{"id":17933,"date":"2021-01-26T06:21:14","date_gmt":"2021-01-26T11:21:14","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/facebook-account-hijack-through-notes\/17933\/"},"modified":"2021-01-26T17:24:26","modified_gmt":"2021-01-26T13:24:26","slug":"facebook-account-hijack-through-notes","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/facebook-account-hijack-through-notes\/17933\/","title":{"rendered":"Fake copyright violation notice aimed at stealing Facebook accounts"},"content":{"rendered":"

The latest phishing campaign aimed at stealing Facebook accounts is gathering momentum. Users are receiving mass e-mails threatening bans for copyright violation. The aim is to steal the users\u2019 login credentials. We explain the anatomy of the new scheme and how not to swallow the bait.<\/p>\n

Who, me?<\/h2>\n

The message says something like: \u201cYour Facebook account has been disabled for violating the Facebook Terms. If you believe that this decision is incorrect, you may file an appeal at this link.\u201d<\/p>\n

What could the problem be? A video you posted last year of your friends dancing to a hit song? Could that really be it? Well, maybe: The link does lead to a notice about music copyright infringement. The address of the page is facebook.com, and the notification page contains a link to an appeal form. So far, seems plausible.<\/p>\n

Afraid of losing your account and without seeing any red flags in the link address, you might even enter your full name and username, as requested. Next, however, is a request no one should mindlessly obey: \u201cFor your own security, please enter your password.\u201d<\/p>\n

And \u2026 scene. Your login and password (i.e., your entire account) now belongs to cybercriminals.<\/p>\n

We\u2019ve said it before and we\u2019ll say it again: Don\u2019t follow links in suspicious e-mails. Even the savviest users can get caught off-guard by a well-written, well-designed message that gets through the spam filter, contains what looks like a good link, and generally seems legitimate.<\/p>\n

What\u2019s the trick?<\/h2>\n

On closer inspection, the scam isn\u2019t really that clever. At every stage, there are warning signs. What\u2019s important is to stay calm and alert. Panic can lead even cautious people down dangerous paths.<\/p>\n

Let\u2019s start with the e-mail. First, the text itself gives the scammers away. Although it lacks the kind of egregious language errors we often see in spam, anyone familiar with Facebook\u2019s communications will note that the letter doesn\u2019t read quite right. Then, to trick spam filters, attackers introduce small intentional typos into the body of the e-mail. In this case, they used the old upper-case-I-instead-of- lower-case-L trick. If your mail client uses a serif font, the substitution is easy to spot.<\/p>\n

\"Here's<\/a>

Here\u2019s how the message looks if the mail client uses a serif font. The substituted letters give the scammers away<\/p><\/div>\n

If the font is sans-serif, you may not detect that sort of change. So, let\u2019s move on to the next clue. Pay attention to the sender\u2019s address. The name says Facebook, but the actual address (shown in some clients in a nondescript gray color, unfortunately) has nothing to do with the social network. Official Facebook notifications would never come from an address like this one.<\/p>\n

\"If<\/a>

If your mail client uses a sans-serif font, lower-case L and upper-case i look identical, but the sender\u2019s address betrays its origin: not Facebook<\/p><\/div>\n

Now, the link in the e-mail does point to Facebook. As we mentioned, that\u2019s another trick designed to fool spam filters \u2014 and you. But the page does not contain an official notice; it\u2019s a note<\/em>. Until last October<\/a>, any user could create one using Facebook Notes. At the time of this writing, the tool has been disabled, but old notes are still accessible. At the top of the page is the username, which in this case looks plausibly legit: Case #5918694.<\/p>\n

\"The<\/a>

The address bar reveals that the text is someone\u2019s Facebook note<\/p><\/div>\n

The link is external but disguised as internal. Hovering over it, we can see that it redirects from Facebook to an outside website that has been shortened using Bitly.<\/p>\n

\"The<\/a>

The address of the link is visible in the lower left corner. At first glance, it might seem internal, but it points to an external resource via bit.ly<\/p><\/div>\n

The link opens a form that asks for the e-mail address or phone number linked to your Facebook account. The page address looks a bit like Facebook\u2019s, but a closer look reveals that it has nothing to do with the social network.<\/p>\n

\"The<\/a>

The address bar shows \u201c.com\u201d followed by a random set of numbers<\/p><\/div>\n

Click the Send button and a password entry form pops up. It\u2019s the final play; enter a real password in this field and it\u2019s game, set, and match to the cybercriminals.<\/p>\n

\"Finally,<\/a>

Finally, the password entry form<\/p><\/div>\n

How to protect your Facebook account from hijacking<\/h2>\n

You can thwart most phishing campaigns (not just Facebook ones) by following these simple rules.<\/p>\n