The National Cyber Security Centre of Finland (NCSC-FI) has issued a warning about an ongoing phishing attack aimed at compromising Facebook accounts by masquerading as victims' friends in Facebook Messenger conversations.
According to the NCSC-FI, this ongoing scam targets all Facebook users who receive messages from online acquaintances asking for their contact information and a confirmation number sent via SMS.
If users provide the requested information, the attackers will gain control of their accounts by altering the password and email address linked with them.
Once taken over, the Facebook accounts are used to run similar schemes against more potential victims from their friend lists.
"In the attempts, a hacked account is used to send messages with the aim of obtaining the recipients' telephone numbers and two-factor authentication codes to hijack their Facebook accounts," the cybersecurity agency said.
The scammers use the following steps to compromise victims' Facebook accounts:
• They start by sending a message through Facebook Messenger from the previously compromised friend's account.
• They request the target's phone number, claiming to be able to assist with the registration for an online contest with cash awards worth thousands of euros.
• The next step is to request a code that was supposedly given via SMS by the contest organizers to verify the entry.
• If the fraudsters obtain the SMS confirmation code, they will combine it with the phone number to gain access to and hijack the victim's Facebook account.
The NCSC-FI advised, "The best way to protect yourself from this scam is to be wary of Facebook messages from all senders, including people you know. If the message sender is a friend, you can contact him, for example, by phone and ask if he is aware of this message. This information should not be disclosed to strangers."
Meta (previously Facebook) recently filed a federal lawsuit in a California court to stop further phishing attacks that are currently targeting Facebook, Messenger, Instagram, and WhatsApp users.
Around 40,000 phishing sites impersonating the four platforms' login pages were used by the threat actors behind these phishing attacks.
This lawsuit is part of a lengthy series of lawsuits filed by Facebook against attackers who target its users and exploit its platform for nefarious purposes.