Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Facebook Database – 100K+ Compromised Accounts! – “Meow” is a clue!

Facebook Database – 100K+ Compromised Accounts! – “Meow” is a clue!

Researchers have discovered a wide-ranging worldwide scam targeting Facebook users, after finding an unsecured database used by fraudsters to store the usernames & passwords of at least 100,000 victims.

Cyber-criminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts & used them to scam others.

Researchers revealed that the cyber-criminals behind the scam were tricking Facebook victims into giving their account login credentials by using a tool that pretended to show who was visiting their profiles.

Login Credentials

The fraudsters then “used the stolen login credentials to share spam comments on Facebook posts via the victims’ hacked account, directing people to their network of scam websites,” according to researchers with vpnMentor last Fri. “These websites all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250 [$295].”

There was no evidence about whether the data was accessed or leaked by any other malicious parties.

The Database

This unsecured Elasticsearch database was 5.5Gb & contained 13,521,774 records of at least 100,000 Facebook users. It was open between Jun. & Sept. of 2020; it was discovered on Sept. 21 & closed on Sept. 22.

Data in the exposed database included credentials & IP addresses; text outlines for comments the fraudsters would make on Facebook pages (via a hacked account) that directed people to suspicious & fraudulent websites; & personally identifiable information (PII) data such as emails, names & phone numbers of the Bitcoin scam victims.

Login Credentials

Researchers explained that in order to confirm that the database was live & real, they entered fake login credentials on one of the scam web pages & verified they had been recorded.

The day after they discovered the database, researchers believe it was attacked by the ongoing widespread Meow cyberattack, which completely wiped all its data.

Meow

A Meow attack refers to ongoing attacks that started earlier in July & left 1,000 unsecured databases permanently deleted. The attack leaves the word “meow” as its only calling card, according to researcher Bob Diachenko. Meow hackers also recently targeted a Mailfire server that was misconfigured & left open.

“The database went offline the same day and was no longer accessible,” said researchers. “We believe the fraudsters did this following the Meow attack but can’t confirm.”

The Scam

The global scam targeting Facebook users starts with a network of websites owned by fraudsters, which trick Facebook users into providing their credentials by promising they would show targets a list of people who had recently visited their profiles.

It is not clear how visitors were directed to these websites. Researchers found 29 domains linked to this network; websites had names such as: askingviewer[.]com, capture-stalkers[.]com & followviewer[.]com.

Open List!

The website informs victims “There were 32 profile visitors on your page in the last 2 days! Continue to view you list,” & points them to a button that says, “Open List!” When the victim clicks on the button, they are sent to a fake Facebook login page, where they are asked to input their login credentials.

Following this, a fake loading page appears, promising to share the full list, & the victim is redirected to the Google Play page for an unrelated Facebook analytics app.

Cleartext Format

“In the process, the fraudsters saved the victim’s Facebook username and password on the exposed database for future use in their other criminal activities,” observed researchers. “These were stored in cleartext format, making it easy for anyone who found the database to view, download & steal them.”

Attackers then use the victims’ credentials for the further phase of the attack – taking over accounts & commenting on Facebook posts published in the victims’ network, with links to a different network of scam websites that are owned by the fraudsters.

Bitcoin Fraud

These sites relate to a Bitcoin fraud scheme. When a victims’ Facebook friend visits the one of the sites, they are directed to sign up for a free Bitcoin trading account & to deposit $295 to start trading.

“By including links to fake news websites, the fraudsters hoped to bypass & confuse Facebook’s fraud & bot detection tools,” commented researchers. “If the hacked accounts only posted the same links to a Bitcoin scam over & over, they’d quickly be blocked by the social network.”

Passwords

Researchers advised Facebook users that if they think they have been a victim of the fraud effort, to change their login credentials immediately.

“Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” suggested researchers. “We recommend using a password generator to create unique, strong passwords for every private account you have, & changing them periodically.”

https://www.cybernewsgroup.co.uk/virtual-conference-january-2021/

 

SHARE ARTICLE