{"id":33707,"date":"2024-06-11T21:42:12","date_gmt":"2024-06-11T10:42:12","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/33707\/"},"modified":"2024-06-11T21:42:16","modified_gmt":"2024-06-11T10:42:16","slug":"facebook-scam-24-hours-are-left-ro-request-review-see-why","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/33707\/","title":{"rendered":"Phishing using FB infrastructure stealing business-account passwords"},"content":{"rendered":"<p>Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they\u2019ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.<\/p>\n<h2>Anatomy of the phishing attack on Facebook business accounts<\/h2>\n<p>\nIt all starts with a message sent by the social network itself to the email address linked to the victim\u2019s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: \u201c24 Hours Left To Request Review. 
See Why.\u201d<\/p>\n<div id=\"attachment_51448\" style=\"width: 1290px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214028\/facebook-scam-24-hours-are-left-ro-request-review-see-why-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51448\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214028\/facebook-scam-24-hours-are-left-ro-request-review-see-why-1.jpg\" alt=\"Email warning that a Facebook business account could be blocked\" width=\"1280\" height=\"628\" class=\"size-full wp-image-51448\"><\/a><p id=\"caption-attachment-51448\" class=\"wp-caption-text\">Email with a fake warning about account problems, sent by Facebook itself<\/p><\/div>\n<p>Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email or manually open Facebook in a browser and check for the notifications.<\/p>\n<p>Either way, they\u2019ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network\u2019s site. A notification is waiting there \u2014 with the now familiar orange icon and same threatening words: \u201c24 Hours Left To Request Review. 
See Why.\u201d<\/p>\n<div id=\"attachment_51449\" style=\"width: 700px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214036\/facebook-scam-24-hours-are-left-ro-request-review-see-why-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51449\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214036\/facebook-scam-24-hours-are-left-ro-request-review-see-why-2.jpg\" alt=\"Phishing notification in Facebook\" width=\"690\" height=\"389\" class=\"size-full wp-image-51449\"><\/a><p id=\"caption-attachment-51449\" class=\"wp-caption-text\">Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service<\/p><\/div>\n<p>The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account.<\/p>\n<p>If they do, a website opens (this time, bearing the Meta logo, not Facebook) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms \u2014 we found at least one \u201clocation\u201d on Instagram with the same name: \u201c24 Hours Left To Request Review. 
See Why.\u201d<\/p>\n<div id=\"attachment_51450\" style=\"width: 1430px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214052\/facebook-scam-24-hours-are-left-ro-request-review-see-why-3.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51450\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214052\/facebook-scam-24-hours-are-left-ro-request-review-see-why-3.jpg\" alt=\"Phishing page for appealing the account block\" width=\"1420\" height=\"918\" class=\"size-full wp-image-51450\"><\/a><p id=\"caption-attachment-51450\" class=\"wp-caption-text\">On a phishing page outside Facebook, the victim is prompted to appeal the block<\/p><\/div>\n<p>After clicking the Start button, through a series of redirects the visitor lands on a page with a form asking initially for relatively innocent data: page name, first and last names, phone number, date of birth.<\/p>\n<div id=\"attachment_51451\" style=\"width: 1287px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214104\/facebook-scam-24-hours-are-left-ro-request-review-see-why-4.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51451\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214104\/facebook-scam-24-hours-are-left-ro-request-review-see-why-4.jpg\" alt=\"Phishing form asking for personal data\" width=\"1277\" height=\"918\" class=\"size-full wp-image-51451\"><\/a><p id=\"caption-attachment-51451\" class=\"wp-caption-text\">] The second screen asks the victim to enter certain personal data<\/p><\/div>\n<p>It\u2019s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account and your password. 
As you might guess, it\u2019s this data that the attackers are after.<\/p>\n<div id=\"attachment_51452\" style=\"width: 1313px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214123\/facebook-scam-24-hours-are-left-ro-request-review-see-why-5.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51452\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214123\/facebook-scam-24-hours-are-left-ro-request-review-see-why-5.jpg\" alt=\"Phishing form for entering Facebook credentials\" width=\"1303\" height=\"912\" class=\"size-full wp-image-51452\"><\/a><p id=\"caption-attachment-51452\" class=\"wp-caption-text\">The attackers don\u2019t waste any time in requesting your Facebook account credentials<\/p><\/div>\n<h2>How the phishing scheme exploits real Facebook infrastructure<\/h2>\n<p>\nNow let\u2019s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: \u201c24 Hours Left To Request Review. 
See Why.\u201d They also change the profile pic so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.<\/p>\n<div id=\"attachment_51453\" style=\"width: 478px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214133\/facebook-scam-24-hours-are-left-ro-request-review-see-why-6.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51453\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214133\/facebook-scam-24-hours-are-left-ro-request-review-see-why-6.jpg\" alt=\"Hijacked Facebook account used to send phishing notifications\" width=\"468\" height=\"1119\" class=\"size-full wp-image-51453\"><\/a><p id=\"caption-attachment-51453\" class=\"wp-caption-text\">Attackers change the name and profile picture of the hijacked Facebook account<\/p><\/div>\n<p>That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim\u2019s page appears after a few dozen empty lines. 
By default it\u2019s hidden, but on clicking the \u201cSee more\u201d link in the phishing post, the mention becomes visible.<\/p>\n<div id=\"attachment_51454\" style=\"width: 1890px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214151\/facebook-scam-24-hours-are-left-ro-request-review-see-why-7.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51454\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214151\/facebook-scam-24-hours-are-left-ro-request-review-see-why-7.jpg\" alt=\"Cybercriminal posts that mention company accounts \" width=\"1880\" height=\"1128\" class=\"size-full wp-image-51454\"><\/a><p id=\"caption-attachment-51454\" class=\"wp-caption-text\">The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post<\/p><\/div>\n<p>Threat actors post such messages from the hijacked account in bulk all at once, each of which mentions one of the target Facebook business accounts.<\/p>\n<div id=\"attachment_51455\" style=\"width: 1290px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214204\/facebook-scam-24-hours-are-left-ro-request-review-see-why-8.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51455\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/06\/11214204\/facebook-scam-24-hours-are-left-ro-request-review-see-why-8.jpg\" alt=\"Bulk publication of posts mentioning a hijacked Facebook account\" width=\"1280\" height=\"1024\" class=\"size-full wp-image-51455\"><\/a><p id=\"caption-attachment-51455\" class=\"wp-caption-text\">Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization<\/p><\/div>\n<p>As a result, Facebook diligently sends notifications to all accounts 
mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.<\/p>\n<h2>How to protect business social media accounts from hijacking<\/h2>\n<p>\nWe should note that phishing isn\u2019t the only threat to business accounts. There exists an entire class of malware specially created <a href=\"https:\/\/www.kaspersky.com\/blog\/how-criminals-can-get-your-password\/46716\/\" target=\"_blank\" rel=\"noopener nofollow\">for password theft<\/a>; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions \u2014 see our recent post about <a href=\"https:\/\/www.kaspersky.com\/blog\/ducktail-steals-facebook-business-accounts\/49845\/\" target=\"_blank\" rel=\"noopener nofollow\">their use in hijacking Facebook business accounts<\/a>.<\/p>\n<p>Here\u2019s what we recommend for protecting the social media accounts of your business:\n<\/p>\n<ul>\n<li>Always use <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor authentication<\/a> wherever possible.<\/li>\n<li>Pay close attention to notifications about suspicious login attempts.<\/li>\n<li>Make sure all your passwords are both strong and unique. 
To generate and store them, it\u2019s best to use a <a href=\"https:\/\/www.kaspersky.com.au\/password-manager?icid=au_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a>.<\/li>\n<li>Carefully check the addresses of pages asking for account credentials: if there\u2019s even the slightest suspicion that a site is fake, do not enter your password.<\/li>\n<li>Equip all work devices with <a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">reliable protection<\/a> that will warn of danger ahead of time and block the actions of both malware and browser extensions.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals are using genuine Facebook infrastructure to send phishing emails threatening to block 
accounts.<\/p>\n","protected":false},"author":2704,"featured_media":33709,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[3086,2639,2141,19,20,187,76,98,422],"class_list":{"0":"post-33707","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-account-hijacking","11":"tag-accounts","12":"tag-business","13":"tag-email","14":"tag-facebook","15":"tag-passwords","16":"tag-phishing","17":"tag-social-networks","18":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/33707\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/27563\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/22881\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/30234\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/27713\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/37684\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/51447\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/27888\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/facebook-scam-24-hours-are-left-ro-request-review-see-why\/33371\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/phishing\/","name":"phishing"},"_links":
{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2704"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=33707"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33707\/revisions"}],"predecessor-version":[{"id":33708,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33707\/revisions\/33708"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/33709"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=33707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=33707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=33707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}