CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
An Effective Account Takeover Trick Is Helping Scammers Steal Thousands of Facebook Profiles

Scott Ikeda·May 3, 2023

A new account takeover campaign is making the rounds on Facebook, and it is proving to be quite successful. At least 3,200 Facebook profiles are thought to have been nabbed in the attack thus far, as the scammers pose as Meta technical support and attempt to hijack browser cookies.

Account takeover campaign has been active since February

The account takeover scheme is essentially a phishing campaign; research from Group-IB finds that it has been active since February and is still underway. In both variants the goal is control of the victim's Facebook profile: the attackers either hijack the user's session via browser cookies, or lure the user to an external attack site that captures login credentials.

The campaign appears to be targeting specific Facebook profiles, as the attackers look to jump from person to person in a bid to ultimately get access to high-profile individuals and businesses. It is a sophisticated and prolific effort, as these account takeover attempts have now been conducted in over 20 languages (though the majority thus far have been in English).

The scammers do not appear to be targeting specific types of information; celebrities, businesses, sports teams, assorted public figures, and individuals with links to those entities have all been targeted by what appear to be the same actors.

The attackers approach targets pretending to be a member of the Meta tech support team, using accounts that they have created that have a post history that makes it appear as if they are a legitimate employee. They also redirect victims to attack sites that are made up to look like legitimate Meta and Facebook pages, and make use of “lookalike” characters in their posts and job titles (such as a lowercase L in place of an I) to evade Facebook’s automated phishing and fraud defenses. Over 220 of these phishing sites have been observed in use in these account takeover attempts. Meta has been taking down the bogus Facebook profiles used in connection with these attacks, but they seem to continue to spring up.
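The lookalike-character trick described above defeats naive keyword filters on display names and job titles. The following is an added example (not code from Group-IB, Meta or this article) of the defensive counterpart: folding confusable characters into a skeleton before matching brand terms, so "Meta Technlcal Support" spelled with a lowercase L still matches, and the match is reported as a lookalike spelling. The confusable table and the brand-term list are small, constructed samples.

```python
import re
import unicodedata

# Constructed, deliberately small table of stand-in characters; the real
# Unicode confusables data is far larger. Assumption for this example only.
CONFUSABLE_CHARS = {
    "l": "i",   # lowercase L used for capital I, as in the article
    "1": "i",
    "|": "i",
    "0": "o",
    "3": "e",
    "5": "s",
    "@": "a",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r, looks like Latin p
    "\u0441": "c",  # Cyrillic s, looks like Latin c
}
CONFUSABLE_SEQS = {"rn": "m", "vv": "w"}
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

# Brand phrases a support-impersonation profile is checked against (constructed list).
BRAND_TERMS = ("meta support", "meta business", "meta technical",
               "facebook support", "facebook security")


def canonicalize(text: str) -> str:
    """Reduce a display name or job title to a skeleton for brand matching."""
    text = ZERO_WIDTH.sub("", text)                       # drop invisible padding
    text = unicodedata.normalize("NFKC", text).casefold()  # fullwidth, math-bold, etc.
    text = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text)
    for seq, rep in CONFUSABLE_SEQS.items():
        text = text.replace(seq, rep)
    return re.sub(r"\s+", " ", text).strip()


def flag_impersonation(text: str) -> dict:
    """Report brand terms found verbatim, and those found only after folding lookalikes."""
    plain = re.sub(r"\s+", " ", text.casefold()).strip()
    skeleton = canonicalize(text)
    # Brand terms are folded with the same rules, so a legitimate "Technical"
    # (whose l and i fold too) still lines up with the skeleton of the input.
    exact = [t for t in BRAND_TERMS if t in plain]
    lookalike = [t for t in BRAND_TERMS if t not in plain and canonicalize(t) in skeleton]
    return {"exact": exact, "lookalike": lookalike}
```

A non-empty "lookalike" list is the stronger signal: it means the brand phrase was present only under a spelling a human reads as the brand but an exact filter does not.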

The initial approach is not generally via direct message, however. Instead, the attackers create a post designed to grab the target's attention, tagged so that it appears in the target's news feed or notifications. The post generally refers to pages that in turn contain links to the credential-capturing attack sites used for account takeover.

These initial target Facebook profiles almost always have some link to the real target, and the attackers leverage the connection to attempt to get the “big fish” to an account takeover site. The attackers may also repurpose this compromised account as a “Meta Business Services” figure, attached to some sort of account recovery or retrieval function, to use in future attacks.

Though Group-IB spotted the first Facebook profiles associated with these attacks in February of this year, the first pages linking to account takeover sites apparently went up in December 2020. Group-IB says that Facebook has been playing “whack-a-mole” with these pages since they first started appearing, often taking them down rapidly.

Facebook profiles stolen via fake account verification warnings

Account takeover targets may encounter one of two types of attack site when they follow the malicious links contained in the scammer’s pages and posts. The first is a straightforward attempt to get them to enter their login credentials, made up to look like a valid Facebook page that tells them their account is locked and they must sign in to address the issue. The second is a more complex page that asks the target to find and upload their cookie data to prove that they are not in violation of some sort of copyright, even providing a short video that contains instructions. This method allows for account takeover via session hijacking, as authentication for the current session will be embedded in the cookie information that is sent over.

Though the Facebook profiles and pages make use of mockups, logos and graphics that look legitimate, they can frequently be spotted by the use of poor grammar or odd word choices. One example that Group-IB provides says that the account has been “disable” after being “detected in suspicious violation” of platform policies.

Group-IB has unearthed a number of Facebook scams as of late, including a group that was using thousands of fake Facebook profiles to make fake offers of employment in North Africa and the Middle East. Bitdefender has also documented a malware campaign called “S1deload stealer” that specifically targets YouTube and Facebook profiles, something that criminals did not previously put much of an emphasis on.

James McQuiggan, Security Awareness Advocate at KnowBe4, notes that all social media users must be aware of the possibility that cyber criminals will target them for account takeover, even if they are not rich or famous: “Cybercriminals continually deceive their targets through stolen accounts or fake websites to steal user data or scrape information to create similar accounts with different email addresses behind them. They pretend to be that person and target the victim’s friends and family, essentially their trusted connections. These connections are the target for the cybercriminal, the trusted relationships, as a lot of the time, people will think, ‘I don’t have anything cybercriminals want.’ However, they want those trusted connections to phish or socially engineer more people to steal more data and either sell the credentials or work towards a bigger phish. Users want to be skeptical of all email / social media message requests not expected from friends. Quite often, a video will appear in their social media messages that, when clicked, may contain malicious software intended to collect data, steal credentials or infiltrate more social media. Users must verify the message if they are unsure and unexpected.”
