We’ve seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We’re now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn’t just some spam mail in your inbox claiming you have received a “private message”.
As of writing, the PM looks like this:
click to enlarge
WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation. Please confirm your Facebook account below:
[URL redacted]
Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them. Below are screenshots of the pages in the order of how they will appear to users:
- The first page is a something most Internet users are conditioned to seeing: a “prompt” telling users what they’re about to do and why they have to do it.
click to enlarge - Clicking the Continue button leads users to the second bit where it asks for their basic personal information and credentials (email and password) used to log in to Facebook.
click to enlarge - Next, users might think that this is is a peculiar one as it asks them to select the webmail service the email address you entered in the previous page is under. For example, if the email you use to sign in on Facebook is a Gmail address, then you have to select “Gmail” from the drop-down option box.
click to enlarge - The fourth page is an interesting one: It asks users to enter only the first six digits of their payment card (debit or credit card) number, regardless of whether they have used their card to buy Facebook Credits or not. Unfortunately, there is no option to skip this part.
In case you’re wondering, the first six digits of a credit or debit card is the Issuer Identification Number (IIN), which identifies the issuer (VISA, MasterCard, American Express, etc.) of the card.
click to enlarge - Just when you think that all that’s needed is the first six digits of their payment card, users find out that they have to give the complete card number after all, and then some more.
click to enlarge
Once all five “verification” pages have been filled out, dear Reader, consider yourself phished and expect your account to send out the same PM you received to your Facebook network.
Unsolicited messages from phishers landing on your private message inbox are no longer limited to Twitter. Despite this old method being used in a different platform, our advice on how to avoid falling for such scams remain the same: Always check the URL to be sure you’re not going to visit a link that is completely unrelated to Facebook-“Think before you click”, remember?; be skeptical about messages claiming to have come from Facebook; lastly, never share the URL to anyone on Facebook or on your other social sites as this only increases the possibility of someone clicking the link and getting phished themselves.
— Jovi Umawing
Leave a reply
