A phishing campaign sent to the Facebook messaging system of certain pages aims to steal login credentials from the social network. To achieve this, the hackers pretend to be the teams … of Facebook.
« Usually, I don’t get a lot of spam on Facebook. This is the first one I receive in 2020 and especially the first phishing attempt », Is surprised https://twitter.com/ChanPerco/status/1316460442919882762, community manager (CM) of Dentsu France and iProspect. It was in the inbox of his employer’s Facebook page that he received an astonishing warning written in English, translated here by Cyberguerre: “ Hello, we need to let you know that your page has been flagged for unusual and illegal activity, so your page will be deleted permanently. »
Sent by an account called “Page Flagged”, the message is signed by “ Facebook security team “. A second message in a row adds that a Facebook representative will contact him shortly to discuss the situation.
Fortunately, it is specified that a procedure exists to appeal on this report: it is enough to click on a link towards an alleged form of complaint. Spread over two lines, the form address begins with “https://facebook.com” and ends with expected keywords such as “page”, “reported” and “call”.
By chance or not, this strange message arrived the day after the end of an advertising campaign launched by Jonathan two weeks earlier with Facebook Ads, the social network’s advertising tool. The CM was concerned about this chronological correlation, so he clicked on the link to verify the authenticity of the procedure.
It was then that he realized the deception.
Hackers cleverly play with their site URL
With more than 50,000 subscribers, the iProspect page, managed by Jonathan Chan, has enough to attract the interest of hackers. If they could get hold of it, they could use it to spread their phishing to thousands of people. Better, they would take advantage of the reputation of the company to increase the chances that their targets take the scam.
When he clicked on the link, the CM was redirected to a phishing page that Cyberwar was able to consult. It uses the graphic charter of Facebook for Business, the professional side of the social network. Barely a few seconds after opening the page, a message appears telling us that ” to log in To complete the form, and directs us to a copy of the Facebook login page. It uses the layout of the old version of Facebook, but since not all users have the same version, this detail is not obvious.
Before entering our identifiers, we take a closer look at the URL: although it begins with “facebook.com”, it is not linked to the social network. To create this visual effect, the hackers created a “facebook” subdomain of the “com-208746513503510.top” domain name that belongs to them. It is a simple separation to make, which makes it possible, more often than not, to distinguish several dependent services of the same site: for example cyberguerre.numerama.com is a subdomain of numerama.com.
Because of this stratagem, the victims of the hackers read “facebook.com”, stop reading from the URL to the numbers, and do not see the “.top” at the back of the address.
On the hunt for the necessary identifiers to connect to your Facebook page
We still continue to dig into the phishing scheme. In addition to the identifiers, hackers ask to enter the 6-digit code for double authentication, to ensure access to all accounts, even the best protected. If you’ve given your information at this stage of the phishing, hurry up and change your passwords.
Once this false authentication is complete, we are redirected to the page we had interviewed by clicking the first link. It must contain the famous form supposed to prevent the closure of our account.
The message begins with a multiple choice question about Facebook Ads: ” What are the most common problems you encounter on Facebook? “. Two answers, ” disabled ad account “And” trade restrictions Apply to our alleged case. Then the form asks us to enter our full name, email address, date of birth, and URLs for our profile and page. On the other hand, the form does not ask for the password, for two reasons: this request could arouse the suspicions of the victims, and above all, the hackers have already obtained it when we “connected” to their fake connection portal.
Once all the fields are filled in, we validate. At this point, hackers have more than enough information to steal anything we have on the social network. We are then redirected to the real Facebook help pages, in French this time. A pop-up insert is addressed to us: “ Thanks for contacting Facebook. You should receive an email response soon. You may be prompted to respond before we can help you. “. This means that the criminals manage to send the right requests to the Facebook site so that this real (rather) reassuring message appears. But in no case has Facebook validated the form we have just completed.
Jonathan received this phishing on Wednesday, October 13. The next day at 10 a.m., when we tried to consult them, the phishing link and the sending account were disabled. The site was still online, but clearly identified as phishing on the various browsers (Chrome, Firefox, Safari) that we tried. And by the start of the afternoon, it had gone offline.
Despite this great reactivity on the part of Facebook and the various actors involved to neutralize it, phishing could again surface at a new address, from a new Facebook account. So pay attention to any message that is a little odd in itself.
Share on social media
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!
These were the details of the news Hackers mimic Facebook on Facebook to grab Facebook pages for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at en24news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.