A sneaky phishing campaign aims to steal passwords from Facebook users – including administrators of company Facebook Pages.
Detailed by cybersecurity researchers at Abnormal Security, the attack begins with a phishing email claiming to be from ‘The Facebook Team’, which warns that the user’s account “might be disabled and your page might be removed” due to repeatedly posting content that has been reported as infringing the rights of another user. The victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post there’s another link that directs users to a separate website in order to make their “appeal”.
As part of the fake appeals process, the user is asked to provide sensitive information, including their name and email address. Before submitting the form, the user is also asked to enter their Facebook password.
SEE: Multi-factor authentication: How to enable 2FA to step up your security
All this information is sent to the attacker, who can use it to log in to the victim’s Facebook page, collect information from their account and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too.
One of the reasons phishing attacks like this are successful is because they create a sense of urgency.
“This is often enough to convince recipients to provide their personal information, particularly if they are using their Facebook account for business purposes,” said Rachelle Chouinard, threat intelligence analyst at Abnormal Security.
What made this particular phishing campaign interesting to the security researchers was that it connected to a post on Facebook and that there was a link to a credential-phishing site within the post, which was disguised as a form to request an appeal.
However, while the phishing email and phishing domain might have looked legitimate at first glance, there were clues that would have suggested that something might be off.
For example, while the email contained Facebook branding and claimed to be from Facebook itself, the sender email address was not related to Facebook at all. In addition to this, attempting to reply to the sender email directs messages to an unrelated Gmail address.
The language of the email is designed to create fear in the victim, scaring them into losing their account. It’s unlikely an actual online service will send an email like this, but if you receive a message and do get worried, don’t click the link in the email. Instead, log in to the website directly. If something is wrong with your account, you’ll be able to find out there – without handing your password to cyber criminals.
SEE: These are the problems that cause headaches for bug bounty hunters
ZDNet contacted Facebook and the company pointed to advice to users on how to identify and report phishing attacks.
Facebook’s Help Centre says anyone who thinks that their account has been phished should report it, change their password, and – in the security settings – log out of any devices that they don’t recognise.
It’s also recommended that users turn on multi-factor authentication to increase account security against unauthorised logins.
ZDNet also contacted Google – the company said the Gmail account used as part of the campaign has now been removed.