+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

Scammers are using Facebook's 'Notes' feature in a clever trick to fool people into giving up their passwords

Dec 17, 2019, 01:34 IST
AP Photo/Andrew HarnikFacebook CEO Mark Zuckerberg testifies before a House Financial Services Committee hearing on Capitol Hill in Washington, Wednesday, Oct. 23, 2019.
  • A clever Facebook scamming attempt makes use of the social network's "Notes' feature.
  • People are writing notes that imitate official Facebook copyright warnings, then using them to trick users into giving up their passwords.
  • There is a constant arms race between tech company security teams and scammers, hackers, and fraudsters trying to exploit their users.

Scammers have a crafty way to try to trick users into giving up their Facebook passwords - and they're using the social network itself to pull it off.

The phishing attempt tries to scare users by thinking their Facebook pages are at risk of being taken down for copyright reasons, and uses Facebook's "Notes" tool to make the hoax more legitimate.

It's another example of how scammers, hackers, and fraudsters are in a constant arms race with tech companies in their attempts to exploit the companies users', and how even the companies' own products can be co-opted to deceive people.

Advertisement

Business Insider found the phishing attempt when it was sent to our tips email, so here's how it works.

First, a user receives an email purporting to be from Facebook, warning them that their Facebook page was flagged by an unspecified "third party" and is at risk of being taken down.

"We received a report from a third party that the content you posted on your page infringes or otherwise violates their rights," the warning reads. "You manage a Page representing a company, organization or other entity that we have reason to believe you are not authorized to represent."

BIAnother clue it's fake: Okta is an independent company, rather than a service owned by Facebook.

It then invites users to follow a link to verify their identity, and this is the part that distinguishes it from a more rudimentary phishing attempt. Normally, the scammers might redirect the user to a website imitating Facebook - but instead, the user is taken directly to the real Facebook, to a Note that imitates an official copyright complaint.

It looks official, the user can see they're logged in and definitely on the real Facebook, and the note author is the generically named page "Policy Issues." If the user isn't very familiar with Facebook's user interface and Notes tool, it'd be easy to assume this is an official, Facebook-sanctioned warning - rather than an unauthorized imitation.

BI

The user is then told to follow a second link to continue the appeal process. This appears to be another official Facebook link, but it disguises a bit.ly short link that takes the user to facebook.com.fbmailcopyrights.com, a phony site pretending to be the real Facebook.

BI

The user is then asked to fill in various details, including their name, page name, and email address. Their password isn't requested until the last minute, in a realistic-looking "security" prompt after they hit send.

BI

Once the user does that, their account is compromised.

Using two-factor authentication - a security measure that requires entry of a code sent to a user's device before the login process finishes - can help mitigate some risk, by ensuring the phishers aren't able to access the user's account (though the password is still compromised). Users should also avoid re-using passwords, to ensure that if they accidentally expose the password for an account on one service their accounts elsewhere aren't at risk too. And before entering sensitive information, always make sure to check the URL to ensure the website is the real deal - rather than just a clever pretender.

A Facebook spokesperson said that the company had disabled the page behind the fraudulent note. In a statement, they said: ""We encourage people to report suspicious messages and posts like this one, and we educate people about keeping their account secure, including by not using their Facebook password anywhere else online. More information is available in our Help Center: facebook.com/help/phishing."

Advertisement

Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.)

Read more:

NOW WATCH: Watch Jeff Bezos' Blue Origin rocket go to space and land back on Earth

You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article