While many phishing scams target Microsoft 365 credentials due to the usefulness of the accounts and the data they hold, social media credentials are also highly prized. If a phisher is able to steal Facebook credentials, they can gain access to valuable personal information and the accounts can be used for conducting further scams. Accounts can be put to use distributing malicious posts, conducting phishing attacks on the user’s contacts, and distributing malware. Further, since password reuse is incredibly common, a scammer could use the compromised credentials to try to access other platforms that use the same username and password combination. The password for a social media account can also be changed and the account holder issued with a ransom demand for the return of the account. Individuals who rely heavily on social media for income may pay that ransom.

One such campaign is currently being conducted using thousands of fake Facebook profiles with a view to stealing the Facebook credentials of legitimate account holders. The campaign has been active for at least two months and is ongoing. Researchers at Group-IB have been tracking the campaign and have so far identified more than 3,200 fake profiles that are being used for the campaign, which targets Facebook users in more than 20 languages.

The fake Facebook accounts impersonate Meta and use Facebook’s parent company’s logos in their profiles, in their posts, and on the phishing pages that users are directed to. More than 220 phishing sites associated with this campaign have been identified, and more are being added. When Meta/Facebook detects these fake profiles and sites, they are rapidly taken down, but the huge numbers of accounts and phishing sites used in this campaign ensure the scammers can keep the campaign running at scale.

Victims are tricked into clicking the link in a post or direct message that directs them to a Meta-branded webpage where they are prompted to log in using their Facebook credentials. If the credentials are disclosed, they are used to access the user’s account. Scammers also access accounts by stealing cookies in session hijacking attacks.

The primary goal is to hijack the Facebook accounts of prominent individuals such as celebrities, businesses, and sports teams, as these accounts have the greatest value and can be used to reach large numbers of individuals. One tactic observed by the researchers involves renaming a compromised account so that it appears to be an official Meta account, using words such as account, recovery, retrieval, and similar terms. The account is then used for posts that will appear in the news feeds of platform users who follow the compromised account. The bigger the brand name or popularity of the celebrity, the greater the reach. The posts are often signed as Meta Business Service or a similar name to make it appear that the account is owned by Meta.

Facebook users can reduce the risk of falling victim to these attacks by ensuring that 2-factor authentication is enabled for accounts. If they fall for a phishing scam, this provides an extra level of protection to prevent their credentials from being used to access their accounts. This is especially important for businesses to protect their corporate accounts, as they are the accounts that are being sought by the scammers.

Social media networks can be a huge productivity drain for businesses and can expose businesses to risks, such as malware infections and phishing. Despite the risk of password reuse, many individuals use the same passwords for their work and personal accounts, so if they fall for a scam their password could also provide access to their work accounts. Many businesses place restrictions on social media use by employees by using a web filter to block access to the sites on work computers. With WebTitan, this can be done with a click of a mouse. WebTitan also allows social media use to be controlled, by placing time-based restrictions on the sites, such as blocking access during working hours or busy times. WebTitan also allows partial blocking, such as allowing access to Facebook but blocking access to Messenger.

If you would like to restrict employee access to the Internet with precision, are interested in finding out more about improving your defenses against Internet threats, or would like to improve the security awareness of your workforce through training, give the TitanHQ team a call.