Researchers have discovered a wide-ranging worldwide scam targeting Facebook users, after finding an unsecured database used by fraudsters to store the usernames & passwords of at least 100,000 victims.
Cyber-criminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts & used them to scam others.
Researchers revealed that the cyber-criminals behind the scam were tricking Facebook victims into giving their account login credentials by using a tool that pretended to show who was visiting their profiles.
The fraudsters then “used the stolen login credentials to share spam comments on Facebook posts via the victims’ hacked account, directing people to their network of scam websites,” according to researchers with vpnMentor last Fri. “These websites all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250 [$295].”
There was no evidence about whether the data was accessed or leaked by any other malicious parties.
This unsecured Elasticsearch database was 5.5Gb & contained 13,521,774 records of at least 100,000 Facebook users. It was open between Jun. & Sept. of 2020; it was discovered on Sept. 21 & closed on Sept. 22.
Data in the exposed database included credentials & IP addresses; text outlines for comments the fraudsters would make on Facebook pages (via a hacked account) that directed people to suspicious & fraudulent websites; & personally identifiable information (PII) data such as emails, names & phone numbers of the Bitcoin scam victims.
Researchers explained that in order to confirm that the database was live & real, they entered fake login credentials on one of the scam web pages & verified they had been recorded.
The day after they discovered the database, researchers believe it was attacked by the ongoing widespread Meow cyberattack, which completely wiped all its data.
A Meow attack refers to ongoing attacks that started earlier in July & left 1,000 unsecured databases permanently deleted. The attack leaves the word “meow” as its only calling card, according to researcher Bob Diachenko. Meow hackers also recently targeted a Mailfire server that was misconfigured & left open.
“The database went offline the same day and was no longer accessible,” said researchers. “We believe the fraudsters did this following the Meow attack but can’t confirm.”
The global scam targeting Facebook users starts with a network of websites owned by fraudsters, which trick Facebook users into providing their credentials by promising they would show targets a list of people who had recently visited their profiles.
It is not clear how visitors were directed to these websites. Researchers found 29 domains linked to this network; websites had names such as: askingviewer[.]com, capture-stalkers[.]com & followviewer[.]com.
The website informs victims “There were 32 profile visitors on your page in the last 2 days! Continue to view you list,” & points them to a button that says, “Open List!” When the victim clicks on the button, they are sent to a fake Facebook login page, where they are asked to input their login credentials.
Following this, a fake loading page appears, promising to share the full list, & the victim is redirected to the Google Play page for an unrelated Facebook analytics app.
“In the process, the fraudsters saved the victim’s Facebook username and password on the exposed database for future use in their other criminal activities,” observed researchers. “These were stored in cleartext format, making it easy for anyone who found the database to view, download & steal them.”
Attackers then use the victims’ credentials for the further phase of the attack – taking over accounts & commenting on Facebook posts published in the victims’ network, with links to a different network of scam websites that are owned by the fraudsters.
These sites relate to a Bitcoin fraud scheme. When a victims’ Facebook friend visits the one of the sites, they are directed to sign up for a free Bitcoin trading account & to deposit $295 to start trading.
“By including links to fake news websites, the fraudsters hoped to bypass & confuse Facebook’s fraud & bot detection tools,” commented researchers. “If the hacked accounts only posted the same links to a Bitcoin scam over & over, they’d quickly be blocked by the social network.”
Researchers advised Facebook users that if they think they have been a victim of the fraud effort, to change their login credentials immediately.
“Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” suggested researchers. “We recommend using a password generator to create unique, strong passwords for every private account you have, & changing them periodically.”