{"id":18878,"date":"2022-04-28T07:10:05","date_gmt":"2022-04-28T15:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/28\/news-12611\/"},"modified":"2022-04-28T07:10:05","modified_gmt":"2022-04-28T15:10:05","slug":"news-12611","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/28\/news-12611\/","title":{"rendered":"Facebook phishers threaten users with Page Recovery Help Support"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Thu, 28 Apr 2022 14:11:47 +0000<\/strong><\/p>\n

We\u2019ve seen multiple hijacked profiles on Facebook recently claiming to be account recovery services. These bogus account recovery services aren’t here to help. They’re actually just trying to scare users into falling for phishing attempts.<\/p>\n

The people behind these scams target Facebook pages belonging to musicians, products, and businesses of all kinds. In what may be a peculiar coincidence, quite a few of the accounts we looked at belonged to spa\/beauty treatment small businesses.<\/p>\n

Once the page has been taken over, the hijacker changes the name, profile picture, and more to look like it’s a support page.<\/p>\n

Here\u2019s a typical list of some of these compromised accounts:<\/p>\n

\n
\"\"
That’s a lot of support<\/em><\/figcaption><\/figure>\n<\/div>\n

As you can see, there’s no real rhyme or reason to the hijacks. Just a big list of random pages ready to get up to mischief.<\/p>\n

With great power comes great transparency<\/h2>\n

The dates of the pages being altered can be seen via Facebook\u2019s \u201cPage transparency\u201d popup. The majority of those we’ve observed appear to have been hijacked in the last month or so. If you’re not familiar with this popup, it’s all about providing a fuller picture<\/a> of what a page is all about.<\/p>\n

When was it created? How many times has the name changed? Has it merged with another page? Which country does it operate out of? This is what the transparency box looks like:<\/p>\n

\n
\"\"
Transparency report<\/em><\/figcaption><\/figure>\n<\/div>\n

How do scammers go phishing?<\/h2>\n

Businesses on Facebook have a dedicated page for their organisation, containing information, updates, and posts about the latest happenings. These pages are operated by one or more Admins, using their personal accounts<\/a>. Should any of those users suffer an account compromise, the business page may become vulnerable as a result. The compromiser is able to set about changing the business page to suit their needs.<\/p>\n

Let’s assume an account responsible for a page has just been compromised. The people behind this have made significant alterations to the page description and layout. Instead of a portal advertising the latest gardening tools or hair fashion, it’s now claiming to help you recover lost Facebook pages.<\/p>\n

Potential victims are linked to a notification on the compromised account\u2019s page via messaging. These pages are also easy to stumble upon while searching for content in Facebook itself – this is how a relative first brought it to my attention. A rather dire warning lies in wait for anyone viewing it:<\/p>\n

\n
\"\"
It’s account blocking time<\/em><\/figcaption><\/figure>\n<\/div>\n
\n

Your account will be deactivated. This is because someone has reported you with non-compliance with the terms of service. If you are the original owner of this account, re-verify your account to avoid blocking. Click here [URL removed]<\/em><\/p>\n

If you do not confirm within 12 hours, our system will automatically block your account and you will not be able to use it.<\/em><\/p>\n

Thanks,<\/em><\/p>\n

Bruce,<\/em><\/p>\n

Security Support Specialist<\/em><\/p>\n<\/blockquote>\n

Well, that\u2019s alarming. Thanks, Bruce, if it is<\/em> your real name (it is not). Here”s another example of a compromised page:<\/p>\n

\n
\"\"
Searching for hits<\/em><\/figcaption><\/figure>\n<\/div>\n

Note the attempt at some form of keyword\/search spam at the bottom, in an effort to be as visible to users as possible.<\/p>\n

Landing on the phish<\/h2>\n

No matter which compromised warning page you land on, they all want you to visit a phishing page. These differ from account to account, but the landing pages are all pretty much the same. Here\u2019s one example:<\/p>\n

\n
\"\"
Phishy behaviour<\/em><\/figcaption><\/figure>\n<\/div>\n

Note that the page here isn\u2019t even HTTPs.<\/p>\n

We can\u2019t say for sure what they\u2019re doing with the stolen accounts, but once they have them, spam and malicious messaging would be the best bet. They’ll likely be used to compromise more accounts down the line. If any stolen accounts have access to business pages, no doubt they’ll create more fake recovery pages too. Whatever they’re up to, it won’t be anything good.<\/p>\n

While drafting this blog, we became aware of research already published by Abnormal Security<\/a>. The research covers similar tactics: hijacking business pages to phish. The fraudulent activity covered there includes fake emails, and a longer time limit (48 hours to respond, instead of just 12), and its well worth reading.<\/p>\n

Keeping your Facebook account safe<\/h2>\n