A new phishing campaign is being carried out against users of Facebook. The scheme targets individuals and relies on abusing the platform’s Trusted Contacts feature in order to trick victims into surrendering personal information.
The attack was first identified by Access Now, a non-profit advocacy group that organizes around the cause of a free and open Internet. While the scam could be launched against anyone with a Facebook account, the organization reports early targets of the attack have been human right defenders and activists from the Middle East and North Africa.
At the heart of the phishing attempt is Facebook’s Trusted Contacts feature. First introduced by the social network in 2013, Trusted Contacts is a system developed to help people regain access to their account when they have been locked out or forgot their password.
When a user has Trusted Contacts enabled, Facebook will ask the person to identity between three and five people. When the user attempts to gain access to their account, Facebook will send part of a code to each one of the designated users, which they are then to pass on to the user. When those partial codes are combined, the user can regain full access to their account.
The threat actors carrying out the phishing attack will send a message through Facebook Messenger through an account they have already compromised so it appears as though it is coming from a friend. In the message, the attacker will ask for help recovering their account and claim that the user is one of their Trusted Contacts.
The attacker then triggers the “I forgot my password feature” for the account of the potential victim. Doing so will send a code to that person that is intended to help them recover their own account. But because they have been primed by the attacker to believe the code is part of the Trusted Contacts system, they surrender the account recovery code.
With that code, the threat actors can then gain access to the victim’s account. That includes full access to any information stored on their account including messages. The attackers can then continue to perpetuate the attack by sending a message through the newly compromised account to the victim’s friends.
There are a number of ways potential victims of this attack can prevent it from happening. First, attempt to confirm with the friend that they are who they claim. Contact the friend on a different platform, either via text or another messaging app.
Also, users are advised to take their time when reacting to urgent messages. Often times, attacks like these rely upon creating a panicked situation in which a person simply reacts rather than thinks about what they are being asked to do. Take a step back and think about the situation before responding.
It’s also worth learning about Facebook’s Trusted Contacts feature and possibly activating it yourself. Knowing about the feature would be an immediate tip off that it doesn’t work as the attacker suggests, and having it activated may help quickly recover an account if hackers find another way in.
Facebook also has a resource for those who believe their account may have been compromised. Anyone who is concerned about such a situation can visit the social network’s Hacked page and follow the instructions on screen to determine if an account is compromised and take action.