The scam begins with a phishing email warning victims that their accounts risk being deleted. The email contains an “Appeal Now” button, which redirects victims to Messenger, where they take up their complaints with a chatbot. The entire campaign is very elaborate, and the “appeal” process is made to seem legitimate. However, there are certain obvious errors and indicators, especially in the phishing email, that ought to raise suspicion.
Attackers Impersonate Facebook Support Team
In a blog post, the researchers explained that Facebook Messenger is an attractive target for criminals due to its large user base. In this case, cybercriminals are using a Messenger chatbot to steal account credentials and other information from victims. The attack starts with a phishing email. This email is disguised as an alert from Facebook, informing a potential target that their account is scheduled for deletion for violating the company’s community standards. The user is told they can appeal the decision by clicking on a button in the email. The button redirects the user to a Messenger conversation with a chatbot. The target must log in to Messenger to access this webpage. Once they do so, they receive an automated message from the chatbot, which also contains an “appeal now” button at the end. The chatbot belongs to a profile that is impersonating Facebook’s support team. Their page and chat icon contains the Facebook logo to seem trustworthy. However, a closer inspection of the page reveals it has zero followers and posts.
Hackers Include Details to Add Legitimacy
When a target clicks on the “appeal now” button on Messenger, a webpage opens up in a new tab, asking for details such as users’ email address or mobile number, first and last name, and page name. Once the user submits these details, another window pops up, asking them to enter their account password. According to Trustwave researchers, all the information that the targets share goes to the attacker’s database. After submitting their password, the user is redirected to what seems like a two-factor authentication (2FA) page, along with a countdown timer. Users are required to enter a six-digit one-time password (OTP). The target can input any six-digit number to “authenticate” themselves, as the page does not actually carry out 2FA. The attackers included this layer to add a semblance of legitimacy to their attack. After entering the OTP, the victim is directed to the final landing page, which is an article on Facebook’s intellectual property and copyright guidelines.
Tips to Spot Phishing Attacks
While the attackers have taken great efforts to make the campaign appear legitimate, there are some fairly noticeable warning signs throughout the process. These signs are common in most phishing attacks, such as spelling errors and fake domain names. A closer inspection of the URLs and the Messenger chat also reveal many discrepancies. This is the second high-profile phishing attack on Messenger uncovered this month. Earlier this month, cybersecurity researchers at PIXM published their findings on a phishing campaign that managed to bypass Facebook’s defense mechanisms. Cybercriminals are increasingly using chatbots, like Discord’s Mee6 bot, to carry out their malicious schemes. If you found this story interesting, we recommend checking out our detailed article on phishing. It is a comprehensive guide that contains everything you need to know about phishing, as well as helpful tips on how to spot phishing attacks.
