Fake or hijacked Facebook accounts used in scams to steal money are on the raise

Sweden recently experienced a large banking scam where over 1.2 million Swedish kronor (about $177,800) were stolen by infecting the computers of multiple victims. The attackers used a Trojan which was sent to the victims and, once installed, allowed the attackers to gain access to the infected computers. Luckily these guys were caught and sentenced to time in jail, but it took a while to investigate since over 10 people were involved in this scam.

It’s possible that these attacks are no longer as successful as the bad guys would like, because we are now seeing them use other methods to find and exploit new victims. For quite some time now we have seen how hijacked Facebook accounts have been used to lure the friends of whose account has been hijacked to do everything from click on malicious links to transfer money to the cybercriminals’ bank accounts.

Please note that this is not a new scam – it has been out there for quite some time. But what we are now seeing is the use of stolen/hijacked accounts, or fake accounts, becoming very common on Facebook. So common, in fact, that there are companies creating fake accounts and then selling access to them to other cybercriminals. As you might expect, the more friends these accounts have, the more expensive they are, because they can be used to reach more people.

The problem here is not just technical – it’s primarily a social problem. We use Facebook to expand our circle of friends. We can easily have several hundred friends on Facebook, while we in real life we may only have 50. This could be a problem because some of the security and privacy settings in Facebook only apply in your interactions with people who you are not friends with. Your friends, on the other hand, have full access to all the information about you.

We are now warning users of a new scam which is being exploited. The bad guys are using stolen or hijacked accounts to send personal messages to their victims. They pretend to have a problem. For example, they claim to be stuck at an airport and say they need a few hundred kronor for a new ticket home. Or they pretend that their online banking token is broken and they ask to borrow the victim’s token. This sounds pretty trivial, but we have noticed that many people are unaware that a banking token is private and cannot be used for another account.

The idea behind this fraud is pretty simple. It rests on the fact that a large amount of personal information is posted on Facebook. Cybercriminals can easily build up a lot of information about a person. And if they are using a stolen account they can also easily look at the nature of the relationships between one victim and another.

We want all Facebook users to be aware of this, and to think twice before disclosing any information regarding your banking details, or lending out money to people. Here are some easy pointers:

  • Make sure that the person you talk to is really the person you think they are. Maybe call them on their cellphone, or contact relatives to verify if they are actually abroad.
  • Never give out any banking details on the Internet.
  • Don’t add or accept friend requests from people you don’t know.
  • Make sure you have protection against malicious code installed on your computer.
  • Remember to change passwords frequently and use complex, hard-to-guess passwords – use a mixture of letters, numbers and symbols. Also, nd don’t use the same password on Facebook as on other sites: if the password is compromised on one site, it may be used to access your Facebook account.

Fake or hijacked Facebook accounts used in scams to steal money are on the raise

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox