January 18, 2021


“Is it you in the video?” – don’t fall for this Messenger scam

If you’ve ever wondered why cybercriminals are interested in your IM passwords…

…well, it’s not just so they can sneak into your account and snoop through your personal data with a view to abusing it themselves or selling it on to someone else who will.

Access to your account also gives crooks a level of trusted access to your friends and family that makes scams of all sorts much easier to pull off.

Whether it’s pitching a bogus investment plan, luring someone to a fake login page, persuading them to submit an application form for a non-existent job, or simply getting them to waste their money on useless, overpriced, shoddily made tat…

…well, it’s much more likely that a scammer will be able to talk you into clicking a link using a message that actually came from a friend’s account than if they just contacted you out of the blue.

Indeed, many users deliberately limit their “circles of contact” on social media and instant messaging services not just for privacy reasons but also to cut down on the sort of unsolicited messages, spams and scams they endure via email.

A menace to those around you

A scammer with your instant messaging or social media passwords is not only a menace to you, but also to those around you, as one of our readers discovered this evening when he received a note from a friend via Facebook Messenger that said:

https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2020/12/fms-msg-img-640.png

Is it you in the video

From someone you didn’t know, a question like that would fall somewhere between bizarre and creepy, but from a friend, who wouldn’t want to take a look?

There is no video, of course – the black image links to a URL shortening service, which in turn redirects to a URL that pops up what looks like a Facebook login page:

https://nakedsecurity.sophos.com/wp-content/uploads/sites/2/2020/12/fms-phish-640.png

The URL (redacted above) clearly has nothing to do with Facebook – it’s a randomly-generated server name on a boutique Hungarian web hosting platform – and, as you can see from the crossed-out padlock icon in the address bar, the site uses HTTP and not HTTPS.

Facebook was an early adopter of HTTPS-for-everything, giving up on HTTP altogether back in 2012, so any page that claims to represent Facebook but doesn’t have HTTPS is an unreconstructed fake.

Unfortunately, entering your username and password into the fake login page above would submit them to a server running on a low-cost web hosting service in the USA, using a vaguely legitimate-looking domain name that was registered less than a month ago.
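The tell-tale signs just described (a shortener as the first hop, a Facebook-branded page served over plain HTTP, a landing host that is not Facebook's, and a login form posting to yet another host) can be checked mechanically from a redirect chain you have already captured in a sandbox, without ever entering credentials. The following is an added example, not code from the article; the Facebook and shortener host lists and the sample URLs are constructed assumptions.

```python
"""Triage a Messenger "is it you in the video" link from a captured redirect chain."""
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allow-list of hosts Facebook serves login pages from (extend as needed).
FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
# Assumed list of common URL shorteners; the article does not name the one used.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_facebook_host(host: str) -> bool:
    return host in FACEBOOK_HOSTS or host.endswith(".facebook.com")


def triage_chain(chain: List[str], claims_facebook: bool,
                 form_action: Optional[str] = None) -> List[str]:
    """Return human-readable findings for a redirect chain; [] means nothing suspicious.

    chain: ordered URLs from the link clicked through to the final landing page.
    claims_facebook: True if the landing page is branded as a Facebook login.
    form_action: where the landing page's login form posts, if you extracted it.
    """
    findings = []
    if not chain:
        return ["empty redirect chain"]
    landing_host = host_of(chain[-1])
    if host_of(chain[0]) in SHORTENER_HOSTS:
        findings.append("first hop is a URL shortener, hiding the real destination")
    if claims_facebook:
        # Facebook has been HTTPS-only since 2012, so HTTP plus Facebook branding is a fake.
        if urlsplit(chain[-1]).scheme != "https":
            findings.append("Facebook-branded page served over plain HTTP: fake")
        if not is_facebook_host(landing_host):
            findings.append(f"landing host {landing_host!r} is not a Facebook host")
    if form_action is not None and host_of(form_action) != landing_host:
        findings.append(f"login form posts to {host_of(form_action)!r}, "
                        f"not to the page host {landing_host!r}")
    return findings


# Constructed sample modelled on the article's description; these are not real URLs.
SAMPLE_CHAIN = ["https://bit.ly/3xyzabc", "http://k7f2q9.example-hosting.hu/watch/"]
SAMPLE_FORM_ACTION = "http://login-secure-example.net/post.php"

if __name__ == "__main__":
    for finding in triage_chain(SAMPLE_CHAIN, True, SAMPLE_FORM_ACTION):
        print("-", finding)
```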

Our reader immediately assumed that his friend had himself recently received a similar (perhaps even an identical) message, and had not only clicked through but attempted to log in, handing his password to the crooks and thus ensuring that all his contacts would soon be spammed in turn.

After the fake login page

This scam goes even further – whether as a distraction to buy a bit of time before victims realise they’ve been taken in and rush to change their Messenger passwords, or simply to give the crooks a second bite at the cherry, we don’t know.

After entering your password, there’s a short delay, as you might expect when logging in to any online service, after which the crooks seem to pick from a range of other scams and redirect you to one of them at random.

These didn’t look as though they were being run by the same criminals, so we’re assuming the message-spamming crooks were simply hoping to collect “affiliate fees” from other criminals in the underground.

These “second redirect” scams varied from specious VPN offers to a range of those “free” phone deals where all you need to do is pay a modest delivery fee (£1.95 in the variants we saw here), thus giving the crooks a believable excuse to collect your credit card details.

What to do?

· Use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for cybercriminals.

· If you think your friend’s account has been hacked, contact them via some other method. Don’t reply via the very same account that you don’t trust – if it is a scam, you are just tipping off the crooks, who will lie to you and tell you everything is fine.

· If a friend lets you know your account was hacked, don’t delay. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals.

· Use a password manager. Password managers help in many ways: you automatically get a different password for every site; you get passwords that are random and can’t be guessed; it’s faster to change your password if you do get hacked; and it’s much harder to get phished because your password manager won’t put the right password into the wrong site.

· Use an anti-virus with a built-in web filter. Attacks of this sort generally don’t rely on sending malware to your computer, but instead rely on tricking you into uploading secret data like passwords from your computer. A web filter helps stop you landing on fake pages in the first place and therefore shields you from phishing. (Sophos Home has a web filter – there’s a free version for both Windows and Mac.)