Fake Meta Tech Support Profiles for Fraud

Stu Sjouwerman | Apr 26, 2023

Researchers at Group-IB have found an extensive campaign in which criminal operators have created a large number of fake Facebook profiles that repost messages in which the scammers misrepresent themselves as tech support personnel from Meta (Facebook’s corporate parent). Researchers discovered some 3200 bogus profiles in twenty-three languages. The great majority of the profiles, more than 90%, were created in English, followed by Mongolian (2.5%), Arabic (2.3%), Italian (0.8%), and Khmer (0.6%).

The criminal campaign is a complex one. “The goal of the cybercriminals behind this campaign is to compromise and take over the Facebook accounts of public figures, celebrities, businesses, sports teams, as well as individual profiles. To achieve this goal, the threat actors created more than 220 phishing websites and attached links to these sites in the posts they published on Facebook, with these posts tagging up to 50 other prominent accounts to increase reach. On the majority of these websites, the cybercriminals employed traditional phishing techniques, whereby a victim is tricked into voluntarily entering their login credential and password. In some cases, they also used more sophisticated techniques to acquire users’ cookie data, setting up a session hijacking attack.”

The campaign appears to have been quietly active since 2020. The phish hook inside the tech support lure was a malicious website. “The posts published by the threat actors contain a link to a phishing website that is used to trick the user into entering their Facebook login credential and password or, in some cases, session cookies. Group-IB researchers discovered more than 220 active phishing websites still live at the time of writing.” When a victim clicks over to one of those websites, they’re presented with a page that threatens to disable the user’s account for copyright violations. Should the marks wish to appeal the coming suspension, they’re directed to one of two fraudulent pages. The first variety invites them to enter their username and password, which obviously leads to credential theft. The second sort of page “instructs the victims to share their c_user and xs cookie data with the scammers in order to appeal against the fake copyright violation and retrieve their account,” which can render them vulnerable to session hijacking.

There are some steps users can take, notably implementing two-factor authentication, that can reduce this risk, but as always an informed and wary user is the strongest line of defense. New-school security awareness training can help educate your people about threats of this kind.
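For defenders, the second lure described above (victims pasting their `c_user` and `xs` cookies into an "appeal" form) leaves a recognisable trace in outbound web traffic. The following is an added example, not part of the original post or of Group-IB's research: a small check over proxy or DLP records that flags those cookie names being submitted to a host outside Facebook. The record layout, the allow-list, the minimum value length and all sample data are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Cookie names come from the article; everything else here is an assumption.
SESSION_COOKIES = ("c_user", "xs")
# Assumed allow-list of hosts that legitimately receive these cookies; extend as needed.
LEGIT_SUFFIXES = ("facebook.com",)

# Cookie name, optional quote, '=' or ':' separator, then a value of 6+ characters.
PAIR = re.compile(r'\b(c_user|xs)\b["\']?\s*[=:]\s*["\']?([^\s;&"\',}]{6,})')

def is_legit_host(host):
    """True only for the allow-listed domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def cookies_in_body(body):
    """Return the set of session-cookie names that appear together with a value."""
    text = unquote_plus(body)  # form fields arrive URL-encoded
    return {m.group(1) for m in PAIR.finditer(text)}

def find_disclosures(records):
    """records: iterable of (user, dest_host, request_body) from a proxy/DLP feed."""
    alerts = []
    for user, host, body in records:
        if is_legit_host(host):
            continue
        found = cookies_in_body(body)
        if found:
            # Both cookies together is the pattern the lure asks for.
            severity = "high" if found == set(SESSION_COOKIES) else "medium"
            alerts.append((user, host, sorted(found), severity))
    return alerts

# Constructed sample records: hosts under .example and all values are made up.
SAMPLE = [
    ("alice", "www.facebook.com", "c_user=100000000000001&xs=AAAAAAAAAAAA"),
    ("bob", "appeal-form.example",
     "name=Bob&details=c_user%3D100000000000002%3B+xs%3DBBBBBBBBBBBB"),
    ("carol", "support-case.example", '{"cookie":"c_user: 100000000000003"}'),
    ("dave", "news.example", "q=what+is+the+xs+cookie"),
    ("erin", "facebook.com.appeal.example", "xs=CCCCCCCCCCCC&c_user=100000000000004"),
]

if __name__ == "__main__":
    for alert in find_disclosures(SAMPLE):
        print(alert)
```

The look-alike host `facebook.com.appeal.example` is flagged because the allow-list matches on the registered domain suffix rather than on a substring, while a search query that merely mentions the cookie name is ignored.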

 

Topics: Phishing
