Facebook 2FA scammers return – this time in just 21 minutes

Last time they arrived 28 minutes after lighting up their fake domain... this time it was just 21 minutes

Have you ever come really close to clicking a phishing link simply through coincidence?

We’ve had a few surprises, such as when we bought a mobile phone from a click-and-collect store a couple of years back.

Having lived outside the UK for many years before that, this was our first-ever purchase from this particular business for well over a decade…

…yet the very next morning we received an SMS message claiming to be from this very store, advising us we’d overpaid and that a refund was waiting.

Not only was this our first interaction with Brand X for ages, it was also the first-ever SMS (genuine or otherwise) we’d ever received that mentioned Brand X.

What’s the chance of THAT happening?

(Since then, we’ve made a few more purchases from X, ironically including another mobile phone following the discovery that phones don’t always do well in bicycle prangs, and we’ve had several more SMS scam messages targeting X, but they’ve never lined up quite so believably.)

Let’s do the arithmetic

Annoyingly, the chances of scam-meets-real-life coincidences are surprisingly good, if you do the arithmetic.

After all, the chance of guessing the winning numbers in the UK lottery (6 numbered balls out of 59) is an almost infinitesimally tiny 1-in-45-million, computed via the formula known as 59C6 or 59 choose 6, which is 59!/(6!(59-6)!), which comes out as (59x58x57x56x55x54)/(6x5x4x3x2x1) = 45,057,474.

That’s why you’ve never won the jackpot…

…even though quite a few people have, over the many years it’s been going.

In the same way, phishing crooks don’t need to target or trick you, but merely to trick someone, and one day, maybe, just maybe, that someone might be you.

We had a weird reminder of this just last night, when we were sitting on the sofa, idly reading an article in tech publication The Register about 2FA scamming.

The first surprise was that at the very moment we thought, “Hey, we wrote up something like this about two weeks ago,” we reached the paragraph in the El Reg story that not only said just that, but linked directly to our own article!

What’s the chance of THAT happening?

Of course, any writer who says they’re not bothered whether other people notice their work or not is almost certainly not to be trusted, and we’re ready to admit (ahem) that we took a screenshot of the relevant paragraph and emailed it to ourselves (“purely for PR documentation purposes” was the explanation we decided on).

Now it gets weirder

Here’s where the coincidence of coincidences gets weirder.

After sending the email from our phone to our laptop, we moved less than two metres to our left, and sat down in front of said laptop to save the attached image, only to find that during the couple of seconds we were standing up…

…the VERY SAME CROOKS AS BEFORE had emailed us yet another Facebook Pages 2FA scam, containing almost identical text to the previous one:

What’s the chance of THAT happening, combined with the chance of the previous coincidence that just happened while we were reading the article?

Sadly, given the ease with which cybercriminals can register new domain names, set up new servers, and blast out millions of emails around the globe…

…the chance is high enough that it would be more surprising if this sort of coincidence NEVER happened.

Small changes to the scam

Interestingly, these crooks had made modest changes to their scam.

Like last time, they created an HTML email with a clickable link that itself looked like a URL, even though the actual URL it linked to was not the one that appeared in the text.

This time, however, the link you saw if you hovered over the blue text in the email (the actual URL target rather than the apparent one) really was a link to a URL hosted on the facebook.com domain.

Instead of linking directly from their email to their scam site, with its fake password and 2FA prompts, the criminals linked to a Facebook Page of their own, thus giving them a facebook.com link to use in the email itself:

This one-extra-click-away trick gives the criminals three small advantages:

  • The final dodgy link isn’t directly visible to email filtering software, and doesn’t pop up if you hover over the link in your email client.
  • The scam link draws apparent legitimacy from appearing on Facebook itself.
  • Clicking the scam link somehow feels less dangerous because you’re visiting it from your browser rather than going there directly from an email, which we’ve all been taught to be cautious about.
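To see what the hover check described above actually buys you, here is an added example (not code from the original article): it pulls every link out of an HTML email, compares the host that the link text displays with the host the href really goes to, and separately flags links whose real host is a user-content platform such as facebook.com, where the domain is genuine but the page behind it is somebody’s unvetted content. The email body and the platform list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains whose pages are written by arbitrary users, so the host alone vouches
# for nothing (constructed subset for this example, after the article's list).
USER_CONTENT_PLATFORMS = {"facebook.com", "outlook.com", "play.google.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lower-cased hostname of a URL or bare domain ('' if there is none).
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def audit_links(html):
    """Return (shown text, real host, verdict) for every link in the email."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Only link text that itself looks like a URL makes a claim about the host.
        shown = host_of(text) if "." in text and " " not in text else ""
        real = host_of(href)
        if shown and shown != real:
            verdict = "MISMATCH"         # text names one host, href goes to another
        elif any(real == d or real.endswith("." + d) for d in USER_CONTENT_PLATFORMS):
            verdict = "PLATFORM-HOSTED"  # genuine domain, but unvetted user content
        else:
            verdict = "ok"
        findings.append((text, real, verdict))
    return findings

# Constructed sample modelled on the two emails described above (not real mail).
SAMPLE_EMAIL = """<p>Your Page violates our terms. Appeal within 24 hours:</p>
<a href="https://fb-appeal-center.example/login">https://www.facebook.com/help/appeal</a>
<a href="https://www.facebook.com/FakeAppealsPage/">https://www.facebook.com/help/appeal</a>"""
```

The first sample link is last time’s trick (text and href disagree); the second is this time’s (text and href agree, but the host is a platform that hosts anyone’s content).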

We didn’t miss the irony, as we hope you won’t either, of a totally bogus Facebook Page being set up specifically to denounce us for the allegedly poor quality of our own Facebook Page!

From this point on, the scam follows exactly the same workflow as the one we wrote up last time:

https://nakedsecurity.sophos.com/2022/07/01/facebook-2fa-phish-arrives-just-28-minutes-after-scam-domain-created/

Firstly, you’re asked for your name and other reasonable-sounding amounts of personal information.

Secondly, you need to confirm your appeal by entering your Facebook password.

Finally, as you might expect when using your password, you’re asked to put in the one-time 2FA code that your mobile phone app just generated, or that arrived via SMS.

Of course, as soon as you provide each data item in the process, the crooks are using the phished information to log in in real time as if they were you, so they end up with access to your account instead of you.

Last time, just 28 minutes elapsed between the crooks creating the fake domain they used in the scam (the link they put in the email itself) and the scam email arriving, which we thought was pretty quick.

This time, it was just 21 minutes, though, as we’ve mentioned, the fake domain wasn’t used directly in the bogus email we received, but was placed instead on an online web page hosted, ironically enough, as a Page on facebook.com itself.

We reported the bogus Page to Facebook as soon as we found it; the good news is that it’s now been knocked offline, thus breaking the connection between the scam email and the fake Facebook domain:

What to do?

Don’t fall for scams like this.

  • Don’t use links in emails to reach official “appeal” pages on social media sites. Learn where to go yourself, and keep a local record (on paper or in your bookmarks), so that you never need to use email web links, whether they’re genuine or not.
  • Check email URLs carefully. A link with text that itself looks like a URL isn’t necessarily the URL that the link directs you to. To find the true destination link, hover over the link with your mouse (or touch-and-hold the link on your mobile phone).
  • Don’t assume that all internet addresses with a well-known domain are somehow safe. Domains such as facebook.com, outlook.com or play.google.com are legitimate services, but not everyone who uses those services can be trusted. Individual email accounts on a webmail server, pages on a social media platform, or apps in an online software store all end up hosted by platforms with trusted domain names. But the content provided by individual users is neither created by nor particularly strongly vetted by that platform (no matter how much automated verification the platform claims to do).
  • Check website domain names carefully. Every character matters, and the business part of any server name is at the end (the right-hand side in European languages that go from left-to-right), not at the beginning. If I own the domain dodgy.example then I can put any brand name I like at the start, such as visa.dodgy.example or whitehouse.gov.dodgy.example. Those are simply subdomains of my fraudulent domain, and just as untrustworthy as any other part of dodgy.example.
  • If the domain name isn’t clearly visible on your mobile phone, consider waiting until you can use a regular desktop browser, which typically has a lot more screen space to reveal the true location of a URL.
  • Consider a password manager. Password managers associate usernames and login passwords with specific services and URLs. If you end up on an imposter site, no matter how convincing it looks, your password manager won’t be fooled because it recognises the site by its URL, not by its appearance.
  • Don’t be in a hurry to put in your 2FA code. Use the disruption in your workflow (e.g. the fact that you need to unlock your phone to access the code generator app) as a reason to check that URL a second time, just to be sure, to be sure.
  • Consider reporting scam pages to Facebook. Annoyingly, you need to have a Facebook account of your own to do so (non-Facebook users are unable to submit reports to help the greater community, which is a pity), or to have a friend who will send in the report for you. But our experience in this case was that reporting it did work, because Facebook soon blocked access to the offending Page.
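Two of the checks above, that the business part of a domain name sits at the right-hand end and that a password manager matches a site by its URL rather than its appearance, as an added example (not from the original article): a registrable-domain extractor built on a constructed subset of the public suffix list, and a vault lookup keyed on that domain, so that visa.dodgy.example and facebook.com.dodgy.example get nothing while a genuine facebook.com page does. The suffix set and the vault contents are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed subset of the public suffix list, enough for this example; real
# tooling (the tldextract package, for instance) loads the full list so that
# two-label suffixes such as co.uk are handled everywhere.
PUBLIC_SUFFIXES = {"com", "org", "gov", "example", "co.uk", "gov.uk", "com.au"}

def registrable_domain(host):
    """The part of a hostname somebody actually registered: the label just left
    of the public suffix, plus the suffix. Everything further left is a
    subdomain that the registrant can name however they like."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first, so bank.co.uk beats co.uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)

# Constructed vault: entries keyed by registrable domain, the way a password
# manager matches sites, rather than by how a page looks.
VAULT = {
    "facebook.com": ("alice", "correct horse battery staple"),
    "bank.co.uk": ("alice", "another-unique-passphrase"),
}

def credentials_for(url):
    """Offer a stored login only when the real domain of the URL matches."""
    host = urlsplit(url).hostname or ""
    return VAULT.get(registrable_domain(host))

if __name__ == "__main__":
    for h in ("visa.dodgy.example", "whitehouse.gov.dodgy.example",
              "www.facebook.com", "facebook.com.dodgy.example", "login.bank.co.uk"):
        print(f"{h:32} -> {registrable_domain(h)}")
    print(credentials_for("https://facebook.com.dodgy.example/login"))  # None
```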

Remember, when it comes to personal data, especially passwords and 2FA codes…

If in doubt/Don’t give it out.


2 Comments

Do you really think these things are coincidental, though, Paul? When I started to read your article I was assuming you were going to say otherwise. I helped change my father-in-law’s British Telecom broadband contract recently and the day the change went ahead he had a phishing BT telephone call. Obviously it could have happened any day but things like that do make you wonder about the timing.

It’s not *always* coincidental, I suppose… or, at least, you can never be sure.

But here’s the thing: on a typical day, I get multiple scam calls claiming to be from a well-known online shopping brand (think of a greatly endangered rainforest) that I have never in my life bought anything from. So if I ever give in and buy my first item via their system…

…I’m pretty sure in advance that I will receive a fake call “about my delivery” or “in reference to the service” within a few hours of placing my order. It would be like a coincidence that was essentially baked into the system already, simply on account of the high volume of scams that are happening against major brands.

The main thing is that it’s OK to be *suspicious* about the timing, as though the crooks “must have had insider knowledge” (because that means you’ve nevertheless spotted the scam), but it’s vital not to be *softened up* by coincidence, as though the crooks “couldn’t possibly have guessed” and thus the call must surely be legitimate (because that means the coincidence has tricked you into trusting a scammer).
