Facebook Page Deletion Message Scam Exposed

Date | Change Log
22/01/24 | Updated the article with evidence that someone else tried to access the test account.

2024…and here I am still writing articles about Facebook scams. Unfortunately, Facebook still don’t appear to have the relevant controls in place to stop the number of scams that take place on their platform. However, the reality is, the bad guys are always coming up with new and creative ways to bypass existing Facebook security controls, making it difficult to stop scams reaching potential victims.

I’ve now come across another Facebook scam that I’ve not seen before and therefore is considered new for 2024. This scam is targeted at Facebook users that have created pages.

Let’s take a look and discuss the process in more detail below.

The Scam Process

Scam Summary

For those that are not interested in the finer detail, I’ll start with a summary of the scam.

Users that have created Facebook pages may receive a message to their page inbox stating that their page will be deleted due to a post that infringes on Facebook’s trademark rights. The message comes from a user account (not Facebook) and includes a link to a page (not a Facebook link – DO NOT CLICK) that the user can click on to view the request. The idea is that the user panics and clicks on the link to view more information. Once the link is clicked, the user is taken to another webpage (not Facebook related) and asked to provide information about themselves and their account. The end goal is for the attackers to steal your account information and take over the account.

You can read the details below.

Scam Details

  • The bad actor sends an email to the page and advises that the page will be deleted due to trademark right violations. This message will come from another Facebook user account and NOT from Facebook. See the screenshot below for an example of the message. Note that messages may slightly differ.
  • If a user clicks the link, they are taken to a page that is not associated with Facebook; however, it has been made to look like Facebook to trick the user. The page will ask for a number of details such as:
    • Login Email
    • Year of birth
    • Name
    • Phone Number

…and it will even give you a box to write your appeal. The key thing here is that all of this is fake and has been generated to steal your Facebook credentials. The bad actors will use these details to gain access to your account and the ‘Your appeal’ box is just simply a ploy to make the page look legitimate. You might be asking yourself: “How can they access my account with those details?” – Hold that thought for now because all will become clear in the next step.

  • Providing that the user enters the details asked of them in the previous step, when they click the button ‘submit’, they are then asked to confirm their Facebook account details as shown in the screenshot below. !!!DO NOT DO THIS!!! – This is the whole point of the scam and how the bad actors will get access to your account. All the details that they ask for in the last step could be used by the bad actors to try and recover your account or provide Facebook with more details so that they could access the account, but the key bits of information are at this step – your email address and password that are associated with Facebook. Interestingly, when a user first enters their email address and password, regardless of whether it is right or not, it will initially flag as incorrect. I believe that this has been done on purpose to allow the user to enter their details twice. Both submissions are sent to the attackers, and it is likely to further validate your password to the attackers.
  • And as if that wasn’t enough; should the victim unknowingly submit their email address and password, the next page will ask for you to upload your identification. !!!DO NOT DO THIS!!! – This is identity theft, and they will use this information to pose as you and prove to Facebook that they are you…when in fact they aren’t.
  • At this point, I felt inclined to follow through with this scam to see through the whole process. !!!IF YOU’RE NOT A SECURITY PROFESSIONAL, I DON’T ADVISE THIS!!!
  • I wanted to see how long it took the bad actors to take over a Facebook account once the details had been provided and so the first step was to create a fake Facebook account as shown below. I even added a funny photo to humour them.
  • Once the Facebook account had been created, I could now continue with the scam process using my fake account. I also searched the Internet for a driving license that could be used as part of the process.
  • Interestingly, when adding a photo ID, it appears as though it is uploaded straight away and then doesn’t allow the user to click ‘send’. I guess that’s all the information that the scammers need!

Conclusion

At the time of writing this, I was still yet to see attempts to breach my fake Facebook account. However, while conducting some more analysis, I could see that the URL that the bad actor had shared in the message was flagged as malicious and blocked by Cisco Talos. That said, some threat intelligence organisations had yet to pick this up and therefore, it may not flag as malicious to everyone. Furthermore, without the correct security controls in place, it is likely that these links won’t be blocked.

Therefore, it is important to ensure you are up to date with any security awareness training and you know some of the key things to look out for with scams and Phishing attempts. Some of the common signs are:

  1. Mismatched URLs:
    • Check the website’s URL for inconsistencies or misspellings. Phishing sites may use slightly altered URLs to mimic legitimate ones.
  2. Unsolicited Emails:
    • Be cautious of unexpected emails, especially those requesting personal or financial information. Verify the sender’s identity before responding.
  3. Urgency or Threats:
    • Phishing emails often create a sense of urgency or threat to prompt quick action. Be skeptical of messages that claim immediate action is required.
  4. Generic Greetings:
    • Legitimate organizations usually address you by your name. Phishing emails may use generic greetings like “Dear Customer” or “Dear User.”
  5. Spelling and Grammar Errors:
    • Phishing emails often contain spelling and grammar mistakes. Legitimate organizations typically have professional communication.
  6. Unusual Sender Email Address:
    • Check the sender’s email address. Phishers may use email addresses that mimic legitimate ones but have slight variations.
  7. Request for Personal Information:
    • Be suspicious of emails or messages requesting sensitive information like passwords, credit card details, or Social Security numbers.
  8. Unsecured Websites:
    • Verify that websites requesting personal information use “https://” and display a padlock icon in the address bar. Avoid entering sensitive data on unsecured sites.
  9. Unexpected Attachments or Links:
    • Avoid opening unexpected email attachments or clicking on links, especially from unknown sources. These may contain malware or lead to phishing sites.
  10. Check the Salutation:
    • Phishing emails might use generic salutations like “Dear Customer” instead of addressing you by name.
  11. Fake Logos and Branding:
    • Phishing sites may use copied logos and branding to appear legitimate. Verify the authenticity of the website by directly visiting the official site.
  12. Unusual Email Requests:
    • Be cautious if an email requests actions that are unusual or inconsistent with normal procedures, such as changing passwords without a clear reason.
  13. Misspelled URLs or Domain Spoofing:
    • Carefully inspect URLs for misspellings or variations. Phishers may use domain names that resemble legitimate ones to deceive users.
  14. Hover Over Links:
    • Hover your mouse over links in emails to preview the destination URL. Verify that the actual URL matches the displayed link.
  15. Check Email Headers:
    • Examine email headers for anomalies. Legitimate emails usually come from official domains, while phishing emails may have suspicious headers.

Have you been targeted by this scam? Let us know in the comments section and please share this article amongst your network to ensure that others are not impacted by this scam.

Updates

Approximately one week after writing this article, the test account that I created had received an access attempt from someone unknown. This further proves that this was a scam and an attempt to take over my test Facebook account.

Thankfully this request was flagged as suspicious, and the account also had multifactor authentication enabled. Therefore, the malicious actors weren’t able to access the account.

