Social Media Social Engineering pt.1
I was contacted over Facebook Messenger by a friend I had not spoken with at length in a while. They sent a lengthy message about how they had been locked out of their account and Facebook had selected two friends to use as a personal backup to recover access. The message went on to say that the other person was not answering and, since it looked like I was online, I would be the one who could help.
Something seemed off right away, as there were small but noticeable punctuation and grammar discrepancies, but I shrugged it off as frustration on my friend's part. I replied with a friendly hello and asked how I could help. They immediately replied that I would receive a code that would prove we were friends in real life and that it could be used to recover their account access. Now things were starting to sound fishy!
I had never been in this position before, but I was curious how it worked and my hacker mindset kicked in. I bluntly said that for this to work, my friend needed to prove that it was really them. They needed to show me something that was part of our friendship and unique to our story. One example is how we were on a trip together in Israel and took a very cool picture under a "friends" message board above a store.
My friend immediately activated the video chat feature in Facebook Messenger and, lo and behold, to my surprise it was them! They didn't say anything, the camera was kind of shaky, and I kept trying to get a response from them. After some troubling seconds the video stream ended and another message appeared, claiming this as proof that it was them and asking if I could continue helping with the account recovery.
I felt conflicted, as this almost seemed like the validation I needed in what appeared to be a very questionable process. I have helped other friends get into their Facebook accounts for one reason or another, but in those cases I was standing next to the person and we worked through the recovery process in tandem. This is where things took a turn from bad to ugly.
I agreed to continue with the request, and within seconds I received an email from Facebook. I checked the contents and headers thoroughly, and it was indeed a real email from the proper organization. But there was one problem with the contents that made me realize what this game really was. The body of the message was requesting a password reset for "my" account, not my friend's. In fact, my friend's name was nowhere to be found in the message body or subject.
This was starting to look like the recovery process for one's own account. There, sitting in front of me, was an eight-digit code in a blue-bordered box and the button to initiate a password change. Immediately I received another message asking for the numbers Facebook had sent as part of my friend's "beneficiary code recovery process." Again, these specific words appeared nowhere in the email from Facebook, and my suspicion meter was off the charts.
I replied to the request for the password reset code, stating that this was not for my friend's account but for my own personal account. There was no way I was going to send this secret information across the Internet, even to someone I know. I can see how this feels convincing, as the process was smooth and played on the desire to be helpful to others. After several more attempts to coax the code out of me, the attacker gave up, and I reported the account as hacked to Facebook through their support portal. This was clearly not who I had thought it was, but an imposter.
I was able to get hold of my friend through alternate means, and they confirmed that their account had been hacked and that they were aware it was being used to hack other accounts using the same method they had fallen victim to. We chatted for a bit about our observations and whether there was anything that could be done to help recover it. At this time, their account has not been recovered and the attacker appears to be long gone.
Tune in next time for a continuation covering the lessons learned from this social engineering experience and how you can identify and prevent attacks like this in your personal life and workplace.