If you’ve ever wondered why cybercriminals are interested in your IM passwords…
…well, it’s not just so they can sneak into your account and snoop through your personal data with a view to abusing it themselves or selling it on to someone else who will.
Access to your account also gives crooks a level of trusted access to your friends and family that makes scams of all sorts much easier to pull off.
Whether it’s pitching a bogus investment plan, luring someone to a fake login page, persuading them to submit an application form for a non-existent job, or simply getting them to waste their money on useless, overpriced, shoddily made tat…
…well, it’s much more likely that a scammer will be able to talk you into clicking a link using a message that actually came from a friend’s account than if they just contacted you out of the blue.
Indeed, many users deliberately limit their “circles of contact” on social media and instant messaging services not just for privacy reasons but also to cut down on the sort of unsolicited messages, spams and scams they endure via email.
A menace to those around you
A scammer with your instant messaging or social media passwords is not only a menace to you, but also to those around you, as one of our readers discovered this evening when he received a note from a friend via Facebook Messenger that said:
Is it you in the video
From someone you didn’t know, a question like that would fall somewhere between bizarre and creepy, but from a friend, who wouldn’t want to take a look?
There is no video, of course – the black image links to a URL shortening service, which in turn redirects to a URL that pops up what looks like a Facebook login page:
The URL (redacted above) clearly has nothing to do with Facebook – it’s a randomly-generated server name on a boutique Hungarian web hosting platform – and, as you can see from the crossed-out padlock icon in the address bar, the site uses HTTP and not HTTPS.
Facebook was an early adopter of HTTPS-for-everything, giving up on HTTP altogether back in 2012, so any page that claims to represent Facebook but doesn’t have HTTPS is an unreconstructed fake.
Unfortunately, putting your username and password into the fake login page above would submit them to a server running on a low-cost web hosting service in the USA, using a vaguely legitimate-looking domain name that was registered less than a month ago.
Our reader immediately assumed that his friend had himself recently received a similar (perhaps even an identical) message, and had not only clicked through but attempted to log in, handing his password to the crooks and thus ensuring that all his contacts would soon be spammed in turn.
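A defender-side check for the three tell-tales the article describes (a page that claims to be Facebook but is served over HTTP, lives on a host that is not facebook.com, or whose login form posts credentials to a different server), written here as an added example rather than anything from the article; the sample pages, the .invalid hostnames and the list of legitimate hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts that legitimately serve Facebook's login form (assumption for this example).
LEGIT_HOSTS = ("facebook.com",)

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def host_is_legit(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)

def assess_login_page(page_url, html):
    """Return the reasons a page that presents itself as Facebook looks fake;
    an empty list means it never mentions Facebook or passes every check."""
    reasons = []
    if "facebook" not in html.lower():
        return reasons  # not impersonating Facebook, so out of scope here
    page = urlparse(page_url)
    if page.scheme != "https":  # Facebook has been HTTPS-only since 2012
        reasons.append("served over %s, not HTTPS" % page.scheme)
    if not host_is_legit(page.hostname):
        reasons.append("hosted on %s, not a facebook.com host" % page.hostname)
    collector = FormCollector()
    collector.feed(html)
    for action in collector.actions:
        # A relative action posts back to the page's own host; an absolute one can go anywhere.
        target = urlparse(urljoin(page_url, action))
        if not host_is_legit(target.hostname):
            reasons.append("form posts credentials to %s" % target.hostname)
    return reasons

# Constructed sample pages; the .invalid hosts are placeholders, not the real scam servers.
FAKE_PAGE_URL = "http://a7f3k9.example-hosting.invalid/fb/"
FAKE_PAGE_HTML = ('<html><head><title>Log in to Facebook</title></head><body>'
                  '<form method="post" action="http://secure-login-verify.invalid/post.php">'
                  '<input name="email"><input name="pass" type="password"></form></body></html>')
REAL_PAGE_URL = "https://www.facebook.com/login/"
REAL_PAGE_HTML = ('<html><head><title>Log in to Facebook</title></head><body>'
                  '<form method="post" action="/login/"><input name="email"></form></body></html>')

if __name__ == "__main__":
    for url, html in ((FAKE_PAGE_URL, FAKE_PAGE_HTML), (REAL_PAGE_URL, REAL_PAGE_HTML)):
        print(url, "->", assess_login_page(url, html) or ["no red flags"])
```

In practice the URL and body would come from a sandboxed fetch that follows the shortener's redirects, never from a user's own browser.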
After the fake login page
This scam goes even further – whether as a distraction to buy a bit of time before victims realise they’ve been taken in and rush to change their Messenger passwords, or simply to give the crooks a second bite at the cherry, we don’t know.
After entering your password, there’s a short delay, as you might expect when logging in to any online service, after which the crooks seem to pick from a range of other scams and redirect you to one of them randomly.
These didn’t look as though they were being run by the same criminals, so we’re assuming the message-spamming crooks were simply hoping to collect “affiliate fees” from other criminals in the underground.
These “second redirect” scams varied from specious VPN offers to a range of those “free” phone deals where all you need to do is pay a modest delivery fee (£1.95 in the variants we saw here), thus giving the crooks a believable excuse to collect your credit card details.
What to do?
- Use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for cybercriminals.
- If you think your friend’s account has been hacked, contact them via some other method. Don’t reply via the very same account that you don’t trust – if it is a scam, you are just tipping off the crooks, who will lie to you and tell you everything is fine.
- If a friend lets you know your account was hacked, don’t delay. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals.
- Use a password manager. Password managers help in many ways: you automatically get a different password for every site; you get passwords that are random and can’t be guessed; it’s faster to change your password if you do get hacked; and it’s much harder to get phished because your password manager won’t put the right password into the wrong site.
- Use an anti-virus with a built-in web filter. Attacks of this sort generally don’t rely on sending malware to your computer, but instead rely on tricking you into uploading secret data like passwords from your computer. A web filter helps stop you landing on fake pages in the first place and therefore shields you from phishing. (Sophos Home has a web filter – there’s a free version for both Windows and Mac.)
Michael Downey
Good article. Have you written anything about the huge number of “Rewards” and “Surprises” supposedly sent by big stores like Costco, Tim Hortons and “Walmrat”? This looks to be a huge push by crims going on right now. I have 29 messages of the sort in my Gmail Spam folder.
Paul Ducklin
Not this time round but we have a collection of articles from recent months and years that deconstruct scams of that sort and others, including abuse of brands belonging to supermarkets, fast food chains, hardware stores, software companies, courier and delivery services, banks and other financial institutions, and… not forgetting, of course, those many, many “free” iPhones, the “surveys” you are invited to take and those “jobs” that don’t exist. Try searching this site for words such as survey, scam, delivery, vish and smish (the last two are phishes via voice and SMS respectively).
Laurence Marks
Our volunteer agency is obliged to have a web page listing the officers and their contact information. We will eventually be moving to a system that supports web forms and will no longer reveal email addresses.
At this time we regularly see emails purportedly from the Treasurer to the President (or vice-versa) asking for iPhone gift cards for “an urgent situation.” Fortunately, good education has been sufficient to avoid any real problems.
Paul Ducklin
Could you use a generic address, like we do on Naked Security with “tips@sophos.com”, which is autoredirected not only to me but to whoever else is “on duty” at the time, so that [a] the submissions can easily and automatically be disentangled from our regular emails and [b] responses don’t depend on a specific person being available to reply?
Robbin
Good article. Thanks for sharing!!
Sid
My friend recently got the “K4FI; is it you?” scam. This message was spammed to her contacts.
Stuart
A scam video called “It’s you” was sent out from my Facebook Messenger account to all my contacts that have an account on Facebook. The video looks very like the image in this article. I presume it does the same thing.
I’m thinking of setting up two factor authentication on Facebook.
Paul Ducklin
I also suggest that you review which devices have logged into your account recently (kick out any you don’t recognise) as well as reviewing all the Facebook plugins on the Facebook apps page that have access to post to your account – you might find some leftover stuff you don’t use any more!
John Shiers
I had this happen to me last night and this video was sent to all my messenger contacts.
I reset my Facebook password and deleted the video from all contacts that it had been sent to.
Am I now safe or is there something else that I should do?
Paul Ducklin
As long as you didn’t click through to the fake site and put in any personal data you should be fine.
Assuming that someone else has been inside your account, even if only briefly, you might want to revisit all your settings, posts, group memberships, friend lists and so on just to make sure there aren’t other unwanted changes left behind. You might as well review all the Facebook apps that are hooked into your account and revoke any you don’t recognise or no longer need… use this as a good excuse to review everything to do with privacy and security on your account!
Kandice
I clicked on the link that said “is this you in the video?” I then put in my Facebook password and it took me to a fake webpage. I was still confused and tried the link again. It took me to a page saying that it wasn’t safe and suspicious activity. Later many of my contacts received the same message from me asking if it was them in the video. I deleted the link from all the messages that went out through Messenger to my contacts. I have since changed my Facebook password. Do you think they still have access to my account? I’m so bad with technology, I don’t know if I should still be worried. Thanks!
Paul Ducklin
If you changed your password then the old one the crooks had is no longer any use so I’d suggest you are now back in control…
DiskHead
No, they do not have access to your account if the password is secure enough. I recommend using a random password generator and writing it down on a piece of paper you keep with you. Basically, they only get back in if the phisher attempts to crack the password.
Elle
Thanks for the article.
A friend had this happen to them and their messenger sent out these messages to all contacts. I did click on their link but then clicked out very quickly. I didn’t allow the page to load to the Facebook spam page asking users to put in their login info. So I haven’t entered my information into any website. Just simply clicked the link.
Do you think my account is safe? I have since changed my password and set up 2FA.
Thanks
Paul Ducklin
If you didn’t let the page load then you wouldn’t have been able to put any data into the form you never saw… so I am saying you are fine :-) You changed your password anyway just in case, which was a good move. And adopting 2FA won’t solve all your cybersecurity problems but it does make stolen data such as usernames and passwords less useful on their own to the crooks.
You could also go into your Facebook profile pages and review the list of devices currently logged in, and the list of Facebook apps you have authorised to access your account. Be prepared to be surprised… you may find old devices and old apps you had forgotten about, and take the opportunity to kick them out.
Elle
Thank you so much Paul for your quick reply and reassurance :) These scams are very anxiety inducing!
Erin Trites
Is there a way to delete the video in messenger, without deleting the whole set of messages?
Paul Ducklin
It’s just a message (the video is a ruse) so you should be able to delete it like any other message.
(I am not a Messenger user… any readers care to explain the sequence of taps or clicks to use?)
Erin Trites
I can definitely delete the whole series of messages, but that included ones from the past that I don’t want to delete. I’m looking to delete JUST the video. Usually, if you hold your finger down, or swipe to the left, choices come up, including delete… not in Messenger.
Jeff Baines
Depending on where you have FB Messenger open (either your computer or your phone) there is a way to delete the message in question on either device.
Your Phone: If you long press the message you want to delete, you will see the bar with a selection of emojis and just below that will be a bar with “reply”, “copy”, “forward” and “remove”. Press the “remove” button and the message will be deleted. Keep in mind that it will only be deleted on your end, not the sender’s.
Your PC, laptop, etc.: If you hover your pointer (this is for a Windows machine, BTW) over the message you want to delete, appearing to the right of the message will be an “emoji” button, a “reply” button and the “hamburger” (3 vertical dots) button. If you press the “hamburger” button you will see a bubble pop up that allows you to either remove or forward the message. Once again, when you remove the message, it will only be on your end and not the sender’s.
If you have any other questions, feel free to send me an email. Hope this helps.
Paul Ducklin
Thanks for the notes, Jeff!
Jeff Baines
Anytime! Always happy to help when and where I can. :)
Deniece
Thanks for the info. I entered my info into the phished Facebook site, on my iPhone. How much did that give them access to? Do they have access to my home network? I was using my wifi.
Paul Ducklin
If you put in your Facebook password then the crooks now know what it is. So you need to change your password immediately to re-protect your account.
Anonymous
I got to the phished site by clicking the link but I didn’t put in my credentials. Is my account safe?
Paul Ducklin
If what happened to you matches what you see above, you should be fine – the web page we investigated didn’t contain any “active tricks” such as trying to attack bugs in your browser. So visiting the fake page simply displayed the fake form. The form on its own was harmless as long as you didn’t type anything into it.
Elle
Hi Paul, I wrote to you a couple of months ago as I fell into this Facebook scam. This morning I received a text message from a fake DHL account saying that my parcel will be delivered today. I stupidly clicked on the link (as I do have a parcel arriving today and didn’t think it through properly…). Anyway, as soon as I clicked on it, it opened a page saying I’d won an iPhone 12 and I quickly exited the page. Similar question as before, but do you think anything (malware) was downloaded onto the phone? I have an iPhone btw and have cleared my history and cookies.
Thanks in advance,
Elle
Paul Ducklin
I suspect you are OK. Those surveys generally rely on sucking you in to enter more and more data “willingly”, rather than trying to implant malware and steal it outright. (Some surveys go out of their way to tread along the thin line between legal and dodgy by making you do all the data entry and then claiming it’s a case of a willing participant.)
If you bailed at once I would say you are OK.
Elle
Thanks for your reply Paul. Out of curiosity have you heard of the DHL Scam message?
Is it possible to ever find out if a phone has been hacked? Best to probably just change passwords etc..
Thank you so much!
Paul Ducklin
Here’s an example of a recent DHL scam:
https://nakedsecurity.sophos.com/2020/05/13/beware-the-dhl-delivery-message-email-it-could-be-a-package-scam/
The crooks often vary the courier company to suit your region, e.g. Canada Post, Royal Mail:
https://nakedsecurity.sophos.com/2020/03/26/watch-out-scummy-scammers-target-home-deliveries/
As for “have you been hacked”, the most likely outcome from one of these scams is compromised accounts, so change your passwords if you think the crooks now know them (before they change them for you!), keep an eye on credit card statements, and while you are about it, why not get rid of lesser-known apps that you aren’t sure about and don’t use often, following the “less is more” principle?
Raffy Rockets
Hey, I just fell for this scam today, and unfortunately did enter my credentials to “login” to Facebook… After I realised it was a scam, I tried changing my password, but the email connected to my FB is no longer in use. What should I do? (Note: I don’t use FB anymore, however I still had Messenger installed and logged in on the phone.)
Paul Ducklin
Can you shut down the account completely without needing to receive a confirmation email? (I imagine not, but who can say?) If you genuinely don’t use FB then you might as well not have an account at all, which means you can’t get compromised (because none of your data is in there).
If you want to keep the account just in case, or because the name is so clearly associated with you that you don’t want anyone else messing around with it, you may need to follow Facebook’s “manual” recovery procedure (which may involve freaky stuff like emailing scans of a personal ID and so on).
Alex Sánchez
Hello Paul
I just got this and I logged in with my credentials. I realized immediately after that it was a scam and changed my password within 3 minutes.
I don’t know if this helps, but I logged in because when I clicked the “user” space all my emails for Facebook showed, like it was a real page (I have different emails for school and work and family and they all showed). I just clicked the one I was going to use.
Is there a chance they automatically or manually downloaded or cloned my Facebook information in those 3 minutes? I like to think they check their program every few hours to see how many credentials they got, and in the meantime I changed my password and I’m safe. But who knows…
I haven’t seen anything sent from my inbox or home page in the last hour since it happened.
Paul Ducklin
If the crooks correctly got your password, it’s no use to them now you have changed it. (The fact that the old one still worked for you 3 mins later at least means the crooks had not been able to lock you out of your own account in that time by changing the password for you!)
If you haven’t seen any bogus messages sent on your behalf then it looks as though you beat them to it.
Facebook does have a “login history” page where you can look for the times and places of any successful logins. Assuming that the crooks are not in your home town means that any rogue logins ought to show up there.
HtH.
Marsha
Thank you for sharing this. I just got one today off a friend that I didn’t know had been hacked just minutes before. My gosh, when will they stop. But I never was able to access it. So would they be able to get my stuff?
Paul Ducklin
If the site wasn’t working by the time you got the fake message, I’d say you’re OK.
Work Time
Thank you. There has been a lot of such spam lately. And you need to have good web protection
Amit Panwar
I also fell for this video scam today. When I clicked on it, it didn’t open any new tab but opened the YouTube app’s latest video, so I am not sure what information was actually stolen. As soon as I got to know this was a spam, I changed my password for Facebook and Gmail. Now I don’t know if there is anything I should be concerned about.