Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Graham CLULEY

January 31, 2022

Facebook users are being warned of a phishing campaign that tries to break into accounts, disguised as a Facebook Messenger chat from a friend.

Finland's National Cyber Security Centre (NCSC-FI) has raised the alarm about an active campaign seen in the country, but presumably equally capable of working elsewhere in the world, where Facebook users are duped into handing over credentials that would allow a complete stranger to break into their account.

The attack works like this:

  • The intended target receives a message from a friend via Facebook Messenger. The friend asks for the target's phone number. Unbeknownst to the targeted user, it is not their real friend who is communicating with them via Messenger, but someone who has hijacked their friend's account.
  • The "friend" tells the target that they need their phone number to enter them into a lottery contest or prize draw, and that a verification code will be sent to the phone number's owner via SMS.
  • The "friend" asks for the code.
  • The phone number and authentication code are enough for the so-called "friend" to log into the targeted user's account, and change the password and associated email address.
  • Now able to pose convincingly as the targeted user, the "friend" attempts to scam friends of the targeted user - and so it continues...

In some cases, according to NCSC-FI, the scam has extended to request credit card or banking information with the pretence that it will help transfer a prize payment into the victim's account.

In a screenshot shared by NCSC-FI, messages from an attacker ask for a mobile number to enter a competition, and tell the target to expect a verification code to be sent via SMS. A minute later, the attacker says that the pair has won a prize of 8,100 Euros, and that the code is required to receive the funds.

So what's the advice?  I'm afraid you may not like it: you shouldn't trust Facebook messages from anyone, including people you know.  Because whenever you receive a message, you cannot be sure that it really was from the person who claims to have sent it - all you might know (and this isn't even always the case) is that it was their account that sent the message.

So, if someone says something to you that is out of character, or asks you to do something or to share personal information that they wouldn't normally request, then treat the communication with suspicion. Consider contacting the person you believe is messaging you via a different method, to seek reassurance that it really is who you think it is.

And if someone asks you to forward a security verification code you should always refuse.

Although these particular attacks have been reported as occurring in Finland, there is no technical reason why they couldn't be taking place in other parts of the world, and using different languages.

On occasion, users have fallen into a false sense of security when being scammed in their own language because they are so used to phishers and identity thieves concentrating on major languages such as English.
