Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Graham CLULEY

January 31, 2022

Facebook users are being warned of a phishing campaign that tries to break into accounts, disguised as a Facebook Messenger chat from a friend.

Finland's National Cyber Security Centre (NCSC-FI) has raised the alarm about an active campaign seen in the country, but presumably equally capable of working elsewhere in the world, where Facebook users are duped into handing over credentials that would allow a complete stranger to break into their account.

The attack works like this:

  • The intended target receives a message from a friend via Facebook Messenger. The friend asks for the target's phone number. Unbeknownst to the targeted user, it is not their real friend who is communicating with them via Messenger, but someone who has hijacked their friend's account.
  • The "friend" tells the target that they need their phone number to enter them into a lottery contest or prize draw, and that a verification code will be sent to the phone number's owner via SMS.
  • The "friend" asks for the code.
  • The phone number and authentication code are enough for the so-called "friend" to log into the targeted user's account, and change the password and associated email address.
  • Now able to pose convincingly as the targeted user, the "friend" attempts to scam friends of the targeted user - and so it continues...

In some cases, according to NCSC-FI, the scam has extended to request credit card or banking information with the pretence that it will help transfer a prize payment into the victim's account.

In a screenshot shared by NCSC-FI, messages are shown coming from an attacker which ask for a mobile number to enter a competition, and to expect a verification code to be sent via SMS.  A minute later, the attacker says that an 8,100 Euros prize has been won by the pair, and that the code is required to receive the funds.

So what's the advice?  I'm afraid you may not like it: you shouldn't trust Facebook messages from anyone, including people you know.  Because whenever you receive a message, you cannot be sure that it really was from the person who claims to have sent it - all you might know (and this isn't even always the case) is that it was their account that sent the message.

So, if someone says something to you that is out of character, or asks you to do something or for personal information that they wouldn't normally request, then treat the communication with suspicion. Maybe contact the person you believe is messaging you via a different method to confirm that it really is them.

And if someone asks you to forward a security verification code you should always refuse.

Although these particular attacks have been reported as occurring in Finland, there is no technical reason why they couldn't be taking place in other parts of the world, and using different languages.

On occasion, users have fallen into a false sense of security when being scammed in their own language because they are so used to phishers and identity thieves concentrating on major languages such as English.
