Sophos Cloud Optix
If you’ve ever wondered why cybercriminals are interested in your IM passwords…
…well, it’s not just so they can sneak into your account and snoop through your personal data with a view to abusing it themselves or selling it on to someone else who will.
Access to your account also gives crooks a level of trusted access to your friends and family that makes scams of all sorts much easier to pull off.
Whether it’s pitching a bogus investment plan, luring someone to a fake login page, persuading them to submit an application form for a non-existent job, or simply getting them to waste their money on useless, overpriced, shoddily made tat…
…well, it’s much more likely that a scammer will be able to talk you into clicking a link using a message that actually came from a friend’s account than if they just contacted you out of the blue.
Indeed, many users deliberately limit their “circles of contact” on social media and instant messaging services not just for privacy reasons but also to cut down on the sort of unsolicited messages, spams and scams they endure via email.
A menace to those around you
A scammer with your instant messaging or social media passwords is not only a menace to you, but also to those around you, as one of our readers discovered this evening when he received a note from a friend via Facebook Messenger that said:
Is it you in the video
From someone you didn’t know, a question like that would fall somewhere between bizarre and creepy, but from a friend, who wouldn’t want to take a look?
There is no video, of course – the black image links to a URL shortening service, which in turn redirects to a URL that pops up what looks like a Facebook login page:
The URL (redacted above) clearly has nothing to do with Facebook – it’s a randomly-generated server name on a boutique Hungarian web hosting platform – and, as you can see from the crossed-out padlock icon in the address bar, the site uses HTTP and not HTTPS.
Facebook was an early adopter of HTTPS-for-everything, giving up on HTTP altogether back in 2012, so any page that claims to represent Facebook but doesn’t have HTTPS is an unreconstructed fake.
Unfortunately, putting in your username and password into the fake login page above would submit them to a server running on a low-cost web hosting service in the USA, using a vaguely legitimate-looking domain name that was registered less than a month ago.
Our reader immediately assumed that his friend had himself recently recieved a similar (perhaps even an identical) message, and had not only clicked through but attempted to login, handing his password to the crooks and thus ensuring that all his contacts would soon be spammed in turn.
After the fake login page
This scam goes even further – whether as a distraction to buy a bit of time before victims realise they’ve been taken in and rush to change their Messenger passwords, or simply to give the crooks a second bite at the cherry, we don’t know.
After entering your password, there’s a short delay, as you might expect whan logging in to any online service, after which the crooks seem to pick from a range of other scams and redirect you to one of them randomly.
These didn’t look as though they were being run by the same criminals, so we’re assuming the message-spamming crooks were simply hoping to collect “affiliate fees” from other criminals in the underground.
These “second redirect” scams varied from specious VPN offers to a range of those “free” phone deals where all you need to do is pay a modest delivery fee (£1.95 in the variants we saw here), thus giving the crooks a believable excuse to collect your credit card details.
What to do?
- Use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for cybercrimimals.
- If you think your friend’s account has been hacked, contact them via some other method. Don’t reply via the very same account that you don’t trust – if it is a scam, you are just tipping off the crooks, who will lie to you and tell you everything is fine.
- If a friend lets you know your account was hacked, don’t delay. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals.
- Use a password manager. Password managers help in many ways: you automatically get a different password for every site; you get passwords that are random and can’t be guessed; it’s faster to change your password if you do get hacked; and it’s much harder to get phished because your password manager won’t put the right password into the wrong site.
- Use an anti-virus with a built-in web filter. Attacks of this sort generally don’t rely on sending malware to your computer, but instead rely on tricking you into uploading secret data like passwords from your computer. A web filter helps stop you landing on fake pages in the first place and therefore shields you from phishing. (Sophos Home has a web filter – there’s a free version for both Windows and Mac.)
Good article. Have you written anything about the huge number of “Rewards” and “Surprises” supposedly sent by big stores like Costco, Tim Hortons and “Walmrat”? This looks to be a huge push by crims going on right now. I have 29 messages of the sort in my Gmail Spam folder.
Not this time round but we have a collection of articles from recent months and years that deconstruct scams of that sort and others, including abuse of brands belonging to supermarkets, fast food chains, hardware stores, software companies, courier and delivery services, banks and other financial institutions, and… not forgetting, of course, those many, many “free” iPhones, the surveys” you are invited to take and those “jobs” that don’t exist . Try searching this site for words such as survey, scam, delivery, vish and smish (the last two are phishes via voice and SMS respectively).
Our volunteer agency is obliged to have a web page listing the officers and their contact information. We will eventually be moving to a system that supports web forms and will no longer reveal email addresses.
At this time we regularly see emails purportedly from the Treasurer to the President (or vice-versa) asking for iPhone gift cards for “an urgent situation.” Fortunately, good education has been sufficient to avoid any real problems.
Could you use a generic address, like we do on Naked Security with “tips@sophos.com”, which is autoredirected not only to me but to whoever else is “on duty” at the time, so that [a] the submissions can easily and automatically be disentangled from our regular emails and [b] responses don’t depend on a specific person being available to reply?
Good article. Thanks for sharing!!
My friend recently got “K4FI; is it you?” scam. This message was spammed in her contacts
A scam video called “It’s you” was sent out from my Facebook Messenger account to all my contacts that have an account on Facebook. The video looks very like the image in this article. I presume it does the same thing.
I’m thinking of setting up two factor authentication on Facebook.
I also suggest that you review which devices have logged into you account recently (kick out any you don’t recognise) as well as reviewing all the Facebook plugins on the Facebook apps page that have access to post to your account – you might find some leftover stuff you don’t use any more!