How many times has a friend of yours posted on Facebook “My account has been hacked, don’t click on any messages from me”?
A massive phishing campaign that utilized Facebook messenger was recently uncovered. This campaign served two purposes for the attackers.
- Serve ads to victims to earn money on ad clicks
- Compromise account credentials using phishing sites with fake log-in pages to further the phishing campaign.
Usually, the message came from someone you know who already had their account compromised. The original article is on Bleeping Computer (link below).
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted, and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks it’s time to educate.
Welcome to the human element podcast, visit our website at the human element dotnet for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar. Owner and Washtech a client-focused security-minded proactive IT service provider. Hello and welcome to episode nine phishing through social engineering. And we’re going to use bleeping an article from bleeping computer again this week. I don’t like I don’t usually go for the same source twice. But bleeping computer is a really good site. They don’t talk a lot about social engineering, but they do a little bit and obviously, so we have a couple of two weeks in a row now podcasts with social engineering ties on bleeping computer. And this article is massive Facebook Messenger phishing operation generates millions. And this really shouldn’t come as a surprise to anybody who’s familiar with social engineering. Many of us get scammed on Facebook, Instagram, Twitter, and not so much on LinkedIn, but it can happen on LinkedIn and other platforms. A lot. It happens a lot. And while I have not been successfully scammed on any of those platforms, I certainly get my fair share of attempts. And how so how does it happen in this article, talks about how it happens a little bit. And it says researchers have uncovered a large-scale fishing operation that abused Facebook and messenger, which means that you could conceivably think WhatsApp as well. And I have gotten messages on WhatsApp as well. To lower millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements. The campaign operators used these stolen accounts to send further phishing messages to their friends generating significant revenue via online advertising commissions. So while it’s not you would think, okay, they’re just, you know, they’re just getting people to click on ads, and they’re making money off of that you can, you know, sign up as an affiliate and make money off of ads. I’ve done this with AdSense in the past and not currently doing it anywhere. I’ve done this with Amazon as well. Of course, my methods are a little more ethical, these are not ethical methods. So they send in, send you a message from somebody who claims to be your friend. In reality, that account has been compromised, and And chances are, you’re clicking on, as it says you’re clicking on a link in and logging in. They’re stealing your credentials, too. So now they’re going to use your account to do the same thing. So how does this happen? So I’m going to tell you story of a family member who had their Instagram account compromised. And the way it happens, usually, not always, but usually. So sometimes it can be through guessing your password. So if I know you, or have some idea through social engineering methods, what your password might be, you know, let’s say you talk a lot about your pet dog. And you know, the name and everything, you just share information all the time or your children. They might attempt to use that as a password. Also, on the dark web, there are, there may be billions at this point put at least in the hundreds of millions of passwords and usernames, you know, credentials available on the dark web for free. I can go on the dark web right now. As a matter of fact, I think there’s some websites that aren’t even on the dark web that are just on the regular internet, where you can go and you can purchase credentials, you can purchase 10,000 credentials for very few dollars. And I mean very few dollars and then you try those credentials and variations of those credentials against different websites so I can go now to Instagram. I now say I now find The account, let’s say the family member’s name is Lisa. I don’t know of any family members named Lisa. So don’t try. But let’s say my family member members name is Lisa, extended family. They, their email is Lisa firstname.lastname@example.org, I find that email on the list of credentials that have been stolen, I already have your Instagram user ID because I’m following you on Instagram or I’ve looked you up on Instagram, I have your now your your email just in a password you’ve used with that email address on another platform, I then try that with Instagram, it doesn’t work. Okay, I changed some of the characters, I make something up because I have a symbol at the end. Everybody loves exclamation points.
It works, I get it. And after a few attempts, you don’t have two-factor authentication setup. That’s another podcast that was let me tell you what podcast that was episode. That was episode six. So go back and listen to that. But you don’t have multi-factor authentication turned on or two-factor authentication depending on how you’re doing it. And now I get into your account, Change Password, now you’ve changed the email address tied to it. Probably the same email just that was on that dark web list. And now you have no access to it. And I can do whatever I want with it in my family members case, they tried to sell it back. Now, they were able to get it back without having to sell it without having to purchase it that I’m aware of this is what they that I was told I did not get involved. But they had their account compromised. They never disclosed how but that would be my guests that their information was out there on the dark web and that information would you use to log into the Instagram account. As humans, we have a tendency to reuse the same password. And that is a big mistake. Or we’ll use variations of password. Or another one I heard just recently, you use let’s say my password is password, please don’t use that as your password. But let’s say my password is password. And I want to but I want different passwords for every platform. Because you know, I hear so many people, I hear Scott all the time yelling, hey, you need a different password for everything. So I do is password, dot Facebook, and then for Facebook and then password done Instagram for Instagram and so forth. And so this is a bad practice as well. The best practice I can tell you right now is randomly generated passwords, there are tons of generated password generators out there. Some applications actually do this natively, then use that and then use a password manager. And then the only password you need to remember is the one for the password manager, just make sure that it’s not an easy password to guess. So this is one way of getting in. So then they take over your account. So now I’m getting messages for and I actually did get a message from the family member. Fortunately, I don’t really read Instagram messages. So if you message me on Instagram, chances are it’s not going to get read. But sure enough, because I found out about the compromise, I went and took a look. And there was this message. And I don’t remember the content of the message now but sure enough, they wanted me to click on a link. And that would probably take me to an Instagram page where I needed to log in, or what looked like an Instagram page to log into. And then they would steal my credentials, I do have two factor authentication turned on. So that’s not going to happen. And in two factor authentication is not foolproof. And we’ll get to that in another podcast. But it is not foolproof. So please don’t rely on it to be the only source of security that you have for your accounts. So this cybersecurity firm is PXm out of New York. And they found that the campaign that we’re reading about here peaked between April and May of this year 2022. But it has been active since September of last year 2021 PII, XM or pixel, I’m not sure which one it is was able to trace the threat actor and map the campaign due to one of the identified phishing pages hosted a link to traffic monitoring app whose dot among US DOT I’m sorry, who’s dot among.us. And it’s H O h, w h o s.am. Union. I’m having a hard time with this. W H O s.amung.us. That was publicly accessible without authentication. So this so one of the pages was being monitored already. And they noticed a peak in the traffic and that was helped. That’s what helped identify it. Supposedly, these people made millions from the ad clicking and I would assume they still more counts and spread these ads even further. And then there’s a list of the campaign server tracker user names and the pageviews. And our you know, there’s one page view over 6 million, there’s a total of 16 million pages viewed. And if these all have ads that were clicking on it. So not only is it fraud, because now the business is paying for those clicks, but also you’re collecting money that you didn’t really earn. So if you go to an affiliate site, and I do have a couple of affiliate sites up, I just not really, it’s not really my focus. And so I make, you know, $100, here or there, nothing serious. And that’s the legitimate way to do it. Or, you know, you you advertise yourself as a shopper for people and you go out and you look for products for people and you send them the link, and the link is an affiliate link, and you have to disclose that you’re doing this, you have to disclose you’re an affiliate, and that you might make a few dollars off of it, you don’t really make a lot, and I don’t really spend a lot of time on it. So
you’d have to do it at a large volume, as isn’t the case here where we’re sending these these messages in Facebook Messenger. And if it’s happening on Facebook Messenger is probably happening on other platforms like Instagram, and Twitter. And you click on the link, and then the person gets, you know, the few pennies or dollars that it is to for that ad click, you know, there’s a screenshot screenshot here of a Walmart survey ad. I don’t know, you know, how much you get for doing that. Or you know, how much the advertiser pays for it and or how much the affiliate marketer in this case, the scammer is getting for it. But if you do this millions of times, even at 10 cents per click 16 million times, it’s still 1.6 million. For mapping, right? Yeah, that’s 1.6 million. So that’s a lot of money. That’s a lot of revenue generated for scammers. And it’s a lot of lost revenue for businesses that otherwise wouldn’t have to pay for those ads, because they’re not legitimate. It’s it’s fraud. And so Google has made a concerted effort to shut that down. Unfortunately, you know, Google is not the only ad platform out there. There are other ad platforms that that are probably not as diligent about these things and don’t really care or, or don’t have a way to track it. So they, you know, $1.6 million paid out to a scammer. You know, the problem with that is, you think, and Walmart can afford it. Yeah, probably. But what if I advertised, I cannot afford extra clicks that don’t lead to anything. And I do occasionally advertise it, I’m very careful about no tracking the clicks to see where they’re coming from, and if they’re legitimate, and, you know, block sources, and so I don’t know where these sources came from, if they’re in the US, or if they’re somewhere else. But you know, you got to be careful when you’re advertising that somebody isn’t fraudulent, clicking on ads and costing you money that you wouldn’t get you shouldn’t have to spend to be honest, it shouldn’t have to be spent. There was a domain seizure against a Colombian man identified as Raphael Dorado. He was one of the people doing this. And I just want to point out as I’m reading this article, even on bleeping computer, they have ads. So I see ads here for Rocket Lawyer for Fox nation horizons, but this is legitimate. So I’m coming to bleeping computer. And these are probably Google. I know, at least some of them are Google ads. And this would be based on my search, previous search history and content of the article, and so forth. But this is legitimate way to make good revenue from ads, you build up this website and bleeping computer is a pretty big site, lots of content, you develop lots of content. And people come to the site and they see an ad that might interest them, and they click on. And that’s the legitimate way to make revenue from advertising. It looks like they’re all Google ads, or maybe not all of them. Most of them are Google ads. So they’re making money from AdSense. And Google has a way to track click fraud. So there’s there’s that now. So what is the point here? I’m not really concerned with whether or not Google tracks ad fraud or whether or not you know, advertisers have to pay extra money for ads that are ads that were served and clicked on that weren’t legitimate. That’s a different topic. And that’s not really the focus of this podcast. What I am concerned with is that you’re getting Facebook and Instagram and Twitter accounts. And other social media accounts compromised because you’re not being careful. There are stories and stories of people getting their accounts stolen. There. are some what are considered high value accounts based on the user name or the number of followers that you have that are targeted. And sometimes, things like swatting are used, which is the which is a method of scaring people into doing things because they send the SWAT team to your house and they say, you know, there’s a situation at the house where there’s a hostage situation or something like that. So the SWAT team shows up. It’s very scary from all accounts that I’ve listened to, it can be very tense and scary situation, not something you would want some subject somebody to.
Before you get to the swatting, if the account is that high value, they will try other methods. And then we’ll search the dark web for previously used credentials. And so it’s important to know that if you have used a credential in the past, or use it on another platform, you should not use it. If it’s a simple password, meaning it’s, you know, one word password or easy to guess. Or it’s all lowercase and easy to crack, or you don’t have two factor authentication turned on and so forth, your account is probably going to get countered, compromised. But even more so if you haven’t received a message from someone. So this happened. And I think I recorded not sure if I did a video on it. But I got a message from someone I hadn’t talked to in years in the person who’s a realtor. And so it came through Facebook message no actually came through Instagram messenger, but it came through my Facebook Messenger, because you know, this is the same company. So things are getting kind of jumbled up now. And he asked about something insurance related. And so he was the person was claiming that he was selling some insurance product or something along those lines, I don’t remember, but I knew that the person was a realtor. And so I played along with it for a little while. And I got the person to play along as well, until I asked how it was going to business or how the new business is gone. And that’s when they started, they started to stumble a little bit because they didn’t realize that I wasn’t going to figure out that it was a scam, probably I don’t know. So I knew the person was a realtor. And I finally question about the real estate and they stopped messaging me, they just cold turkey, Stop messaging me. So I reached out to the person, they don’t even have an Instagram account. They’re not there. And they’re not the kind of person that would message somebody on Facebook either. And I knew that I knew that right from the start. And I hadn’t talked to the person in a long time. So I knew that this was not legit. If you suddenly get messages from people you wouldn’t normally get messages from or you get messages that look abnormal. They’re not the normal stuff that the person would send you. I have ongoing Facebook, message calm conversations about sports, about politics, about current events, all of these things are networking. I know if suddenly somebody sends me a link and say, Hey, check this out. I know it’s not legit, I can tell by the tone of the conversation. If they’ve never messaged you before, it’s probably not legit. If they message you about one thing for months, and then suddenly, they’re changed up to topic, it’s probably not legit to the account probably was compromised. Secure your accounts, make sure you have strong passwords, you have to factor authentication turned on. Don’t let people just randomly grab accounts. Don’t reuse passwords, don’t use simple passwords. Check your online, you know your Dark Web status. If you need help with that just reach out to us, you just go to to our business website, which is an washtech.com and W AJ tech.com. And at the top of the page, there is a free dark web search. You can check your credentials to see if they’ve been exposed. I can tell you almost everybody’s credentials are on the dark web. Unless it’s a newer account or a newer email account, there’s a good chance your stuff is on the dark web. So do you want to check that see what was compromised and if your password was compromised, never ever use that password again. The longer the password, the better the more characters, the better the uppercase, lowercase numbers, and special characters. You need to take everything with a grain of salt. If somebody suddenly messages you out of the blue, even if it’s somebody you know, just think about previous methods of communicating with this person. And what they do challenge the person. If they’re messaging you on Facebook and they’re asking you about something random challenge a person say how do I know you? When did we meet if they can’t answer those questions and it’s probably not who they purport to be. So in the in the incident that I just told you about where the person messaged me from from Instagram to Facebook Messenger it was a clone of his Facebook account made on Instagram and this happens a lot too so they will clone accounts because there’s trust to not write somebody you know, be careful. Just be careful if suddenly you’re getting messages from Instagram, you know for sure the person doesn’t have an Instagram account, or they’ve never messaged you from Instagram before, there’s a good chance it’s scam. In fact, I challenge you with this, if you come across something that doesn’t look legit, or you’re not sure, then reach out to us email support at NW AJ dot tech, and we’ll take a look at it or even go to podcast at the human element dotnet you could send an email to either one of those, we’ll look at it and we’ll tell you what it is.
But let’s let’s crush this problem. Let’s get away from being fished on social engineering. I mean on social media, on email, on text messages on voice calls on websites and all of these things. Let’s crush this problem, through education through challenging the scammers and through recognizing potential fraud. So until next time, stay secure
Transcribed by https://otter.ai