Site icon Sophos News

Facebook 2FA scammers return – this time in just 21 minutes

Have you ever come really close to clicking a phishing link simply through coincidence?

We’ve had a few surprises, such as when we bought a mobile phone from a click-and-collect store a couple of years back.

Having lived outside the UK for many years before that, this was our first-ever purchase from this particular business for well over a decade…

…yet the very next morning we received an SMS message claiming to be from this very store, advising us we’d overpaid and that a refund was waiting.

Not only was this our first interaction with Brand X for ages, it was also the first-ever SMS (genuine or otherwise) we’d ever received that mentioned Brand X.

What’s the chance of THAT happening?

(Since then, we’ve made a few more purchases from X, ironically including another mobile phone following the discovery that phones don’t always do well in bicycle prangs, and we’ve had several more SMS scam messages targeting X, but they’ve never lined up quite so believably.)

Let’s do the arithmetic

Annoyingly, the chances of scam-meets-real-life coincidences are surprisingly good, if you do the arithmetic.

After all, the chance of guessing the winning numbers in the UK lottery (6 numbered balls out of 59) is an almost infinitesimally tiny 1-in-45-million, computed via the formula known as 59C6 or 59 choose 6, which is 59!/6!(59-6)!, which comes out as 59x56x55x54x53x52/6x5x4x3x2x1 = 45,057,474.

That’s why you’ve never won the jackpot…

…even though quite a few people have, over the many years it’s been going.

In the same way, phishing crooks don’t need to target or trick you, but merely to trick someone, and one day, maybe, just maybe, that someone might be you.

We had a weird reminder of this just last night, when we were sitting on the sofa, idly reading an article in tech publication The Register about 2FA scamming.

The first surprise was that at the very moment we thought, “Hey, we wrote up something like this about two weeks ago,” we reached the paragraph in the El Reg story that not only said just that, but linked directly to our own article!

What’s the chance of THAT happening?

Of course, any writer who says they’re not bothered whether other people notice their work or not is almost certainly not to be trusted, and we’re ready to admit (ahem) that we took a screenshot of the relevant paragraph and emailed it to ourselves (“purely for PR documentation purposes” was the explanation we decided on).

Now it gets weirder

Here’s where the coincidence of coincidences gets weirder.

After sending the email from our phone to our laptop, we moved less than two metres to our left, and sat down in front of said laptop to save the attached image, only to find that during the couple of seconds we were standing up

…the VERY SAME CROOKS AS BEFORE had emailed us yet another Facebook Pages 2FA scam, containing almost identical text to the previous one:

What’s the chance of THAT happening, combined with the chance of the previous coincidence that just happened while we were reading the article?

Sadly, given the ease with which cybercriminals can register new domain names, set up new servers, and blast out millions of emails around the globe…

…the chance is high enough that it would be more surprising if this sort of co-incidence NEVER happened.

Small changes to the scam

Interestingly, these crooks had made modest changes to their scam.

Like last time, they created an HTML email with a clickable link that itself looked like a URL, even though the actual URL it linked to was not the one that appeared in the text.

This time, however, the link you saw if you hovered over the blue text in the email (the actual URL target rather than the apparent one) really was a link to a URL hosted on the facebook.com domain.

Instead of linking directly from their email to their scam site, with its fake password and 2FA prompts, the criminals linked to a Facebook Page of their own, thus giving them a facebook.com link to use in the email itself:

This one-extra-click-away trick gives the criminals three small advantages:

We didn’t miss the irony, as we hope you won’t either, of a totally bogus Facebook Page being set up specifically to denounce us for the allegedly poor quality of our own Facebook Page!

From this point on, the scam follows exactly the same workflow as the one we wrote up last time:

https://nakedsecurity.sophos.com/2022/07/01/facebook-2fa-phish-arrives-just-28-minutes-after-scam-domain-created/

Firstly, you’re asked for your name and other reasonable-sounding amounts of personal information.

Secondly, you need to confirm your appeal by entering your Facebook password.

Finally, as you might expect when using your password, you’re asked to put in the one-time 2FA code that your mobile phone app just generated, or that arrived via SMS.

Of course, as soon as you provide each data item in the process, the crooks are using the phished information to login in real time as if they were you, so they end up with access to your account instead of you.

Last time, just 28 minutes elapsed between the crooks creating the fake domain they used in the scam (the link they put in the email itself), which we thought was pretty quick.

This time, it was just 21 minutes, though, as we’ve mentioned, the fake domain wasn’t used directly in the bogus email we received, but was placed instead on an online web page hosted, ironically enough, as a Page on facebook.com itself.

We reported the bogus Page to Facebook as soon as we found it; the good news is that it’s now been knocked offline, thus breaking the connection between the scam email and the fake Facebook domain:

What to do?

Don’t fall for scams like this.

Remember, when it comes to personal data, especially passwords and 2FA codes…

If in doubt/Don’t give it out.


Exit mobile version