We’ve seen multiple hijacked profiles on Facebook recently claiming to be account recovery services. These bogus account recovery services aren't here to help. They're actually just trying to scare users into falling for phishing attempts.
The people behind these scams target Facebook pages belonging to musicians, products, and businesses of all kinds. In what may be a peculiar coincidence, quite a few of the accounts we looked at belonged to spa/beauty treatment small businesses.
Once the page has been taken over, the hijacker changes the name, profile picture, and more to look like it's a support page.
Here’s a typical list of some of these compromised accounts:
As you can see, there's no real rhyme or reason to the hijacks. Just a big list of random pages ready to get up to mischief.
With great power comes great transparency
The dates of the pages being altered can be seen via Facebook’s “Page transparency” popup. The majority of those we've observed appear to have been hijacked in the last month or so. If you're not familiar with this popup, it's all about providing a fuller pictureof what a page is all about.
When was it created? How many times has the name changed? Has it merged with another page? Which country does it operate out of? This is what the transparency box looks like:
How do scammers go phishing?
Businesses on Facebook have a dedicated page for their organisation, containing information, updates, and posts about the latest happenings. These pages are operated by one or more Admins, using their personal accounts. Should any of those users suffer an account compromise, the business page may become vulnerable as a result. The compromiser is able to set about changing the business page to suit their needs.
Let's assume an account responsible for a page has just been compromised. The people behind this have made significant alterations to the page description and layout. Instead of a portal advertising the latest gardening tools or hair fashion, it's now claiming to help you recover lost Facebook pages.
Potential victims are linked to a notification on the compromised account’s page via messaging. These pages are also easy to stumble upon while searching for content in Facebook itself - this is how a relative first brought it to my attention. A rather dire warning lies in wait for anyone viewing it:
Your account will be deactivated. This is because someone has reported you with non-compliance with the terms of service. If you are the original owner of this account, re-verify your account to avoid blocking. Click here [URL removed]
If you do not confirm within 12 hours, our system will automatically block your account and you will not be able to use it.
Security Support Specialist
Well, that’s alarming. Thanks, Bruce, if it isyour real name (it is not). Here''s another example of a compromised page:
Note the attempt at some form of keyword/search spam at the bottom, in an effort to be as visible to users as possible.
Landing on the phish
No matter which compromised warning page you land on, they all want you to visit a phishing page. These differ from account to account, but the landing pages are all pretty much the same. Here’s one example:
Note that the page here isn’t even HTTPs.
We can’t say for sure what they’re doing with the stolen accounts, but once they have them, spam and malicious messaging would be the best bet. They'll likely be used to compromise more accounts down the line. If any stolen accounts have access to business pages, no doubt they'll create more fake recovery pages too. Whatever they're up to, it won't be anything good.
While drafting this blog, we became aware of research already published by Abnormal Security. The research covers similar tactics: hijacking business pages to phish. The fraudulent activity covered there includes fake emails, and a longer time limit (48 hours to respond, instead of just 12), and its well worth reading.
Keeping your Facebook account safe
- Enable two-factor authentication on your account.
- Consider using a password manager. It will help you use a different and difficult password for every online account you have. Better still, if the password manager has the ability to match the page you're on with the one you're trying to log into, it won't work if the site is a phish.
- Set up login alertsso you get notified if anyone tries to login to your account from a new device.
- Don't believe random warnings of account loss. You can always reach out to contact Facebook support directly if you're unsure.
- If you need to report that your own account has been compromised, you can send Facebook a message directly about your problem.Facebook also provides a variety of information related to specific situations here.
Pressuring people into handing over logins "or else" is a pressure tactic that's been around forever. Making them "confirm" in 12 hours or less is one of the tighter time limits we've seen. Don't panic, contact support, and go about your day. Those dire warnings of account loss and removal are almost certainly going to be a lot of phishy nonsense.