risk protection analytics team, warned that account takeover puts victims, famous or otherwise, at severe risk.
“Individuals can suffer legal and reputational damage if their account is compromised and suspicious content is posted on it,” he said. “The threat actors could also gain access to the victim’s financial services accounts, should the login and password for these types of accounts be the same as the profile that has been compromised.”
Perhaps worst of all in cases where a high-profile target has been affected, crooks can also “hold compromised accounts for ransom, demanding payment from the victim for retrieval of the account.”