Malicious Facebook Messenger Chatbots Used to Compromise Facebook Accounts

Risk: high
Damage: high
Platform(s): Social Media
Advisory ID: ngCERT-2022-0084
Version: N/A
CVE: N/A
Published: July 4, 2022

Summary


As a follow-up to the May 23rd advisory on "Novel Use of Chatbots in Phishing Schemes," the use of chatbots for phishing is gradually gaining traction, particularly with the discovery of a campaign that uses one to steal Facebook login credentials. Facebook Messenger, the platform's ubiquitous messaging app, has an integrated chatbot feature. This gives threat actors a large pool of potential victims who are not only familiar with the feature but also trust it.

Description & Consequence


The attack begins with an email to the intended victim informing them that their Facebook page is in violation of Community Standards and will be deleted if they do not appeal within two days. The user is then encouraged to click a big, bold, blue "Appeal Now" link, which will take them to the "support inbox."

Clicking the link opens a Messenger conversation with a chatbot whose Facebook page is called "Page Support" and has no followers and little to no activity. The chatbot then sends a brief message explaining why the user's page has been marked for "permanent deletion" and informs the user that they can appeal by clicking another "Appeal Now" link. This second link directs the victim to a website that is not under the control of Facebook. To process the appeal, the phishing page (appeal-59321958.web.app/appeal.html) requests certain Personally Identifiable Information (PII), including the victim's email address, mobile phone number, name, and page name. When the victim submits this form, a pop-up window appears asking for the account password. Once the password is entered, the victim is taken to a fake Facebook page requesting a two-factor authentication code. Checks have revealed that this page will accept any code, as it is only there to make the whole process seem legitimate. The victim is then redirected to Facebook's real intellectual property and guidelines page.

Successful exploitation allows hackers to do the following:

  1. Steal the victim's Facebook login credentials.
  2. Compromise the victim's Facebook account.
  3. Obtain sensitive personal information that they can use to further their malicious activities.

Solution


  1. We advise everyone to be cautious when surfing the web and not to respond to unsolicited emails.
  2. Insist on the use of Secure Email Gateways (SEG) to protect against phishing emails, malicious messages, and attachments.
  3. Always double-check the URLs of websites that request sensitive personal information.
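Item 3 can be done mechanically. The sketch below is an added example, not part of the original advisory: it extracts the host a browser would actually connect to and compares it with a list of Facebook-operated domains. The trusted-domain list, the shared-hosting list and the function names are assumptions of this example, and every sample link other than the advisory's phishing page is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains this example treats as Facebook-operated.
TRUSTED_DOMAINS = ("facebook.com", "messenger.com")
# Assumption: suffixes under which anyone can obtain a subdomain;
# web.app is the one the phishing page in this advisory sits under.
SHARED_HOSTING_SUFFIXES = ("web.app",)
BRAND_WORDS = ("facebook", "messenger")


def link_host(url):
    """Return the lower-cased host a browser would connect to, or ''."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "https://" + url  # the advisory quotes its URL without a scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".")


def is_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def assess_link(url):
    """Return (trusted, reason) for a link that claims to be Facebook's."""
    host = link_host(url)
    if not host:
        return (False, "no usable host")
    if any(is_under(host, d) for d in TRUSTED_DOMAINS):
        return (True, "facebook-operated host")
    if any(is_under(host, s) for s in SHARED_HOSTING_SUFFIXES):
        return (False, "shared-hosting subdomain")
    if any(word in host for word in BRAND_WORDS):
        return (False, "brand name in untrusted host")
    return (False, "host is not on the trusted list")


if __name__ == "__main__":
    samples = [
        "appeal-59321958.web.app/appeal.html",    # from the advisory
        "https://www.facebook.com/help",          # constructed
        "https://facebook.com@login.example/x",   # constructed: userinfo trick
        "https://facebook.com.login.example/",    # constructed: lookalike host
    ]
    for s in samples:
        print(s, "->", assess_link(s))
```

The check looks only at the host, so a link that starts on a trusted host and then redirects elsewhere still needs to be re-checked at its final destination.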
