{"id":24660,"date":"2024-06-11T02:30:10","date_gmt":"2024-06-11T10:30:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/06\/11\/news-18390\/"},"modified":"2024-06-11T02:30:10","modified_gmt":"2024-06-11T10:30:10","slug":"news-18390","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/06\/11\/news-18390\/","title":{"rendered":"Notifications from FB and theft of business account passwords"},"content":{"rendered":"

Credit to Author: Andrey Kovtun| Date: Tue, 11 Jun 2024 10:29:47 +0000<\/strong><\/p>\n

Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.<\/p>\n

Anatomy of the phishing attack on Facebook business accounts<\/h2>\n

It all starts with a message sent by the social network itself to the email address linked to the victim’s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: “24 Hours Left To Request Review. See Why.”<\/p>\n

\"Email<\/a><\/p>\n

Email with a fake warning about account problems, sent by Facebook itself<\/p>\n<\/div>\n

Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email or manually open Facebook in a browser and check for the notifications.<\/p>\n

Either way, they’ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network’s site. A notification is waiting there \u2014 with the now familiar orange icon and same threatening words: “24 Hours Left To Request Review. See Why.”<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service<\/p>\n<\/div>\n

The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account.<\/p>\n

If they do, a website opens (this time, bearing the Meta logo, not Facebook) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms \u2014 we found at least one “location” on Instagram with the same name: “24 Hours Left To Request Review. See Why.”<\/p>\n

\"Phishing<\/a><\/p>\n

On a phishing page outside Facebook, the victim is prompted to appeal the block<\/p>\n<\/div>\n

After clicking the Start button, through a series of redirects the visitor lands on a page with a form asking initially for relatively innocent data: page name, first and last names, phone number, date of birth.<\/p>\n

\"Phishing<\/a><\/p>\n

] The second screen asks the victim to enter certain personal data<\/p>\n<\/div>\n

It’s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account and your password. As you might guess, it’s this data that the attackers are after.<\/p>\n

\"Phishing<\/a><\/p>\n

The attackers don’t waste any time in requesting your Facebook account credentials<\/p>\n<\/div>\n

How the phishing scheme exploits real Facebook infrastructure<\/h2>\n

Now let’s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: “24 Hours Left To Request Review. See Why.” They also change the profile pic so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.<\/p>\n

\"Hijacked<\/a><\/p>\n

Attackers change the name and profile picture of the hijacked Facebook account<\/p>\n<\/div>\n

That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim’s page appears after a few dozen empty lines. By default it’s hidden, but on clicking the “See more” link in the phishing post, the mention becomes visible.<\/p>\n

\"Cybercriminal<\/a><\/p>\n

The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post<\/p>\n<\/div>\n

Threat actors post such messages from the hijacked account in bulk all at once, each of which mentions one of the target Facebook business accounts.<\/p>\n

\"Bulk<\/a><\/p>\n

Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization<\/p>\n<\/div>\n

As a result, Facebook diligently sends notifications to all accounts mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.<\/p>\n

How to protect business social media accounts from hijacking<\/h2>\n

We should note that phishing isn’t the only threat to business accounts. There exists an entire class of malware specially created for password theft<\/a>; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions \u2014 see our recent post about their use in hijacking Facebook business accounts<\/a>.<\/p>\n

Here’s what we recommend for protecting the social media accounts of your business:<\/p>\n