Category Archives: Phishing

Crimeware server used by NetWalker ransomware seized and shut down

It’s taken nearly ten years, but the US Department of Justice (DOJ) has just announced the court-approved seizure of a web domain called LolekHosted.net that was allegedly connected to a wide range of crimeware-as-a-service activities.

The DOJ also charged a 36-year-old Polish man named Artur Karol Grabowski in connection with running the service, but his current whereabouts are unknown.

In the DOJ’s blunt words, “Grabowski remains a fugitive.”

The downed site is still technically online, but now presents a warning notice to visitors.

Bulletproof hosting

Sites of this sort are known in the jargon as bulletproof hosts, whose operators like to claim that they will not only shift around online to resist takedown efforts, but also shield their “customers” from identification even if their assets do get seized.

Indeed, the DOJ alleges that:

Grabowski allegedly facilitated the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement.

Cybercrime activities allegedly enabled by LolekHosted include: ransomware attacks; system penetration attempts via what’s known as brute force attacks (for example, where attackers try logging into thousands of different servers with millions of different passwords each); and phishing.

As you probably know, ransomware criminals typically use anonymous darkweb hosts for contact purposes when they’re “negotiating” their blackmail payoffs.

Those darkweb servers are usually hosted in the largely anonymous Tor network, with server names ending in .onion.

So-called onion addresses aren’t part of the regular internet domain name system (DNS), so they can’t be looked up or traced using conventional tools, and they require ransomware victims to set up and use a special Tor-enabled browser to access them pseudonymously.

In the build-up to an attack, however, and even while the attack is under way, ransomware crooks often need innocently-styled URLs on the regular “brightweb”.

For example, attackers often set up legitimate-looking sites as download repositories for their malware and hacking tools, as jumping-off points for mounting attacks, and as upload servers to which they can exfiltrate stolen files without arousing immediate suspicion.

According to the DOJ, Grabowski’s customers included numerous affiliates of the notorious NetWalker ransomware gang, with LolekHosted servers implicated in:

approximately 50 NetWalker ransomware attacks on victims located all over the world, including in the Middle District of Florida [where Grabowski is being charged]. Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims.

What next?

If he is caught and convicted, the DOJ says that it is seeking to recover a whopping $21,500,000 in forfeited funds from Grabowski, a sum that the DOJ claims matches the proceeds of the criminal activities with which he has been charged.

We don’t know what happens if Grabowski gets caught and won’t or can’t come up with the money, but the DOJ also points out that the maximum jail-time penalty he faces if convicted on all charges (for all that maximum sentences are rarely imposed) comes to 45 years.


T-Mobile admits to 37,000,000 customer records stolen by “bad actor”

US mobile phone provider T-Mobile has just admitted to getting hacked, in a filing known as an 8-K that was submitted to the Securities and Exchange Commission (SEC) yesterday, 2023-01-19.

The 8-K form is described by the SEC itself as “the ‘current report’ companies must file […] to announce major events that shareholders should know about.”

These major events include issues such as bankruptcy or receivership (item 1.03), mine safety violations (item 1.04), changes in an organisation’s code of ethics (item 5.05), and a catch-all category, commonly used for reporting IT-related woes, dubbed simply Other Events (item 8.01).

T-Mobile’s Other Event is described as follows:

On January 5, 2023, T-Mobile US […] identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time.

In plain English: the crooks found a way in from the outside, using ordinary web requests to an API that handed over private customer information without properly checking that the caller was authorised to receive it.

T-Mobile first states the sort of data it thinks attackers didn’t get, which includes payment card details, social security numbers (SSNs), tax numbers, other personal identifiers such as driving licences or government-issued IDs, passwords and PINs, and financial information such as bank account details.

That’s the good news.

The bad news is that the crooks apparently got in way back on 2022-11-25 (ironically, as it happens, Black Friday, the day after US Thanksgiving) and didn’t go away empty-handed.

Plenty of time for plunder

The attackers, it seems, had enough time to extract and make off with at least some personal data for about 37 million users, including both prepaid (pay-as-you-go) and postpaid (billed-in-arrears) customers, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

Curiously, T-Mobile officially describes this state of affairs with the words:

[T]here is currently no evidence that the bad actor was able to breach or compromise our systems or our network.

Affected customers (and perhaps the relevant regulators) may not agree that 37 million stolen customer records, notably including where you live and your date of birth…

…can be waved aside as neither a breach nor a compromise.

T-Mobile, as you may remember, paid out a whopping $500 million in 2022 to settle a breach that it suffered in 2021, although the data stolen in that incident did include information such as SSNs and driving licence details.

That sort of personal data generally gives cybercriminals a greater chance of pulling off serious identity thefts, such as taking out loans in your name or masquerading as you to sign some other sort of contract, than if they “only” have your contact details and your date of birth.



What to do?

There’s not much point in suggesting that T-Mobile customers take greater care than usual when trying to spot untrustworthy emails such as phishing scams that seem to “know” they’re T-Mobile users.

After all, scammers don’t need to know which mobile phone company you’re with in order to guess that you probably use one of the major providers, and to phish you anyway.

Simply put, if there are any new anti-phishing precautions you decide to take specifically because of this breach, we’re happy to hear it…

…but those precautions are behaviours you might as well adopt anyway.

So, we’ll repeat our usual advice, which is worth following whether you’re a T-Mobile customer or not:

  • Don’t click “helpful” links in emails or other messages. Learn in advance how to navigate to the official login pages of all the online services you use. (Yes, that includes social networks!) If you already know the right URL to use, you never need to rely on links that might have been supplied by scammers, whether in emails, text messages, or voice calls.
  • Think before you click. It’s not always easy to spot scam links, not least because even legitimate services often use dozens of different website names. But at least some, if not many, scams include the sort of mistakes that a genuine company typically wouldn’t make. As we suggest in Point 1 above, try to avoid clicking through at all, but if you do, don’t be in a hurry. The only thing worse than falling for a scam is realising afterwards that, if only you’d taken a few extra seconds to stop and think, you’d have spotted the treachery easily.
  • Report suspicious emails to your work IT team. Even if you’re a small business, make sure all your staff know where to submit treacherous email samples or to report suspicious phone calls (for example, you could set up a company-wide email address such as cybersec911@example.com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.



“Suspicious login” scammers up their game – take care at Christmas

Black Friday is behind us, that football thing they have every four years is done and dusted (congratulations – spoiler alert! – to Argentina), it’s the summer/winter solstice (delete as inapplicable)…

…and no one wants to get locked out of their social media accounts, especially when it’s the time for sending and receiving seasonal greetings.

So, even though we’ve written about this sort of phishing scam before, we thought we’d present a timely reminder of the kind of trickery you can expect when crooks try to prise loose your social media passwords.

We clicked through for you

Because a picture is supposed to be worth 1024 words, we’ll be showing you a sequence of screenshots from a recent social media scam that we ourselves received.

Simply put, we clicked through so you don’t have to.

This one started with an email that pretends to be looking out for your online safety and security, though it’s really trying to undermine your cybersecurity completely:

Even though you may have received similar-looking emails from one or more of your online account providers in the past, and even though this one doesn’t have any glaring spelling or grammatical errors…

…in fact, even if this really were a genuine email from Instagram (it isn’t!), you can protect yourself best simply by not clicking on any links in the email itself.

If you have your own bookmark for Instagram’s help pages, researched and saved when you weren’t under any cybersecurity pressure, you can simply navigate to Instagram directly, all by yourself.

That way, you neatly avoid any risk of being misdirected by the blue text (the clickable link) in the email, no matter whether it’s real or fake, working or broken, safe or dangerous.

The trouble with clicking through

If you do click through, perhaps because you’re in a hurry, or you’re worried about what might have happened to your account…

…well, that’s when the trouble starts, with a fake page that looks realistic enough.

The crooks are pretending that someone, presumably someone enjoying a vacation of their own in Paris, tried to log in to your account:

You ought to be suspicious of the server name that shows up in the address bar in this scam (we’ve redacted it here, though it wasn’t anything like instagram.com), but we can understand why so many users get caught out by fake domains.

That’s because lots of legitimate online services make it as good as impossible to know what to expect in your address bar these days, as Sophos expert (and popular Naked Security podcast guest) Chester Wisniewski explained back in Cybersecurity Awareness Month:

In this scam, whether you click [This wasn't me] or [This was me], the crooks take you down the same path, asking first for your username:

The wording has started to get a bit clumsy on the next screen, where the crooks are going for your password, but it’s still believable enough:

A fake mistake

The scammers then pretend you made a mistake, asking you not only to type in your password a second time, but also to add a tiny bit more personal information about your location:

Not every phishing scam of this sort uses the “your password is wrong” trick, but it’s quite common.

We suspect that the crooks do this because there’s dubious security advice still going around that says, “You can easily detect a scam site by deliberately putting in a fake password first; if the site lets you in anyway, then obviously the site doesn’t know your real password.”

If you follow this advice (please don’t – it only ever gives you a false sense of security), you might jump to the dangerous conclusion that the site must surely know your real password, and must therefore be genuine, given that it seems to know that you put in the wrong password.

Of course, the crooks can safely say that you got your password wrong the first time, even if you didn’t.

If you deliberately got your password wrong, the crooks can simply pretend to “know” it was wrong in order to trap you into continuing with the scam.

But if you’re sure you really did put in the right password, and therefore the fake error message makes you suspicious…

…it’s too late, because the crooks have already scammed you.

One last question

If you keep going, then the crooks try to squeeze you for one more piece of personal information, namely your phone number:

And to let you out of the scam gently, the crooks finish off by redirecting you to the genuine Instagram home page, as if to invite you to confirm that your account still works correctly:

What to do?

  • Keep a record of the official “verify your account” and “how to deal with infringement challenges” pages of the social networks you use. That way, you never need to rely on links sent via email to find your way there in future. As well as fake login warnings like the one shown here, attackers often use concocted copyright violations, made-up breaches of your account’s Terms and Conditions, and other fake “problems” with your account.
  • Pick proper passwords. Don’t use the same password as you do on any other sites. If you think you may have given away your password on a fake site, change it as soon as you can before the crooks do. Consider using a password manager if you don’t have one already.
  • Turn on 2FA (two-factor authentication) if you can. This means that your username and password alone will not be enough to login, because you will need to include a one-time code, either every time, or perhaps only when you first try to use a new device. Although this doesn’t guarantee to keep the crooks out, because they may try to trick you into revealing your 2FA code as well as your password, it nevertheless makes things harder for an attacker.
  • Don’t overshare. As much as it seems to be common to share a lot of your life on Instagram nowadays, you don’t have to give away everything about yourself. Also, think about who or what is in the background of your photos before you upload them, in case you overshare information about your friends, family or household by mistake.
  • Stay vigilant. If an account or message seems suspicious to you, do not interact or reply to the account and do not click on any links they send you. If something seems too good to be true, assume that it IS too good to be true.
  • Consider setting your Instagram account to private. If you aren’t trying to be an influencer whom everyone can see, and if you use Instagram more as a messaging platform to keep in touch with your close friends than as a way to tell the world about yourself, you may want to make your account private. Only your followers will be able to see your photos and videos. Review your list of followers regularly and kick off people you don’t recognise or don’t want following you any more.
    Screenshots: the ‘Privacy’ option on the Instagram Settings page (left), and the ‘Private account’ slider toggled on (right).
  • If in doubt, don’t give it out. Never rush to complete a transaction or confirm personal information because a message has told you you’re under time pressure. If you aren’t sure, ask someone you know and trust in real life for advice, so you don’t end up trusting the sender of the very message you aren’t sure you can trust. (And see the first tip above.)

Voice-scamming site “iSpoof” seized, 100s arrested in massive crackdown

These days, most of us have telephones that display the number that’s calling before we answer.

This “feature” actually goes right back to the 1960s, and it’s known in North American English as Caller ID, although it doesn’t actually identify the caller, just the caller’s number.

Elsewhere in the English-speaking world, you’ll see the name CLI used instead, short for Calling Line Identification, which seems at first glance to be a better, more precise term.

But here’s the thing: whether you call it Caller ID or CLI, it’s no more use in identifying the caller’s actual phone number than the From: header in an email is at identifying the sender of an email.

Show what you like

Loosely speaking, a scammer who knows what they’re doing can trick your phone into displaying almost any number they like as the source of their calls.

Let’s think through what that means.

If you get an incoming call from a number you don’t recognise, it almost certainly hasn’t been made from a phone that belongs to anyone you know well enough to have in your contact list.

Therefore, as a cybersecurity measure aimed at avoiding calls from people you don’t wish to hear from, or who could be scammers, you could use the jargon phrase low false positive rate to describe the effectiveness of CLI.

A false positive in this context represents a call from someone you do know, calling from a number it would be safe to trust, being misdetected and wrongly blocked because it’s a number you don’t recognise.

That sort of error is unlikely, because neither friends nor scammers are likely to pretend to be someone you don’t know.

But that usefulness only works in one direction.

As a cybersecurity measure to help you identify callers you do trust, CLI has an extreme false negative problem, meaning that if a call pops up from Dad, or Auntie Gladys, or perhaps more significantly, from Your Bank…

…then there’s a significant risk that it’s a scam call that’s deliberately been manipulated to get past your “do I know the caller?” test.

No proof of anything

Simply put: the numbers that show up on your phone before you answer a call only ever suggest who’s calling, and should never be used as “proof” of the caller’s identity.

Indeed, until earlier this week, there was an online crimeware-as-a-service system available via the unapologetically named website ispoof.cc, where would-be vishing (voice phishing) criminals could buy over-the-internet phone services with number spoofing included.

In other words, for a modest initial outlay, scammers who weren’t themselves technical enough to set up their own fraudulent internet telephony servers, but who had the sort of social engineering skills that helped them to charm, or mislead, or intimidate victims over the phone…

…could nevertheless show up on your phone as the tax office, as your bank, as your insurance company, as your ISP, or even as the very telephone company you were buying your own service from.

We wrote “until earlier this week” above because the iSpoof site has now been seized, thanks to a global anti-cybercrime operation involving law enforcement teams in at least ten different countries (Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK and the USA):

Megabust conducted

Seizing a clearweb domain and taking its offerings offline often isn’t enough on its own, not least because the criminals, if they remain at large, will often still be able to operate on the dark web, where takedowns are much harder due to the difficulty of tracking down where the servers actually are.

Or the crooks will simply pop up again with a new domain, perhaps under a new “brand name”, serviced by an even less scrupulous hosting company.

But in this case, the domain seizure was shortly preceded by a large number of arrests – 142, in fact, according to Europol:

Judicial and law enforcement authorities in Europe, Australia, the United States, Ukraine, and Canada have taken down a website that allowed fraudsters to impersonate trusted corporations or contacts to access sensitive information from victims, a type of cybercrime known as ‘spoofing’. The website is believed to have caused an estimated worldwide loss in excess of £100 million (€115 million).

In a coordinated action led by the United Kingdom and supported by Europol and Eurojust, 142 suspects have been arrested, including the main administrator of the website.

More than 100 of those arrests were in the UK alone, according to London’s Metropolitan Police, with up to 200,000 UK victims getting ripped off for many millions of pounds:

iSpoof allowed users, who paid for the service in Bitcoin, to disguise their phone number so it appeared they were calling from a trusted source. This process is known as ‘spoofing’.

Criminals attempt to trick people into handing over money or providing sensitive information such as one-time passcodes to bank accounts.

The average loss from those who reported being targeted is believed to be £10,000.

In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.

Of those, 350,000 calls lasted more than one minute and were made to 200,000 individuals.

According to the BBC, the alleged ringleader was a 34-year-old by the name of Teejai Fletcher, who has been remanded in custody pending a court appearance in Southwark, London, on 2022-12-06.

What to do?

  • TIP 1. Treat caller ID as nothing more than a hint.

The most important thing to remember (and to explain to any friends and family you think might be vulnerable to this sort of scam) is this: THE CALLER’S NUMBER THAT SHOWS UP ON YOUR PHONE BEFORE YOU ANSWER PROVES NOTHING.

Those caller ID numbers are nothing better than a vague hint of the person or the company that seems to be calling you.

When your phone rings and names the call with the words Your Bank's Name Here, remember that the words that pop up come from your own contact list, meaning no more than that the number provided by the caller matches an entry you added to your contacts yourself.

Put another way, the number associated with an incoming call provides no more “proof of identity” than the text in the Subject: line of an email, which contains whatever the sender chose to type in.


  • TIP 2. Always initiate official calls yourself, using a number you can trust.

If you genuinely need to contact an organisation such as your bank by phone, make sure that you initiate the call, and use a number that you worked out for yourself.

For example, look at a recent official bank statement, check the back of your bank card, or even visit a branch and ask a staff member face-to-face for the official number that you should call in future emergencies.


  • TIP 3. Don’t let coincidence convince you a call is genuine.

Never use coincidence as “evidence” that the call must be genuine, such as assuming that the call “must surely” be from the bank simply because you had some annoying trouble with internet banking this very morning, or paid a new supplier for the first time just this afternoon.

Remember that the iSpoof scammers made at least 3,500,000 calls in the UK alone (and 6.5M calls elsewhere) over a 12-month period, which works out at roughly one call every three seconds, around the clock, so coincidences like this aren’t merely possible, they’re as good as inevitable.

These scammers aren’t aiming to scam 3,500,000 people out of £10 each… in fact, it’s much less work for them to scam £10,000 each out of a few thousand people, by getting lucky and making contact with those few thousand people at the very moment when they are at their most vulnerable.


  • TIP 4. Be there for vulnerable friends and family.

Make sure that friends and family whom you think could be vulnerable to being sweet-talked (or browbeaten, confused and intimidated) by scammers, no matter how they’re first contacted, know that they can and should turn to you for advice before agreeing to anything over the phone.

And if anyone asks them to do something that’s clearly an intrusion of their personal digital space, such as installing TeamViewer to let them onto the computer, reading out a secret access code off the screen, or telling them a personal identification number or password…

…make sure they know it’s OK simply to hang up without saying a single word further, and getting in touch with you to check the facts first.


Oh, one more thing: the London cops have said that in the course of this investigation, they acquired a database file (we’re guessing it’s from some sort of call logging system) containing 70,000,000 rows, and that they’ve identified a whopping 59,000 suspects, of whom somewhere north of 100 have already been arrested.

Clearly, those suspects aren’t as anonymous as they might have thought, so the cops are focusing first on “those who have spent at least £100 of Bitcoin to use the site.”

Scammers lower down the pecking order may not be getting a knock on the door just yet, but it might just be a matter of time…




How social media scammers buy time to steal your 2FA codes

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

  • Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough to be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
  • With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA systems typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.
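As an added illustration (this is not code from the original article or from any real password manager), here is the kind of origin check a password manager performs before it offers to fill a saved credential: scheme, host and port must all match the origin the credential was saved for, with no suffix or “looks similar” matching. The saved URL and the lookalike pages are constructed for the example, and `should_autofill` is a hypothetical name. The same check is why the fake server name in the Instagram scam above would have stopped a password manager cold.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

Origin = Tuple[str, str, int]  # (scheme, host, port)


def origin_of(url: str) -> Optional[Origin]:
    """Reduce a URL to its origin, the way a browser or password manager does.

    Anything before '@' in the authority is userinfo, not the host, so
    https://www.instagram.com@phish.example/ has the host phish.example.
    Returns None for URLs that are not plain http(s) or have no usable host.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases the hostname
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return parts.scheme, host, port


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only when the page origin is exactly the saved origin and the page is HTTPS.

    www.instagram.com.evil.example and instagram-help-123456.example are
    different origins from www.instagram.com, however similar they look.
    """
    saved, page = origin_of(saved_url), origin_of(page_url)
    if saved is None or page is None or page[0] != "https":
        return False
    return saved == page


# Constructed sample: one saved credential, several pages asking for it
# (the expected decision is the dict value).
SAVED = "https://www.instagram.com/accounts/login/"

SAMPLE_PAGES = {
    "https://www.instagram.com/?next=%2Faccounts%2Fedit": True,      # same origin, different path/query
    "https://WWW.Instagram.com/": True,                              # host names are case-insensitive
    "https://www.instagram.com.security-check.example/login": False, # lookalike subdomain trick
    "https://instagram-help-123456.example/": False,                 # "personalised" phishing host
    "https://www.instagram.com@phish.example/": False,               # userinfo trick
    "http://www.instagram.com/": False,                              # right host, plaintext transport
    "https://www.instagram.com:8443/": False,                        # right host, wrong port
}


def classify(saved_url: str, pages) -> dict:
    """Return {page_url: would_fill} for every page in `pages`."""
    return {url: should_autofill(saved_url, url) for url in pages}


if __name__ == "__main__":
    for url, fill in classify(SAVED, SAMPLE_PAGES).items():
        print(f"{'FILL ' if fill else 'BLOCK'}  {url}")
```

Note that the manager never tries to decide whether a host “looks like” the real one; it either matches the saved origin byte for byte or it stays silent, which is exactly the property that makes it immune to the lookalike names humans fall for.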

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

  • Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could lead to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:
    The unsolicited email “warning” that starts it all.
  • Lure you to a real page with a facebook.com URL. The account is fake, set up entirely for this particular scam campaign, but the link that shows up in the email you receive does indeed lead to facebook.com, making it less likely to attract suspicion, either from you or from your spam filter. The crooks have titled their page Intellectual Property (copyright complaints are very common these days), and have used the official logo of Meta, the parent company of Facebook, in order to add a touch of legitimacy:
    A fraudulent user account page with an official-looking name and icon.
  • Provide you with a URL to contact Facebook to appeal against cancellation. The URL above doesn’t end in facebook.com, but it starts with text that makes it looks like a personalised link of the form facebook-help-nnnnnn, where the crooks claim that the digits nnnnnn are a unique identifier that denotes your specific case:
    The phishing site pretends to be a “personalised” page about your complaint.
  • Collect largely innocent-sounding data about your Facebook presence. There’s even an optional field for Additional info where you’re invited to argue your case. (See image above.)

Now “prove” yourself

At this point, you need to provide some proof that you are indeed the owner of the account, so the crooks then tell you to:

  • Authenticate with your password. The site you’re on has the text facebook-help-nnnnnn in the address bar; it uses HTTPS (secure HTTP, i.e. there’s a padlock showing); and the branding makes it look similar to Facebook’s own pages:
    The crooks ask you to “prove” your ID via your password.
  • Provide the 2FA code to go with your password. The dialog here is very similar to the one used by Facebook itself, with the wording copied directly from Facebook’s own user interface. Here you can see the fake dialog (top) and the real one that would be displayed by Facebook itself (bottom):
    Then they ask for your 2FA code, just like Facebook would.
    The real 2FA dialog used by Facebook itself.
  • Wait up to five minutes in the hope that the “account block” may be removed automatically. The crooks play both ends here, by inviting you to leave well alone in order not to interrupt a possible immediate resolution, and suggesting that you should stay on hand in case further information is requested:
    The crooks try to buy time with a simple 5-minute progress bar.

As you can see, the likely result for anyone who got sucked into this scam in the first place is that they’ll give the crooks a full five-minute window during which the attackers can try logging into their account and taking it over.

The JavaScript used by the criminals on their booby-trapped site even appears to contain a message that can be triggered if the victim’s password works correctly but the 2FA code they supplied doesn’t:

 The login code you entered doesn't match the one sent to your phone. Please check the number and try again.

The end of the scam is perhaps the least convincing part, but it nevertheless serves to shift you automatically off the scammy site and to land you back somewhere entirely genuine, namely Facebook’s official Help Center:

Finally, the crooks redirect you to a legitimate Facebook help page.

What to do?

Even if you aren’t a particularly serious social media user, and even if you operate under a pseudonym that doesn’t obviously and publicly link back to your real-life identity, your online accounts are valuable to cybercriminals for three main reasons:

  • Full access to your social media accounts could give the crooks access to the private aspects of your profile. Whether they sell this information on the dark web, or abuse it themselves, its compromise could increase your risk of identity theft.
  • The ability to post via your accounts lets the crooks peddle misinformation and fake news under your good name. You could end up kicked off the platform, locked out of your account, or in public trouble, unless and until you can show that your account was broken into.
  • Access to your chosen contacts means the crooks can aggressively target your friends and family. Your own contacts are not only much more likely to see messages that come from your account, but also more likely to take a serious look at them.

Simply put, by letting cybercriminals into your social media account, you ultimately put not just yourself but also your friends and family, and even everyone else on the platform, at risk.

Here are three quick-fire tips:

  • TIP 1. Keep a record of the official “unlock your account” and “how to deal with intellectual property challenges” pages of the social networks you use. That way, you never need to rely on links sent via email to find your way there in future. Common tricks used by attackers include concocted copyright infringements; made-up infringements of Terms and Conditions (as in this case); bogus claims of fraudulent logins you need to review; and other fake “issues” with your account. The crooks often include some time pressure, as in the 24-hour limit claimed in this scam, as further encouragement to save time by simply clicking through.
  • TIP 2. Don’t be tricked by the fact that the “click-to-contact” links are hosted on legitimate sites. In this scam, the initial contact page is hosted by Facebook, but it’s a fraudulent account, and the phishing pages are hosted, complete with a valid HTTPS certificate, via Google, but the content that’s served up is bogus. These days, the company hosting the content is rarely the same as the individuals creating and posting it.
  • TIP 3. If in doubt, don’t give it out. Never feel pressured to take risks to complete a transaction quickly because you’re afraid of the outcome if you take time to stop, to think, and only then to connect. If you aren’t sure, ask someone you know and trust in real life for advice, so you don’t end up trusting the sender of the very message you aren’t sure you can trust. (And see TIP 1 above.)
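The point made twice above (the appeal link that merely starts with facebook-help-nnnnnn, and TIP 2’s warning that a padlock and a well-known hosting company prove nothing about who wrote the page) comes down to one question: does the hostname actually end in the brand’s registrable domain? The following is an added example, not code from the original article or from Facebook, showing that check the way a defender might script it for link triage. The official-domain list and every sample URL in it are constructed for illustration; none of the lookalike hostnames refer to a real site.

```python
from urllib.parse import urlsplit

# Domains you have recorded yourself as official (see TIP 1). These two
# entries are assumptions for the example; build your own list from the
# genuine help pages you bookmarked, not from links in email.
OFFICIAL_DOMAINS = {"facebook.com", "fb.com"}


def registrable_host_matches(hostname, official_domains=OFFICIAL_DOMAINS):
    """True only if hostname IS an official domain or a subdomain of one.

    The comparison is anchored at the END of the hostname and on a label
    boundary, so 'facebook-help-123456.hosting.example' (brand at the front)
    and 'facebook.com.evil.example' (brand followed by more labels) both fail,
    while 'www.facebook.com' passes.
    """
    host = hostname.lower().rstrip(".")
    for domain in official_domains:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_url(url):
    """Return 'official', 'lookalike', 'other' or 'invalid' for a link.

    HTTPS is deliberately NOT treated as evidence of legitimacy: the scam
    pages in the article had a valid certificate too. Only the hostname counts.
    """
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased; userinfo ('user@') stripped
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if registrable_host_matches(host):
        return "official"
    # Brand text anywhere in the URL but the registrable domain is not the
    # brand's own: the facebook-help-nnnnnn pattern described above.
    if "facebook" in url.lower() or "fb-" in host:
        return "lookalike"
    return "other"


def triage(links):
    """Classify a batch of links, e.g. everything extracted from one email."""
    return [(link, classify_url(link)) for link in links]


# Constructed sample links (not taken from the real campaign).
SAMPLE_LINKS = [
    "https://www.facebook.com/help/",
    "https://facebook-help-123456.web-hosting.example/appeal",
    "https://facebook.com.evil.example/login",
    "https://facebook.com@evil.example/",      # userinfo trick: host is evil.example
    "https://example.org/newsletter",
    "mailto:support@facebook.com",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS):
        print(f"{verdict:9s} {link}")
```

The useful habit this encodes is to read a hostname from the right-hand end, not the left: everything to the left of the registrable domain is chosen freely by whoever owns that domain, which is exactly why “facebook-help-” at the start of an address carries no weight.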

Remember, with Black Friday and Cyber Monday coming up this weekend, you’ll probably be receiving lots of genuine offers, plenty of fraudulent ones, and any number of well-meant warnings about how to improve your cybersecurity specifically for this time of year…

…but please keep in mind that cybersecurity is something to take seriously all year round: start yesterday, do it today, and keep it up tomorrow!
