A recent social engineering attack that targeted Facebook accounts hit very close to home. One of my friends mentioned to me that his account was no longer accessible and that his password was not working. He even found his primary email address changed to another email. So I went onto Facebook to see his wall posts and I found scam messages offering a free giveaway.
The scam, which offers free mobile battery recharge coupons, links to a fake website and appears as a wall post:
The scam automatically post this status on the wall to convince other friends to click on that link and get the “free” recharge. The post has a clear-text website address that points to the malicious website. Once users click on that link, they will be taken to the website, which asks for their Facebook account details.
Obviously this is a scam to steal Facebook account details. The victims, thinking they are getting mobile recharge minutes, blindly enter their real Facebook credentials. Once they click on the Log In button, they will be taken to another page. The account information has already been sent to the attacker’s server via the HTTP POST request. The site never even validates the credentials with the real Facebook, so even if you enter fake information, it will take you to a new page where you will be asked to answer a few surveys. For this post, we entered fake information and took some network packet captures. The next screenshot shows where user information is sent to the malicious server controlled by the attacker:
The Facebook username and password are sent in clear text in the HTTP POST request. While redirecting the new victim to the survey page, the same scam message is posted on that user’s wall to further spread the attack. Here is the survey page:
Victims are required to complete the surveys to get the recharge coupons, which do not exist. The attacker’s motive is simply to steal real Facebook credentials and to earn money with the help of the surveys.
We have learned from a few victims that their accounts were totally compromised after falling prey to this scam. The attacker not only changed their account passwords but also deleted their primary information such as email addresses. Even if the victims try to reset their passwords, they will never get the password reset email from Facebook.
Be careful when responding to lures and “offers” such as these. If a deal sounds too good to be true, it most likely is.