Messenger chatbot abused to steal Facebook passwords

[Image: chatbots. Image credit: Shutterstock / PopTika]

A brand new phishing campaign leveraging chatbot software on Messenger has been uncovered by cybersecurity firm SpiderLabs.

The goal of the campaign is to obtain people’s Facebook credentials and various other personal information, the researchers explained.

The campaign begins with an email pretending to be from Facebook, claiming that the recipient’s page violates the site’s community standards and will be terminated in 48 hours.


The email also carries an “Appeal Now” link, which gives the victim a chance to appeal the termination.

Red flags galore

Thankfully, the content of the email contains a few red flags that should help users identify the message as fraudulent.

For example, there are a few spelling and grammar mistakes in the body of the message, and the recipient’s name appears as “Policy Issues”, which is not how Facebook handles such cases.

Should the victim still press the “Appeal Now” link, they are taken to a Messenger chatbot, where they are prompted to click through to yet another “Appeal Now” link. This extra hop is most likely there to get past email security services: the link in the email points at Facebook’s own Messenger service and is not malicious in itself, so URL filters have nothing obvious to block.

Here, the researchers found more red flags: the Facebook page that owns the chatbot uses the handle @case932571902, which is plainly not Facebook’s own. The page is also empty, with zero followers and zero posts.

If the victim proceeds, they are taken to a website hosted on Google Firebase. This one is disguised as a Facebook “Support Inbox”, and this is where the victim ends up giving away sensitive data to the attackers.

According to the researchers, the attackers ask for email addresses, mobile numbers, first and last names, page names and, of course, passwords.
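To make the indicators above concrete, here is an added triage script (example code written for this article, not code from the SpiderLabs report or from any tool it describes) that checks a constructed copy of such an email, and the pages reached by following its link, against the red flags listed above: a sender that claims to be Facebook but mails from elsewhere, a generic recipient name, a termination deadline, an “Appeal Now” link that opens a Messenger chatbot instead of a Facebook support page, a chatbot owned by a throwaway @case… page with no followers or posts, and a “Support Inbox” on free hosting that asks for a password. The sample message, the click-chain data and the host lists are all assumptions made for illustration.

```python
"""Added example: triage a suspicious 'page termination' email and the click
chain behind it. Not from the article or the SpiderLabs report; all sample
data and host lists below are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts Facebook itself uses for account notices.
BRAND_HOSTS = ("facebook.com", "facebookmail.com", "messenger.com", "m.me")
# Assumed list of hosting where anyone can publish under their own subdomain.
FREE_HOSTING = ("web.app", "firebaseapp.com")
# Assumed list of salutations that address a role, not the account holder.
GENERIC_SALUTATIONS = ("policy issues", "user", "customer", "page owner")


def _in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class _Links(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def email_red_flags(raw_email):
    """Return the red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    if "facebook" in name.lower() and not _in_domains(addr.rpartition("@")[2], BRAND_HOSTS):
        flags.append(f"sender claims to be Facebook but mails from {addr}")
    body = _body(msg)
    text = re.sub(r"<[^>]+>", " ", body)
    m = re.search(r"\b(dear|hello|hi)\s+([^,\n]{1,40})", text, re.I)
    if m and m.group(2).strip().lower() in GENERIC_SALUTATIONS:
        flags.append(f"generic recipient name {m.group(2).strip()!r}")
    if re.search(r"\b\d{1,3}\s*(hours?|days?)\b", text, re.I) and \
       re.search(r"terminat|delet|suspend|disabl", text, re.I):
        flags.append("deadline pressure: termination within N hours/days")
    parser = _Links()
    parser.feed(body)
    for anchor, href in parser.links:
        host = urlparse(href).hostname
        if "appeal" not in anchor.lower():
            continue
        if _in_domains(host, ("m.me",)):
            flags.append(f"'{anchor}' opens a Messenger chatbot ({host}), not a Facebook support page")
        elif not _in_domains(host, ("facebook.com",)):
            flags.append(f"'{anchor}' link leaves facebook.com -> {host}")
    return flags


def click_chain_red_flags(hops):
    """hops: dicts with url, title, form_fields and, for a chatbot, the owning
    page's handle/followers/posts, one per page reached after the email link."""
    flags = []
    for hop in hops:
        host = urlparse(hop["url"]).hostname or ""
        handle = hop.get("page_handle")
        if handle and re.fullmatch(r"@case\d+", handle):
            flags.append(f"chatbot owned by throwaway page {handle}")
        if handle and hop.get("followers", 0) == 0 and hop.get("posts", 0) == 0:
            flags.append(f"page {handle} has no followers and no posts")
        if "facebook" in hop.get("title", "").lower() and _in_domains(host, FREE_HOSTING):
            flags.append(f"'{hop['title']}' served from free hosting {host}")
        if {f.lower() for f in hop.get("form_fields", [])} & {"password", "passwd", "pass"}:
            flags.append(f"{host} asks for a password on a 'support' form")
    return flags


# Constructed sample email modelled on the lure the article describes.
SAMPLE_EMAIL = """From: Facebook Support <noreply@policy-center.example>
To: Policy Issues <victim@example.org>
Subject: Your page will be terminated
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Policy Issues,</p>
<p>Your page violates our Community Standards and will be terminated in 48 hours.</p>
<p><a href="https://m.me/case932571902">Appeal Now</a></p></body></html>
"""

# Constructed click chain: chatbot hop, then the fake "Support Inbox".
SAMPLE_CHAIN = [
    {"url": "https://m.me/case932571902", "title": "Messenger",
     "page_handle": "@case932571902", "followers": 0, "posts": 0, "form_fields": []},
    {"url": "https://support-inbox-demo.web.app/appeal", "title": "Facebook Support Inbox",
     "form_fields": ["email", "phone", "first_name", "last_name", "page_name", "password"]},
]


def triage(raw_email=SAMPLE_EMAIL, hops=SAMPLE_CHAIN):
    return {"email": email_red_flags(raw_email), "chain": click_chain_red_flags(hops)}


if __name__ == "__main__":
    for stage, found in triage().items():
        print(stage, *found, sep="\n  ")
```

Run as a script it prints four flags for the email and four for the click chain. The checks are deliberately simple string and host tests; in a real mail gateway the same logic would run over the decoded message and over the destinations actually resolved by a sandboxed click, which is what makes the chatbot hop visible at all.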

“Chatbots serve a huge purpose in digital marketing and live support, so it is no wonder that cyber attackers are now abusing this feature. People are not inclined to be suspicious of its contents, especially if it comes from a seemingly genuine source,” the report states.

“The fact that the spammers are leveraging the platform that they are mimicking makes this campaign a perfect social engineering technique. As always, we advise everyone to remain vigilant when surfing the web and to not interact with unsolicited emails.”

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.