A new account takeover campaign is making the rounds on Facebook, and it is proving to be quite successful. At least 3,200 Facebook profiles are thought to have been nabbed in the attack thus far, as the scammers pose as Meta technical support and attempt to hijack browser cookies.
Account takeover campaign has been active since February
The account takeover scheme is essentially a phishing campaign, and research from Group-IB finds that it has been active since February and remains underway at present. The attackers will attempt to either hijack a user’s session via browser cookies, or will try to get the user to visit an external attack site, in both cases looking to take control of Facebook profiles.
The campaign appears to be targeting specific Facebook profiles, as the attackers look to jump from person to person in a bid to ultimately get access to high-profile individuals and businesses. It is a sophisticated and prolific effort, as these account takeover attempts have now been conducted in over 20 languages (though the majority thus far have been in English).
The scammers do not appear to be targeting specific types of information; celebrities, businesses, sports teams, assorted public figures, and individuals with links to those entities have all been targeted by what appear to be the same actors.
The attackers approach targets pretending to be a member of the Meta tech support team, using accounts they have created with a post history crafted to make them look like legitimate employees. They also redirect victims to attack sites made up to look like legitimate Meta and Facebook pages, and use “lookalike” characters in their posts and job titles (such as a lowercase L in place of an I) to evade Facebook’s automated phishing and fraud defenses. Over 220 of these phishing sites have been observed in use in these account takeover attempts. Meta has been taking down the bogus Facebook profiles used in connection with these attacks, but they keep springing up.
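The lookalike-character trick above defeats filters that only match a protected brand string literally. As an added illustration (not code from Group-IB or Meta), the check below folds a display name or job title to a confusable-insensitive “skeleton” and flags text that matches a protected term only after folding; the confusables table, protected terms and sample profiles are constructed for this example.

```python
import unicodedata

# Constructed subset of visually confusable characters -> the letter they imitate
# (includes the lowercase L for I swap described in the report and a few Cyrillic letters).
CONFUSABLES = {
    "l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "$": "s", "3": "e", "4": "a", "@": "a", "7": "t",
    "\u0456": "i", "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p", "\u0441": "c", "\u0442": "t",
}

# Brand strings an impersonator would want a profile to resemble (assumed list).
PROTECTED_TERMS = ["meta support", "meta business services", "facebook support"]


def skeleton(text: str) -> str:
    """Fold text to a lookalike-insensitive form: compatibility-normalise, casefold,
    strip accents, then map each confusable to the letter it imitates."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    chars = [CONFUSABLES.get(ch, ch) for ch in folded if not unicodedata.combining(ch)]
    return "".join(chars).replace("rn", "m").replace("vv", "w")


def classify(display_text: str):
    """Return (verdict, term). 'exact' would already trip a literal filter;
    'lookalike' is the evasion case: no literal hit, but the skeleton matches."""
    literal = display_text.casefold()
    for term in PROTECTED_TERMS:
        if term in literal:
            return ("exact", term)
    skel = skeleton(display_text)
    for term in PROTECTED_TERMS:
        if skeleton(term) in skel:
            return ("lookalike", term)
    return ("clean", None)


# Constructed sample profiles, not data from the report.
SAMPLE_PROFILES = [
    {"name": "Meta Support", "title": "Community Operations"},
    {"name": "Jane Doe", "title": "Meta Buslness Servlces"},  # lowercase L in place of i
    {"name": "John Roe", "title": "M\u0435ta Support"},        # Cyrillic e
    {"name": "Sam Poe", "title": "Photographer"},
]


def flag_profiles(profiles):
    """Return [(name, verdict, term)] for every profile resembling a protected term."""
    flagged = []
    for p in profiles:
        verdict, term = classify(f"{p['name']} {p['title']}")
        if verdict != "clean":
            flagged.append((p["name"], verdict, term))
    return flagged
```

Running `flag_profiles(SAMPLE_PROFILES)` flags the two folded impersonations as `lookalike` alongside the literal `exact` hit, which is the gap a literal-only filter leaves open.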
The initial approach is not generally via direct message, however. Instead the attackers create a post aimed at grabbing the attention of the target, tagged in such a way that it will appear in their news feed or notifications. The post generally refers to pages that in turn contain links to the credential-capturing attack sites used for account takeover.
These initial target Facebook profiles almost always have some link to the real target, and the attackers leverage the connection to attempt to get the “big fish” to an account takeover site. The attackers may also repurpose this compromised account as a “Meta Business Services” figure, attached to some sort of account recovery or retrieval function, to use in future attacks.
Though Group-IB spotted the first Facebook profiles associated with these attacks in February of this year, the first pages linking to account takeover sites apparently went up in December 2020. Group-IB says that Facebook has been playing “whack-a-mole” with these pages since they first started appearing, often taking them down rapidly.
Facebook profiles stolen via fake account verification warnings
Account takeover targets may encounter one of two types of attack site when they follow the malicious links contained in the scammer’s pages and posts. The first is a straightforward attempt to get them to enter their login credentials, made up to look like a valid Facebook page that tells them their account is locked and they must sign in to address the issue. The second is a more complex page that asks the target to find and upload their cookie data to prove that they are not in violation of some sort of copyright, even providing a short video that contains instructions. This method allows for account takeover via session hijacking, as authentication for the current session will be embedded in the cookie information that is sent over.
Though the Facebook profiles and pages make use of mockups, logos and graphics that look legitimate, they can frequently be spotted by the use of poor grammar or odd word choices. One example that Group-IB provides says that the account has been “disable” after being “detected in suspicious violation” of platform policies.
Group-IB has unearthed a number of Facebook scams recently, including a group that was using thousands of fake Facebook profiles to make fake offers of employment in North Africa and the Middle East. Bitdefender has also documented a malware campaign called “S1deload stealer” that specifically targets YouTube and Facebook profiles, something that criminals did not previously put much of an emphasis on.
James McQuiggan, Security Awareness Advocate at KnowBe4, notes that all social media users must be aware of the possibility that cyber criminals will target them for account takeover, even if they are not rich or famous: “Cybercriminals continually deceive their targets through stolen accounts or fake websites to steal user data or scrape information to create similar accounts with different email addresses behind them. They pretend to be that person and target the victim’s friends and family, essentially their trusted connections. These connections are the target for the cybercriminal, the trusted relationships, as a lot of the time, people will think, ‘I don’t have anything cybercriminals want.’ However, they want those trusted connections to phish or socially engineer more people to steal more data and either sell the credentials or work towards a bigger phish. Users want to be skeptical of all email / social media message requests not expected from friends. Quite often, a video will appear in their social media messages that, when clicked, may contain malicious software intended to collect data, steal credentials or infiltrate more social media. Users must verify the message if they are unsure and unexpected.”