Skip to main content

'Copyright Violation' Notices Lead to Facebook 2FA Bypass




Fraudulent Facebook messages allege copyright infringement and threaten to take down pages, unless users enter logins, passwords and 2FA codes.

Scammers have hatched a new way to attempt to bypass two-factor authentication (2FA) protections on Facebook.

Cybercriminals are sending bogus copyright-violation notices with the threat of taking pages down unless the user attempts to appeal. The first step in the “appeal?” The victim is asked to submit a username, password and 2FA code from their mobile device, according to Sophos researcher Paul Ducklin, allowing fraudsters bypass 2FA.

2FA is an added layer of protection on top of a username and password that usually involves sending a unique code to a mobile device, which must be entered to access a platform. But crooks are increasingly finding ways around it.

Ducklin explained in a recent post about his findings that Sophos regularly receives social media copyright infringement scam emails, but this one distinguished itself by launching a plausible attack using fraudulent pages generated on Facebook, giving their phishing emails an added air of legitimacy.

“None of these tactics are new — this scam was just an interesting and informative combination,” Ducklin wrote to Threatpost in an email about his findings. “Firstly, the email is short and simple; secondly, the link in the email goes to a legitimate site, namely Facebook; thirdly, the workflow on the scam site is surprisingly believable.”

The fake Facebook emails offer clues that they’re not legit, but Ducklin points out it’s convincing enough to goad social-media administrators into wanting to gather more information on the supposed copyright violation complaints, which means clicking on the phishing link in the email.

The email’s message threatens to delete the victim’s page unless an appeal is filed within 24 hours.

“You’ll see when you hover over the ‘continue’ [it] does indeed take you to facebook.com,” he said. “The catch is that the Facebook address is the fraudulent page set up to look like an official Facebook page dedicated to handling copyright violation issues.”

From there, even though the linked text looks like clicks are sent to another Facebook page — ostensibly so victims can file an “appeal” — Ducklin looked and found the target URL is different from the linked text. It instead sends the victim to a .CF domain based in the Central African Republic.

“That’s an old trick used by crooks — and even by some legitimate sites,” Ducklin added.

The site was set up temporarily on a cloud web hosting service, which generates an HTTPS certificate once the site is online, making detection a bit trickier, he added.

“The certificate’s validity started at midnight today, and the scam email we received arrived at 01:53 UTC, which is early evening on the West Coast of America, and late evening on the East Coast,” Ducklin wrote. “As you can see, cybercrooks move fast!”

Once on the site, users were asked to enter their password, twice, access the Facebook app on their mobile device and enter in the 2FA code, which is found in the “Settings & Privacy > Code Generator” section of the app. Ducklin wrote this could result in “potentially giving them a one-shot chance to login as you, directly from their server, even if you have 2FA enabled.”

Once they have access to a victim’s Facebook credentials, the attackers can sell off the info on the dark web, use it to hijack or take down pages, hold user data for ransom or even make fraudulent in-app purchases.

Facebook responded to Threatpost’s request for comment, saying the company recommends being careful to not click on any suspicious links, adding if a user does get hacked, they can get help securing their account at facebook.com/hacked. The company added that they recommend using a third-party authenticator app as a primary security method. Facebook also has a list of tips to avoid phishing attempts on its platform.

Is 2FA Broken?


Bypassing 2FA has emerged as a disturbing trend.

Cybercriminal group Rampant Kitten was discovered just last month, after years of operating undetected, to have developed Android malware that gathers 2FA security codes sent to devices in addition to Telegram login information, while launching Google phishing attacks.

At about the same time a trojan called “Alien” targeted banks with a novel notification sniffer which gave scammers the ability to access new device updates, including 2FA codes, to bypass the protection.

In May, another attack on Office 365 attempted to trick users into granting permissions to a rogue application, which would then bypass 2FA protections.

The list of 2FA breaches goes on. It remains up to the user to make sure they don’t fall for these types of phishing scams. Ducklin added that using a web filter and avoiding email requests for login details are also good policies to follow.

“2FA has never been a silver bullet that will eliminate phishing and fraud — but it does make things harder for the crooks, and it gives you one more opportunity to stop and think when you are logging in, ‘Do I really want to put my password and my login code in *on this very site*?” Ducklin said. Always check where emails came from and where web links have taken you — because the only thing worse than being scammed is being scammed and then realizing that the telltale signs were there all along.”

He added, “As any carpenter will tell you: measure twice; cut once.”

Originally published at https://threatpost.com on October 28, 2020.

Comments

Post a Comment

Popular posts from this blog

Ex-Twitter employees accused of spying for Saudi Arabia

Two former employees of Twitter have been charged in the US with spying for Saudi Arabia. The charges, unsealed on Wednesday in San Francisco, allege that Saudi agents sought personal information about Twitter users including known critics of the Saudi government. Court documents  named the two as Ahmad Abouammo, a US citizen, and Ali Alzabarah, from Saudi Arabia. A third person, Saudi citizen Ahmed Almutairi, is also accused of spying. The New York Times says it is the first time that Saudi citizens have been charged with spying inside the United States. What are the charges? The charges allege Mr Almutairi acted as an intermediary between the two Twitter employees and Saudi officials. Ahmad Abouammo appeared in a Seattle court on Wednesday and was remanded in custody pending another hearing due on Friday. He is also charged with falsifying documents and making false statements to the FBI. Mr Abouammo is said to have left his job as a media partnership manager ...
Post a Comment
Read more

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....
Post a Comment
Read more

Microsoft rolls out passwordless login for all Microsoft accounts

  Microsoft is rolling out passwordless login support over the coming weeks, allowing customers to sign in to Microsoft accounts without using a password. The company first allowed commercial customers to rollout passwordless authentication in their environments in March after a breakthrough year in 2020 when Microsoft reported that over 150 million users were logging into their Azure Active Directory and Microsoft accounts without using a password. Rolling out to all Microsoft accounts Starting today, Redmond announced that users are no longer required to have a password on their accounts. Instead, they can choose between the Microsoft Authenticator app, Windows Hello, a security key, or phone/email verification codes to log into Microsoft Edge or Microsoft 365 apps and services. “Now you can remove the password from your Microsoft account and sign in using passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone o...
Post a Comment
Read more