Thursday September 19, 2024

Advisory ID: NCC-CSIRT-260124-002 

Summary: 

A widespread phishing campaign is currently circulating on Facebook with a message that reads, "I can't believe he is gone. I'm gonna miss him so much." This campaign is extensively propagated through the accounts of friends of the victims. Scammers exploit the Facebook accounts of targeted victims to disseminate harmful links masquerading as Facebook posts or news articles related to a person's demise. The perpetrators behind this scam aim to gather a large pool of hijacked accounts, intending to utilize them in subsequent attacks on the social media platform. The fraudulent links redirect compromised users to a website designed to steal their Facebook credentials.  

Threat Type(s): Phishing 

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Mobile Devices and Desktop Computers

Platform(s): Facebook

Version(s): All Versions

Description: 

The Facebook phishing posts come in two forms. One simply states, "I can't believe he is gone. I'm gonna miss him so much," and contains a Facebook redirect link. The other uses the same text but shows what appears to be a BBC News video of a car accident or other crime scene. According to BleepingComputer, two links in the phishing posts brought victims to different sites depending on the type of device used. Clicking on the link from the Facebook app on a mobile device brings victims to a fake news site called 'NewsAmericaVideos' that prompts them to enter their Facebook credentials to confirm their identity and watch the video. To convince victims to enter their password, the site shows what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord. If victims enter their Facebook credentials, the threat actors steal them, and the site redirects the victims to Google. The threat actors likely use the stolen credentials to further promote the same phishing posts through the hacked accounts. Visiting the phishing pages from a desktop computer causes a different behavior, with the phishing sites redirecting victims to Google or to other scams promoting VPN apps, browser extensions, or affiliate sites.

Consequences: 

The phishing posts look more convincing and trustworthy because they come from friends' accounts, leading many to fall for the scam.

Solution:

  • Do not click on links and URLs that appear suspicious or unfamiliar to you. 
  • Since the phishing attack does not aim to steal two-factor authentication (2FA) tokens, it is highly recommended that Facebook users activate 2FA to safeguard their accounts in the event of falling victim to a phishing scam. With 2FA enabled, only the user possesses access to the 2FA codes, ensuring that even if their credentials are compromised, unauthorized logins are prevented.
  • While configuring two-factor authentication on Facebook, opt for an authentication app instead of relying on SMS texts, as phone numbers are susceptible to theft in SIM swapping attacks. 

References: