This is how the Facebook phishing scam that targeted us worked

A Facebook phishing scam targeting page admins hit our inbox today, so we decided to show you exactly how this scam worked.

We suspect the crooks just aren’t really paying much attention when they’re sending out their scams to anti-scam Facebook pages. Or perhaps they’re just really optimistic, or confident. Who knows. But it always gives us a good chance to play along so we can show you exactly how a phishing scam works.

This particular scam is a phishing scam targeted at anyone who admins a Facebook page. For the most part, it’s a typical phishing scam, with one unexpected twist: it uses a user-generated “notes” page hosted on Facebook to make the scam appear more convincing. Here’s how the scam worked from start to finish, in its three parts.

1. The Hook.

Most phishing scams start off with a hook. A message to lure you in. Sometimes it’s an email. Sometimes a phone call. Or in this case, a chat message that lands in our inbox.

The message claims to be from the Facebook Support Team, and tells us that our page has made a post that goes against Facebook’s policy on driving traffic to poor quality websites, and that we must click a link to “verify” our page, or else the page will be suspended.

Here’s the hook, in its entirety…

As far as the social engineering part goes (that’s the “story”) it’s pretty par for the course. Crooks want to alarm potential victims into acting, and threatening to suspend a user’s Facebook page while pretending to be Facebook has proved an effective way of doing that.

What’s clever (and unusual) about the above message is that the link in the message is a Facebook link (it begins with facebook.com). So we clicked it to see what the next step of the scam would be.

2. The “notes” Facebook page

As indicated above, the link was leading us to a page on Facebook, and so it did. However, that page was actually a user-generated “notes” page. Facebook Notes is a lesser-known feature of the social networking platform that allows Facebook users to write notes and share them with others.

Here, the crook has written a note that looks like a complaint report and asks us to submit an appeal (in keeping with the hook of the scam). Admittedly the crooks appear to have crossed wires, since the policy violation mentioned in the hook about driving traffic to poor quality websites has turned into a copyright infringement complaint. Poor effort on the scammers’ behalf, but we pretended not to notice and went to click the link to “submit an appeal”.

But before we do, turn your attention back to the image above, and look closely at the bar along the bottom. That’s the status bar of our desktop browser, which shows the true destination of a link in the note when we hover our cursor over it.

It appears that, in Facebook Notes, users can disguise links. That is to say, they can make a link’s visible text appear to belong to one domain when the link actually goes to another. So while this link appears to be going to another Facebook page, it’s actually a bit.ly link, which could take us anywhere.

So at this point, we’re expecting to be taken away from the relative safety of the confines of Facebook.

3. The spoof website

And that’s exactly what happens as we get taken to the below webpage.

It may appear that we’re still on Facebook, but the URL in the address bar gives the game away. The web domain, facebook.com-activitys.help, doesn’t belong to Facebook: its registrable domain is com-activitys.help, and “facebook.” is just a subdomain label the crooks chose. That means it’s a run-of-the-mill spoof phishing website designed to look like Facebook in order to trick visitors into handing over sensitive information. In this case, the page above asks for the identity of a page and your date of birth, before then…

…asking for the important stuff, such as your Facebook username and password, giving the crooks access to your Facebook account (that is, if you don’t have two-factor authentication enabled, which you definitely should. Here’s how.)

For the most part, it’s a standard phishing scam. The crooks contact you pretending to be Facebook and lure you into visiting a spoof website, which then tricks you into handing over sensitive information, such as your password.

So be careful out there, and if you’re in control of a Facebook page, don’t put it in jeopardy by falling for a scam like this. Facebook won’t (and doesn’t need to) send messages to your page’s inbox. Also, make sure you always check the URL of every page you visit, because sooner or later, phishing scams will try to lure you away from the facebook.com domain.
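The two checks this article leans on, reading the real destination of a link rather than its visible text (the Notes trick in part 2) and deciding whether a hostname is actually facebook.com rather than a lookalike such as facebook.com-activitys.help (part 3), can both be done mechanically. The script below is an added example, not code from the article or from Facebook; it uses only the Python standard library. The trusted-domain list, the sample note HTML and the bit.ly path are constructed for the example and are not the real scam’s values.

```python
"""Added example (not from the original article): classify URLs and flag
anchor links whose visible text names a trusted domain while the href
points somewhere else, the disguise the article describes in Facebook Notes."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the domains we treat as genuinely Facebook's.
TRUSTED_HOSTS = ("facebook.com", "fb.com")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or "" if it has none."""
    if "://" not in url:
        url = "https://" + url  # treat bare text like "facebook.com/notes/x" as a URL
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only if host IS a trusted domain or a real subdomain of one.
    Matching on "." + domain is what defeats lookalikes: in
    facebook.com-activitys.help the string "facebook.com" is only a prefix
    of a label, not a domain boundary, so it does not match."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify_url(url: str) -> str:
    """Summarise a URL as "trusted", "untrusted:<host>" or "no-host"."""
    host = hostname_of(url)
    if not host:
        return "no-host"
    return "trusted" if is_trusted_host(host) else "untrusted:" + host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_disguised_links(html: str) -> list:
    """Return (visible_text, real_host) for links whose visible text looks
    like a trusted-domain URL but whose href resolves to another host."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text
        shown_host = hostname_of(text) if looks_like_url else ""
        real_host = hostname_of(href)
        if shown_host and is_trusted_host(shown_host) and not is_trusted_host(real_host):
            flagged.append((text, real_host))
    return flagged


# Constructed sample resembling the note the article describes (not the real note).
SAMPLE_NOTE_HTML = (
    "<p>Your page has received a complaint. "
    '<a href="https://bit.ly/EXAMPLE-placeholder">https://www.facebook.com/help/appeal</a> '
    "to submit an appeal.</p>"
    '<p>See <a href="https://www.facebook.com/policies">https://www.facebook.com/policies</a>.</p>'
)

if __name__ == "__main__":
    for u in ("https://www.facebook.com/notes/example",
              "https://facebook.com-activitys.help/verify",
              "https://bit.ly/EXAMPLE-placeholder"):
        print(u, "->", classify_url(u))
    print(find_disguised_links(SAMPLE_NOTE_HTML))
```

The only link flagged in the sample is the one whose text reads as a facebook.com URL but whose href is bit.ly, exactly the mismatch the browser status bar revealed; the second link, whose text and href agree, passes. The domain test deliberately checks for a dot before the trusted name, so any hostname that merely begins with "facebook.com" is rejected.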