Hackers Employing FB Infrastructure to Steal Your Account Passwords

Cybercriminals engaged in password theft are constantly developing new ways to deliver phishing emails.

They’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts.


We explore how the scheme works, what to look for, and what measures to take to protect business accounts on social networks. 

Anatomy of the Phishing Attack on Facebook Business Accounts

The phishing attack begins with a message from Facebook to the email address linked to the victim’s business account.

The email contains a menacing icon with an exclamation mark and a threatening text: “24 Hours Left To Request Review. See Why.”

An email with a fake warning about account problems, sent by Facebook itself

According to the report from Kaspersky, the email warns that the Facebook business account could be blocked.

Despite the odd wording, a page manager may, in haste or panic, fail to spot these irregularities and follow the link by clicking the button in the email, or manually open Facebook in a browser to check for notifications.


Phishing Notification on Facebook

Upon logging into Facebook, the victim finds a notification with the exact threatening words: “24 Hours Left To Request Review. See Why.”

The notification alleges that the account and page are to be blocked due to non-compliance with the terms of service and prompts the victim to follow a link to dispute the decision.

Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service

Following the link opens a website bearing the Meta logo rather than the Facebook logo, with a similar message but a reduced time frame of 12 hours to resolve the issue.

This tactic is used across other Meta platforms, including Instagram.

Phishing Form for Personal Data

The phishing page initially asks for relatively innocent data: page name, first and last names, phone number, and date of birth.

The next screen requests the email address or phone number linked to the Facebook account and the password, which is the data the attackers are after.

The second screen asks the victim to enter certain personal data

Threat actors use hijacked Facebook accounts to send the phishing notifications.

They change the hijacked account’s name to “24 Hours Left To Request Review. See Why” and its profile picture to an orange icon with an exclamation mark.

The message about the account block is posted from the hijacked account, mentioning the victim’s page after several empty lines.

Attackers change the name and profile picture of the hijacked Facebook account

Attackers post such messages in bulk, mentioning a target Facebook business account.

As a result, Facebook sends notifications to all mentioned accounts, both within the social network and to the linked email addresses.

Because delivery goes through Facebook’s own infrastructure, these notifications are guaranteed to reach their intended recipients and carry none of the usual signs of a spoofed sender.

Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization

How to Protect Business Social Media Accounts from Hijacking

Phishing isn’t the only threat to business accounts. Malware known as password stealers, as well as malicious browser extensions, can also be used for hijacking.

Here are some recommendations for protecting your business’s social media accounts:

  1. Use Two-Factor Authentication: Always enable two-factor authentication wherever possible.
  2. Monitor Suspicious Login Attempts: Pay close attention to notifications about suspicious login attempts.
  3. Use Strong and Unique Passwords: Ensure all passwords are strong and unique. Generate and store them using a password manager.
  4. Verify Page Addresses: Carefully check the addresses of pages asking for account credentials. If you suspect a site is fake, do not enter your password.
  5. Equip Work Devices with Protection: Install reliable protection on all work devices to warn of danger ahead of time and block malware and malicious browser extensions.

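The notification in this scheme is genuine, so the one thing a page manager can still verify is the address of the page that asks for credentials (recommendation 4). The following script is an added example, not code from the article or from Kaspersky, showing how that check can be automated before a link is opened: it rejects links that are not served over HTTPS, that place a trusted-looking name in the userinfo part of the URL, that use look-alike (non-ASCII or punycode) hostnames, or whose registrable domain is not on an allowlist. The allowlist, the helper names and the sample URLs are all assumptions constructed for the example.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed allowlist of registrable domains on which a Meta login prompt is
# expected. Adjust to your own policy; this set is an example, not Meta's list.
TRUSTED_DOMAINS = {"facebook.com", "meta.com", "instagram.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login.facebook.com' -> 'facebook.com'.

    Simplification for the example: multi-part public suffixes such as 'co.uk'
    are not handled; use a public-suffix library in production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_credential_link(url: str) -> tuple[bool, str]:
    """Decide whether a link that asks for a login points at a trusted domain.

    Returns (ok, reason). Every rejection names the property that failed so the
    result can be logged or shown to the user.
    """
    parts = urlsplit(url.strip())

    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    if parts.scheme != "https":
        return False, "credential page is served without TLS"

    host = parts.hostname  # userinfo and port already stripped, lowercased
    if not host:
        return False, "URL has no hostname"

    # 'https://facebook.com@other.example/' has hostname 'other.example';
    # anything before '@' is only userinfo and must not be trusted.
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo before the host"

    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII hostname (possible look-alike characters)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode label in hostname"

    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        return False, f"registrable domain {domain!r} is not on the allowlist"
    return True, f"host {host!r} belongs to trusted domain {domain!r}"


# Constructed sample links; the '.test' and '.example' names are reserved
# placeholders, not real sites.
SAMPLE_LINKS = [
    "https://www.facebook.com/business/help",
    "https://facebook.com.page-review.test/appeal",
    "http://www.facebook.com/",
    "https://facebook.com@other.example/review",
]


def triage(urls: list[str]) -> dict[str, bool]:
    """Run the check over a batch of links and map each URL to its verdict."""
    return {u: check_credential_link(u)[0] for u in urls}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_credential_link(link)
        print(f"{'OK     ' if ok else 'REJECT '} {link}  ({reason})")
```

The check is deliberately conservative: it refuses anything it cannot positively place on the allowlist, which is the right default for a page that is about to receive a password. The registrable-domain step is what catches the most common trick in this kind of campaign, a trusted name used as a subdomain of an unrelated site.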
By following these steps, businesses can better safeguard their social media accounts from phishing attacks and other cyber threats.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.