“Look what I found here” phish targets Facebook users

Facebook-themed messages are a frequent source of bogus links from both spam and compromised accounts. Whether you receive the messages via SMS, the Messenger app, or just inside regular web chat, it pays to be careful. A wide variety of attacks use bogus messages as their launchpad, and the risk of account compromise is ever-present. Phishing is not the only threat. Scammers will also happily send “check this out” messages and direct you to malware. This is why it’s crucial to be careful around links…any link. You just never know.

One such phishing message is currently doing the rounds in Dutch, and it plugs into a sense of FOMO to encourage you to click the link. It was first observed back in March, and appears to be making a comeback.

How does this phish attack work?

This is the message currently in circulation, being distributed through a compromised account:

Kijk eens wat ik hier heb gevonden?? [url]

The message says “Look what I found here”.

This is a very common tactic: the message gives nothing away and all but baits you into clicking. There are a few other messages along these lines being sent to people in Facebook Messenger at the moment. One style asks something like “Have you seen who died/Guess who died”. The answer, of course, is that nobody has died. However, the aim of the game is to have you panic and hit the link without thinking.

It’s a similar technique in play here, although nowhere remotely as panic-inducing.

All the same, the link redirects to a fake Facebook page on what looks like a compromised photography website.

The site says “Facebook needs to verify that it’s you, log in to continue” and asks for mobile number/email and password.

Hitting the login button submits the data and redirects you through several different domains. In testing, we kept hitting a Google 404 error but you may well end up somewhere else depending on region, type of browser, device, and so on.

If you’ve entered your login after clicking through from a random message in this fashion, stop what you’re doing. Go to Facebook and change your password as soon as you possibly can.

The power of “friendly” messaging

The big problem with rogue messages via IM is the aspect of sender trust. If a link is sent to you from a total stranger on a public platform like Twitter, you’ll probably be sceptical and treat it with the caution it deserves. An SMS from a number you don’t recognise? They have some success depending on scam type, but you’d probably expect a banking phish or a fake parcel delivery message through that route.

But if you get a message from someone within your closed network of friends and family, where you may interact dozens or even hundreds of times a day, then it’s likely you’ll be clicking those links with a lot more confidence.

Sadly, accounts belonging to those you trust can be hijacked like any others. If your dad’s Facebook account was compromised yesterday and you woke to a link and a message which reads “Look what I found here”, what would you do?

Phishers know that if they can crack an account, it’ll almost certainly be allowed to send messages to people in its immediate circle, because their security settings will permit it. After all, you don’t add your closest relatives on Facebook and then prevent them from sending you messages.

Tips to avoid falling for rogue messages

  • Watch out for messages which don’t logically follow on from the natural flow of a conversation, or a few hours after you stopped talking. “This you”, “Have you seen this photo”, “Did you hear who died”, “OMG I can’t believe it” all tied to a URL should raise some red flags.
  • If you’re presented with a “Login to view content” box, question why that is. If you’re on the Facebook website talking to someone and already logged in, there should be no reason why you’d be asked to log in again. Check the URL. Does it say Or is it a totally unrelated domain?
  • If you have an alternative method of communication with the person who sent you the message, try it. Ask them if they sent you a message on Facebook, and wait for their response before doing anything.
  • Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t a silver bullet though, as more and more phishers are also taking 2FA codes with them when they phish your details.
  • Add login alerts to your Facebook account. If someone does manage to get hold of your login credentials and access your account, Facebook will notify you as soon as this happens so you can take your account back as quickly as possible.
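The first two tips above (a lure phrase paired with a link, and a login box on a domain that is not Facebook’s) can be turned into a simple defender-side check. The following is an added example written for this post, not code from the article or from Facebook; the lure phrases are the ones quoted in the post, and the trusted-domain list, the `assess_message` and `host_is_trusted` helpers, and the sample message hosts (`photos.example`, `evil.example`) are assumptions constructed for illustration. It goes a little beyond the text by showing why a naive “does the URL contain facebook.com” check is not enough: lookalike subdomains and `facebook.com@evil.example`-style userinfo tricks both pass that test.

```python
import re
from urllib.parse import urlparse

# Lure phrases quoted in the post, lower-cased for loose matching (constructed list).
LURE_PHRASES = [
    "kijk eens wat ik hier heb gevonden",
    "look what i found here",
    "this you",
    "have you seen this photo",
    "did you hear who died",
    "guess who died",
    "omg i can't believe it",
]

# Hosts we accept as genuine Facebook/Messenger domains. Assumption for this example;
# extend to match your own environment.
TRUSTED_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}

# Only scheme-prefixed links are extracted; bare "example.com/x" text is ignored here.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_trusted(url: str) -> bool:
    """True only if the URL's host is a trusted domain or a real subdomain of one.

    urlparse().hostname strips userinfo and port, so
    'https://facebook.com@evil.example/' resolves to evil.example, and a
    suffix check with a leading dot rejects 'www.facebook.com.evil.example'.
    """
    try:
        host = urlparse(url).hostname
    except ValueError:  # malformed IPv6 literal and similar
        return False
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def extract_urls(text: str) -> list:
    """Return every http(s) link found in a chat message."""
    return URL_RE.findall(text)


def assess_message(text: str) -> dict:
    """Score a chat message.

    lure            -> a known lure phrase is present
    untrusted_links -> links whose host is not a trusted Facebook domain
    suspicious      -> lure phrase AND at least one untrusted link (both tips at once)
    """
    lowered = text.lower()
    lure = any(phrase in lowered for phrase in LURE_PHRASES)
    urls = extract_urls(text)
    untrusted = [u for u in urls if not host_is_trusted(u)]
    return {
        "lure": lure,
        "urls": urls,
        "untrusted_links": untrusted,
        "suspicious": lure and bool(untrusted),
    }


if __name__ == "__main__":
    # Constructed sample messages; the hosts are placeholders, not real sites.
    samples = [
        "Kijk eens wat ik hier heb gevonden?? https://photos.example/fb/login",
        "Have you seen this photo https://www.facebook.com/photo/123",
        "this you https://www.facebook.com.evil.example/verify",
        "lunch tomorrow?",
    ]
    for msg in samples:
        print(assess_message(msg))
```

A message that trips the check is a prompt to use the third tip: contact the sender through a different channel before clicking anything.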

Once your friend or family member regains access to their account, you can point them to these tips for keeping their own account locked down too. That way, you’ll both be that little bit safer next time account-harvesting phishers are on the prowl.

Stay safe out there!

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.