Hackers Are Stealing Facebook Accounts With Malicious Messenger Bots

Researchers at Trustwave have shed light on a recently discovered phishing campaign revolving around Facebook Messenger bots.

If you don’t spend much time on social media, you may not know that chatbots are programs designed to impersonate live people. They are usually relegated to the task of answering simple questions as a form of triage customer support.

If the bot can’t answer the question, then a handoff escalation is made to a human customer support person.

That’s how it’s supposed to work, anyway.  This newly discovered campaign abuses chatbots.

Here’s how they’re structuring the campaign:

The first step is to send an email out to an individual concerning their Facebook page, generally claiming that the page has violated some portion of Facebook’s Community Standards and giving the email recipient 48 hours to appeal the decision or risk their page being deleted.

Naturally, this is mortifying to most people, who will rush to resolve the issue.

That’s exactly what the phishers are counting on.  The email “helpfully” provides an embedded link or button that connects the recipient to a chatbot, but one that the scammers control.

By all appearances, the email recipient is connected to a member of Facebook’s customer support team.  It is in fact a chatbot controlled by the scammers.

The fake customer support person will basically regurgitate the information contained in the email and then will send the victim a message containing an “Appeal Now” button.

Clicking this button takes the victim to a website disguised as the “Facebook Support Inbox.” At this point, only an observant potential victim will see through the ruse as the inbox domain is in no way associated with Facebook. Others may easily miss it.

If the victim doesn’t see through the ruse, he or she will be asked to input a variety of information on a form.  When this form is submitted, a pop-up box appears asking the user to re-enter their Facebook password, and that’s the hook.

Everything up to this point has been bait designed to get the potential victim to give up their password.
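The domain mismatch behind the “Appeal Now” button can be checked mechanically. The sketch below is an added example, not code from Trustwave or from the original article; the allow-list of Facebook-owned domains, the brand tokens, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains treated as Facebook-owned for this check.
FACEBOOK_DOMAINS = ("facebook.com", "fb.com", "messenger.com", "m.me")
# Assumption: brand words whose presence in a non-Facebook URL marks a lookalike.
BRAND_TOKENS = ("facebook", "messenger")

def link_host(url):
    """Hostname a browser would connect to, or None if not an http(s) link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname already drops any "user@" prefix and the port.
    return parts.hostname.rstrip(".").lower()

def classify_link(url):
    """Return 'facebook', 'lookalike', 'other' or 'invalid' for one link."""
    host = link_host(url)
    if host is None:
        return "invalid"
    # Exact match or a true subdomain; a bare substring test is not enough.
    if any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS):
        return "facebook"
    # Brand name appears somewhere in the URL, but the host is not Facebook's.
    if any(token in url.lower() for token in BRAND_TOKENS):
        return "lookalike"
    return "other"

# Constructed sample links (none are taken from the campaign).
SAMPLES = [
    "https://www.facebook.com/help",
    "https://facebook.com.support-inbox.example/appeal",
    "https://facebook.com@support-inbox.example/appeal",
    "https://support-inbox.example/appeal",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_link(url):10} {url}")
```

A “facebook” result for a Messenger link only confirms the host; it says nothing about who operates the bot on the other end of the conversation.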

Even if you’re not personally on Facebook, make sure everyone you know who is knows about this scam.  If we can help even one person avoid being taken in, that’s a victory.

Massive Phishing Attack Scammed Millions Of Facebook Messenger Users

According to research conducted by the cybersecurity firm PIXM, there is a massive phishing campaign that peaked in April and May of this year (2022) and it is still ongoing.

The campaign has lured millions of unsuspecting users to phishing pages by abusing Facebook and Facebook Messenger and tricking users into entering their account credentials.

Worse, the hackers then used those credentials to send additional phishing messages to friends of the affected users, luring them in as well and continuing the chain.

All told, the group behind the attack has been able to generate millions of dollars in revenue using these tactics.

Worst of all, PIXM’s research shows that this has been a long-running campaign.  Although the group has only recently discovered it, the evidence they’ve uncovered shows that the campaign has been ongoing since at least September of 2021.

The group’s research is ongoing but so far they’ve found more than four hundred Facebook accounts tied to the campaign, which contain hooks to phishing pages.  Some of these poisoned profile pages have only been viewed a few thousand times. In other cases, they boast millions of views and of course, each view represents another potential victim.

Based on what the group has been able to piece together, they determined that in 2021 a total of 2.7 million users had visited one of the phishing pages. As of today, more than 8.5 million people have been lured to the phishing pages with no clear end in sight.

While this represents a tiny fraction of the total number of Facebook users on the platform, it is nonetheless a massive campaign.  If you’re a regular Facebook user, stay vigilant.  There are groups out there right now that are actively trying to lure you in and steal your data.  Don’t let that happen to you, your family, friends, or your coworkers.

This New Malware Wants To Steal Your Data

A nasty new malware strain has recently been spotted in the wild by researchers at Zscaler.

Dubbed “BlackGuard,” the malicious code has been found on a variety of Russian underground Blackhat forums.  It is offered as a service, and anyone criminally minded can access the code for the bargain price of just $200 a month.

Because the malware is quite new, the as-yet-unknown authors are also selling lifetime subscriptions for just $700 in a bid to rapidly grow the code’s user base and get their name circulating in the global hacking community.

BlackGuard isn’t an inherently destructive form of malware. It is classified as an Infostealer and its main purpose is to harvest as much valuable information as possible when it lands on a target system.

Most Infostealers tend to be somewhat generalized while siphoning up data ranging from OS details, network traffic statistics, users’ contact lists and of course, harvesting various login credentials (with a preference for account details users use to log into various financial institutions). BlackGuard’s focus is a bit different.

Zscaler reports that this code steals any login credentials stored in whatever web browser the user has, along with that user’s browsing history, email client data, any autofill content, and all conversations in messenger software.

In addition to that, it also targets login credentials and other account information for popular Messengers including Tox, Element, Discord, Signal, and Telegram.  If that wasn’t bad enough, BlackGuard is also designed to pilfer cryptocurrency wallet information including wallet browser extensions for both Microsoft Edge and Google Chrome.

The Zscaler team remarked that although BlackGuard’s capabilities are not yet as broad-based as many Infostealers, the malicious code is extremely well-designed. It’s clear that the developers know what they’re doing, and they seem to have a well-crafted plan to grow the popularity of their new creation.

Keep an eye on this one.  We’re almost certain to hear more about it in the months ahead.

This Android Malware Will Steal Your Facebook Credentials

Do you have an Android device?  Even if you don’t, you know someone who does.

Google is incredibly good at spotting poisoned copies of apps on its Play Store and getting rid of them before they can spread to the devices of users who rely on the safety and security offered by the Play Store.

As good as they are, they’re not perfect and sometimes malicious code masquerading as a legitimate app can slip through the company’s impressive filtering system.

Recently, the company discovered that an Android app that has more than 100k installs contains a trojan called “FaceStealer” which displays a Facebook login screen that requires users to log in before they can make use of the app.

Although the Facebook login prompt looks official, it is not, and all a user accomplishes by entering their login credentials is to give those credentials to the hackers that control the code.  Given that millions of people around the world use their Facebook login details to connect to a host of other websites, this essentially gives the hackers the keys to your digital kingdom. From that point there’s really no end to the amount of damage they can do.

In addition to making the discovery itself, the researchers who originally brought the poisoned app to Google’s attention did a deep dive into the malicious code and discovered that the author has apparently automated the repackaging process. This means that it’s a trivial matter to turn almost any legitimate app into a carrier of this trojan.

Given that fact, it’s worth asking the question, “How many other poisoned apps might there be on the Play Store right now?”

It’s a fair question with no easy answer.  Your best bet is to practice extreme caution when downloading any app, only get them from the Google Play store and do as much due diligence as possible before committing to an installation.

More Scammers Are Using Social Media To Target Victims

An increasing number of scammers are using social media to target victims and relying on social engineering tricks to convince people to part with their personal information or money.  The problem has grown serious enough that the FTC (Federal Trade Commission) has issued a formal warning to consumers.

According to a recently released FTC report:

“More than 95,000 people reported about $770 million in losses to fraud initiated on social media platforms in 2021. 

Those losses account for about 25 percent of all reported losses to fraud in 2021 and represent a stunning eighteen-fold increase over 2017 reported losses. Reports are up for every age group, but people 18 to 39 were more than twice as likely as older adults to report losing money to these scams in 2021.

More than half of people who reported losses to investment scams in 2021 said the scam started on social media. Reports to the FTC show scammers use social media platforms to promote bogus investment opportunities and even to connect with people directly as supposed friends to encourage them to invest. 

People send money, often cryptocurrency, on promises of huge returns, but end up empty-handed.”

Overall, cryptocurrency scams are regarded as the number one threat for investors in 2022, according to a new report from the North American Securities Administrators Association (NASAA). However, the FTC is urging all users to exercise caution and develop better habits when scrolling through their favorite social media platform.

They recommend setting limits on who can see your posts, taking advantage of increasingly robust privacy controls, opting out of targeted advertising, and doing more due diligence on any company you plan on doing business with before buying anything from them.

It’s good advice in general but it is especially important now given how prevalent social media-based attacks are becoming.
