{"id":23870,"date":"2024-02-07T04:10:39","date_gmt":"2024-02-07T12:10:39","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/02\/07\/news-17600\/"},"modified":"2024-02-07T04:10:39","modified_gmt":"2024-02-07T12:10:39","slug":"news-17600","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/02\/07\/news-17600\/","title":{"rendered":"Facebook fatal accident scam still rages on"},"content":{"rendered":"\n<p>Recently I <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/01\/ill-miss-him-so-much-facebook-scam-uses-bbc-branding-to-lure-victims\">wrote<\/a> about a malvertising campaign on Facebook that has been going on for almost a year. Apparently Facebook is struggling to stop this campaign, so now this type of campaign is showing up in other languages than English.<\/p>\n<p>I have seen two different types in German. <\/p>\n<h2 class=\"wp-block-heading\" id=\"h-first-facebook-scam\">First Facebook scam<\/h2>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"758\" height=\"660\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image1_fatal_accident_fundraiser.png\" alt=\"T\u00f6dlicher Verkehrsunfall - fatal traffic accident\" class=\"wp-image-103767\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>Translation: Deadly accident on highway causes several fatalities<\/em><\/p>\n<p>Notable about this one is that it was posted as a fundraiser and so does not allow comments, which blocks me from posting a warning that this is a scam.<\/p>\n<p>I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. 
Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.<\/p>\n<p>In the past we&#8217;ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"626\" height=\"210\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/wireshark_googleapis.png\" alt=\"Wireshark analysis courtesy of J\u00e9r\u00f4me Segura\" class=\"wp-image-103768\" \/><\/figure>\n<p>The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. Although googleapis.com is a legitimate service provided by Google, it\u2019s being abused by all sorts of cybercriminals for phishing, tech support scams, and in this case fingerprinting. The script on that site looks at your IP address, your type of machine and whether you are using a VPN. 
Based on the analysis of that information, you are forwarded to the type of scam that is likely to be the most profitable.<\/p>\n<p>An example of a redirect URL shows some of the elements that were fingerprinted.<\/p>\n<p><code>https:\/\/byxzz.altairaquilae[.]top\/?pl=Yyo1IAH5aE2Q4g9YuOImuw&amp;click_id=da5d3q51mm737150e7&amp;sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows<\/code><\/p>\n<p>Malwarebytes has already blocked the windyplentiful.com domain for <a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/malvertising\">Malvertising<\/a>.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"540\" height=\"353\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/windyplentifulcomblock.png\" alt=\"Malwarebytes Premium blocks the domain windyplentiful.com\" class=\"wp-image-103769\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>Malwarebytes Premium blocks the domain windyplentiful.com<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"h-second-facebook-scam\">Second Facebook scam<\/h2>\n<p>The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this is highly unlikely to have happened on the German autobahn. 
<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"757\" height=\"599\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/image2_fatal_accident_not_German.png\" alt=\"Accident leaves several victims including a child\" class=\"wp-image-103770\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>Translation: Accident causes several victims including a child<\/em><\/p>\n<p>Not only is the picture clearly not German, the grammar used in the sentence is another sign as it&#8217;s a bad translation.<\/p>\n<p>Unfortunately when I set my <a href=\"https:\/\/www.malwarebytes.com\/vpn\">VPN<\/a> to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"360\" height=\"628\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/VPN_Germany.png\" alt=\"VPN set to D\u00fcsseldorf in Germany\" class=\"wp-image-103771\" \/><\/figure>\n<p>Switching back to the Netherlands I got to \u201cenjoy\u201d sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2019\/01\/browser-push-notifications-feature-asking-abused\">browser push notifications<\/a>.<\/p>\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1600\" height=\"1200\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/web_push_notifications.png?w=1024\" alt=\"Site asking to allow notifications while tempting visitors with an adult video\" class=\"wp-image-103772\" \/><\/figure>\n<p>These browser push 
notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.<\/p>\n<p>Several attempts on both images led to different domains as well. Other blocks we encountered during our research:<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"478\" height=\"305\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/188114960block.png\" alt=\"Malwarebytes Premium blocks 188.114.96.0\" class=\"wp-image-103773\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>Malwarebytes Premium blocks 188.114.96.0<\/em><\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"539\" height=\"333\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/oyglkaltairaquilaetopblock.png\" alt=\"Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top\" class=\"wp-image-103774\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top<\/em><\/p>\n<h2 class=\"wp-block-heading\">How to recover from a Facebook scam<\/h2>\n<p>You can recognize this type of scam because the posts usually tag several friends of the victim. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net\/attachments and although the pages contain a link to Vimeo, the videos there have already been removed or were never even there.<\/p>\n<p>If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. 
Simply changing the password is not always enough.<\/p>\n<ol>\n<li>Check for unknown and unused Facebook apps.\n<ul>\n<li>Click your profile picture.<\/li>\n<li>Select <strong>Settings &amp; Privacy<\/strong>, then click <strong>Settings<\/strong>.<\/li>\n<li>Click <strong>Apps and Websites<\/strong>. Go to the app or game you want to remove, then next to the name of the app or game, click <strong>Remove<\/strong>.<\/li>\n<li>Click <strong>Remove<\/strong> again to confirm.<\/li>\n<\/ul>\n<\/li>\n<li>Enable two-factor authentication (2FA).\n<ul>\n<li>Go to your <strong>Security and Login Settings<\/strong>.<\/li>\n<li>Scroll down to <strong>Use two-factor authentication<\/strong> and click <strong>Edit<\/strong>.<\/li>\n<li>Choose the security method you want to add and follow the on-screen instructions.<\/li>\n<\/ul>\n<\/li>\n<li>Change your password on Facebook if you&#8217;re already logged in:\n<ul>\n<li>Click your profile picture.<\/li>\n<li>Select <strong>Settings &amp; Privacy<\/strong>, then click <strong>Settings<\/strong> (or <strong>Accounts Center<\/strong> if you&#8217;re on your phone).<\/li>\n<li>Click <strong>Security and Login<\/strong> (or <strong>Password and Security<\/strong> if you&#8217;re on your phone).<\/li>\n<li>Click <strong>Edit<\/strong> next to <strong>Change password<\/strong> (or just <strong>Change password<\/strong> if you&#8217;re on your phone).<\/li>\n<li>Enter your current password and new password.<\/li>\n<li>Click <strong>Save Changes<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>If you&#8217;re logged in but have forgotten your password or it has been changed to something you don\u2019t know, follow the steps above to change your password, then click\u00a0<strong>Forgot your password?<\/strong>\u00a0and follow the steps to reset it. 
Keep in mind that you&#8217;ll need access to the email associated with your account.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/02\/facebook-fatal-accident-scam-still-rages-on\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[2359,3589,1195,32,26699],"class_list":["post-23870","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-accident","tag-facebook","tag-germany","tag-news","tag-personal"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?po
st=23870"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23870\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}