New phishing attack against Facebook business pages

There's a new attempt at an old phishing attack running on Facebook today.  The attack appears to target business pages on Facebook by posing as a Facebook compliance message.  Here's a screenshot of the attack, which we received in our notifications panel on Facebook:

The message appears to be a Facebook compliance message because it uses the Facebook logo and name.  It also appears to be a direct message due to the use of “Dear Customer” in the greeting.  However, there are a few things that should stand out to you as suspicious:

1. It uses the ow.ly URL shortener and not a proper Facebook URL.
2. It uses threatening language indicating extreme action.
3. The message itself is nonsense.  It begins by saying that there are irregularities of content and a violation of ToS.  Then it requires you to verify your contact information, and thanks you for helping them improve ‘service collaboration.'
4. It is a notification and not a message.  Facebook notifications indicate shares or mentions by another user.  These are not direct messages to a customer, and normally do not include any type of greeting like “Dear Customer.”

This is what you will see if you hover your cursor over the account link:

 

This URL is another indication that this is likely not an official Facebook communication.  If you were to follow the link to this account, you would see that this attack has targeted hundreds of business pages on Facebook.

This attack page was taken offline earlier today, but there may be more versions of this page still functioning.

The attack is structured as follows:

1. The attacker identifies the business page.
2. The attacker then shares the latest post from the business page.
3. The share is prefaced by the message that you see in our screenshot at the top of this post.
4. The body of the message includes a shortened link designed to look like a Facebook account verification link.

These indicators should be enough for you to recognize this as a scam and avoid clicking on any links.

If you would like to check the safety of a link such as this, you can follow this process:

1. Submit the shortened URL to a URL expander like Check Short URL.   This will expand the link to the original URL.
2. Submit the original URL to a link checker like the Google Safe Browsing report here.

 

Upon further research of this site, we were able to determine that this is a phishing scam.  Phishing attacks attempt to steal credentials from the user.  This is an attempt to steal Facebook credentials by tricking victims into going through a verification process on a fake site.  If successful, the attacker can then hijack the business page and deploy thousands of attacks against other Facebook users.  The attacker may also use these credentials to gather information about the business page administrators.  These administrators are often managers in the business, and this information can then be used in spear phishing attacks.

Phishing attacks can lead to very serious damage, including identity theft and ransomware attacks.   These attacks are increasing, and organizations all over the world are issuing a warning to employees, students, and other potential victims.

If you receive a suspicious message or notification on Facebook, be sure to follow the above steps to avoid becoming a victim.  You should also report the activity to Facebook.

Barracuda offers security solutions that can protect you from this type of phishing attack.  The Barracuda Web Security Gateway and Barracuda Web Security Service offer multiple levels of protection to defend users against malicious websites.  The Barracuda Email Security Service now offers Advanced Threat Detection and Link Protection, to defend users against dangerous links sent through malicious email attachments.  Barracuda Essentials for Office 365 also includes this protection.

For more information about Barracuda, visit our corporate website here.