Hackers Are Stealing Facebook Accounts With Malicious Messenger Bots

Researchers at Trustwave have shed light on a recently discovered phishing campaign revolving around Facebook Messenger bots.

If you don’t spend much time on social media, chatbots are programs designed to impersonate live people and are usually relegated the task of answering simple questions as a form of triage customer support.

If the bot can’t answer the question, then a handoff escalation is made to a human customer support person.

That’s how it’s supposed to work, anyway.  This newly discovered campaign abuses chatbots.

Here’s how they’re structuring the campaign:

The first step is to send an email out to an individual concerning their Facebook page, generally claiming that the page has violated some portion of Facebook’s Community Standards and giving the email recipient 48 hours to appeal the decision or risk their page being deleted.

Naturally, this is mortifying to most people, who will rush to resolve the issue.

That’s exactly what the phishers are counting on.  By “helpfully” providing a link or button embedded in the email which connects them to a chatbot, but one that the scammers control.

By all appearances, the email recipient is connected to a member of Facebook’s customer support team.  It is in fact a chatbot controlled by the scammers.

The fake customer support person will basically regurgitate the information contained in the email and then will send the victim a message containing an “Appeal Now” button.

Clicking this button takes the victim to a website disguised as the “Facebook Support Inbox.” At this point, only an observant potential victim will see through the ruse as the inbox domain is in no way associated with Facebook. Others may easily miss it.

If the victim doesn’t see through the ruse, he or she will be asked to input a variety of information on a form.  When this form is submitted, a pop-up box appears asking the user to re-enter their Facebook password, and that’s the hook.

Everything up to this point has been bait designed to get the potential victim to give up their password.

Even if you’re not personally on Facebook, make sure everyone you know who is knows about this scam.  If we can help even one person avoid being taken in, that’s a victory.