This morning I woke up to several WhatsApp messages from my friends and family seeking help with their Facebook accounts. As the unpaid tech expert in my clan, requests for tech help are not unusual at all. What was unusual was the sheer number of messages. The second unusual thing was that they were all about one specific app: Facebook.
They all had a similar story too. Their Facebook accounts seemed to have been hacked and someone was busy sending messages to all their contacts. The strange message sent to every contact was just one link that appeared to point to a YouTube video. The preview caption on the video had the words “It looks like you.” The preview image was dark with barely visible figures.
They also had another interesting bit to share. A few days prior, they also had received such a message from at least one of their contacts/friends. They had all clicked/tapped on this message as they were curious as to what the message was all about. Nothing special had happened after clicking the link and they had all but forgotten about it.
One of these people had an even sadder story to share. He hadn’t been on Facebook for the past few weeks after visiting friends in rural Zimbabwe during the Christmas holiday. Now he couldn’t log into his account. Not only that, none of his friends (including me) could find his Facebook profile. His account has either been deleted or deactivated, but not before it sent out the strange “it looks like you” message to his friends.
What the post-mortem shows
Just as I was doing a back and forth trying to get to the bottom of this mystery my wife walked in with her phone complaining about a hack. She had about 50 messages from friends and family telling her they couldn’t open the message she had sent to them. The thing is she hadn’t sent the message.
A quick investigation showed that someone was still logged into her account and had last been active 12 hours earlier, in the middle of the night while she was sleeping. The person appeared to be using an Amazon Fire 7 device, although that could be a lie; such details can easily be faked. We have never owned an Amazon product, so that was a red flag. This person (more likely a script) had been lurking for three weeks without attracting attention.
This is the modern-day version of the famous “I love you” worm. It simply relies on the trust you have in messages from your family and friends. The video that appears to be from YouTube is not even a video; it’s just an image with the YouTube branding Photoshopped in. The link points somewhere else. Unfortunately, I couldn’t follow it as Facebook had already nuked it. The message also seems to be one of several similar variants, and the link also evolves, presumably to stay ahead of Facebook’s systems.
I can only assume that once you tap on the live link in the Facebook app the malware steals your credentials. It’s not clear exactly how, but past versions of the scam also relied on a bit of social engineering: the user is presented with a login screen that resembles Facebook’s. If the user enters their credentials, the credentials are stolen and the screen disappears.
NB
Last week I also discovered a similar social engineering scam, but this one was trying to steal my email credentials. I was curious and wanted to feed it fake information, but these guys were clever. As soon as I entered fake credentials, the page used Ajax and some backend script to test them and presented me with an error telling me the credentials were incorrect. This bit of ingenuity allows the malware owners to collect only working accounts!
How to clean and protect your account
A quick Google search shows that this social engineering scam is quite popular and is not even new. The sad truth is that most Zimbabweans who are on Facebook are not known for their tech prowess. Those who use it as their primary or secondary network (after WhatsApp) tend to be older and less tech-savvy. They are certainly nothing like the Telegram, IG, SC or even Twitter crowds.
Cleaning and protecting your account is not hard:
- First, you need to change your password. Avoid using the same password for everything. I recommend using LastPass. To be fair, this would not have thwarted the attack because the scam literally asked people to enter their credentials. However, LastPass would have thrown up a warning, as the page used to steal the credentials was not owned by Facebook.
- Before you enter your credentials, always check the domain name in the address bar.
- Avoid clicking on links. I always prefer going to YouTube and searching for the video myself instead of clicking on links.
- Once you have changed your password:
  - Go to Settings
  - Select Security and Login
  - Select Where you’re logged in
  - Tap/click on See more
  - Log out of all devices that don’t belong to you. If you are not sure, log out of all devices.
- Turn on two-factor authentication. This would have fended off this feeble attack, as the attacker would not have been able to log in. With enough social engineering and determination this can also be defeated, but it makes logging into your account very hard.
  - Go to Settings
  - Select Security and Login
  - Scroll down until you get to the two-factor authentication settings
  - Click or tap on Edit two-factor authentication
  - You have two options here: use SMS messages, or use an authenticator app like Google Authenticator.
  - I recommend the SMS route, as the Google Authenticator route has issues that might make it unsuitable for people who are not technically gifted.
  - Enter your phone number and confirm the code that is sent to your phone.
  - From now on, every time you log in from a new device you have to enter an SMS code.
  - You can also go back to the Security and Login tab and generate backup codes for use in case you are somehow unable to enter a code. Write these down somewhere and keep them safe. I mean under lock and key here.
- Clean up your account by visiting https://facebook.com/hacked. The tool will walk you through a cleanup exercise, including removing posts, comments and friends that are not yours. Facebook is also used by some people to authenticate into other services, and hackers can leverage this to extend the damage. With this tool you can see such sites and apps and whether they have been recently accessed or altered.
- Message your friends telling them not to open the link you sent them earlier, as your account was hacked.
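The advice above to check the domain name before entering credentials is easy to get wrong on a phone, where the address bar is cramped and a link can carry “facebook.com” in its path, query string or user-info part while really pointing elsewhere. The following is an added example, not code from the original post, showing how a browser actually resolves the hostname of a link and why only that hostname matters; the sample links, the trusted-domain list and the function names are constructed for illustration.

```python
"""Added example: decide whether a link really goes to Facebook or YouTube
by looking only at the hostname a browser would connect to (as urllib
parses it), so 'facebook.com' in the path, the query string or the
'user@' part of a URL does not fool the check."""
from urllib.parse import urlsplit

# Constructed list of domains we treat as the real thing; subdomains such as
# m.facebook.com or www.youtube.com are accepted, look-alikes are not.
TRUSTED_DOMAINS = {"facebook.com", "fb.com", "youtube.com", "youtu.be"}


def hostname_of(url: str) -> str:
    """Return the lowercased hostname the browser would connect to, or ''.

    urlsplit().hostname already strips the 'user:pass@' prefix and the
    port, so 'https://facebook.com@evil.example/' yields 'evil.example'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed URL (e.g. bad IPv6 brackets)
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted_link(url: str) -> bool:
    """True only for https links whose host is a trusted domain or a
    subdomain of one; 'facebook.com.evil.example' is rejected because the
    trusted name must be the registrable suffix, not just a prefix."""
    try:
        scheme = urlsplit(url.strip()).scheme
    except ValueError:
        return False
    host = hostname_of(url)
    return scheme == "https" and any(
        host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample links of the kinds the post describes (not real IoCs).
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=example",
    "https://m.facebook.com/login",
    "http://facebook.com/login",                             # not https
    "https://facebook.com.example-login.net/video",          # look-alike
    "https://facebook.com@example-host.net/it-looks-like-you",  # user-info trick
    "https://s3.amazonaws.com/example-bucket/facebook/login.html",  # on S3
]


def triage(links):
    """Map each link to True (trusted) or False (do not enter credentials)."""
    return {link: is_trusted_link(link) for link in links}


if __name__ == "__main__":
    for link, ok in triage(SAMPLE_LINKS).items():
        print("OK     " if ok else "SUSPECT", link)
```

Only the first two sample links pass; the remaining four are the kinds of address that a glance at a mobile address bar tends to misread as genuine.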
Be vigilant
You should always familiarise yourself with basic security if you want to stop being an easy mark online. I am always shocked by how many Zimbos are illiterate when it comes to basic security. People use their middle names as passwords. These days they mix it up with a few numbers at the end or a punctuation mark. That’s not going to stop most scripts.
Be on the lookout for attacks and hacks like this. Do not trust links. Links are dangerous in general, and specially crafted links can be your undoing. Always ask what it is about when someone DMs you a link. Your real friends will usually be happy to shed light; automated scripts don’t bother to reply. They simply move on to the next mark, which is happily not you.
You can also do a quick Google search when confronted with something you don’t know. You remember Google right? Googling “is this you” would have solved a lot of these problems.
I know I am wasting my time here. My aunts, uncles, cousins and mother will still message me with their next crisis. It will be probably because they have done something dumb like this again. Such is my life.
5 comments
The link pointed to a phishing page that was hosted on AWS S3. The page had the new Facebook design.
Thanks for the update. It makes sense. Few people verify the URLobile
I believe as techzim you should have a link to a page of yours whereby people learn the ins and outs of cyber security in layman’s terms, soan phishing, ponzi schemes and all. With the recent mention from zbin you are the go-to website for everything tech.
The internet is not a safe place
If you don’t understand it, leave it alone.
Getting hacked or not, these people have all our details with them! Wondering what they wish to use them for!