Facebook users should be wary following a spate of malicious ‘Security System Pages’ created by phishers to steal people’s personal data.
Not satisfied with merely securing a user’s login details, these offenders are now intent on forcing them to part with far more sensitive information.
As reported in a Malwarebytes blog, one such scam misleads people into believing their account has been reported for ‘abuse’ by other users, warning them their page may be disabled. It asks users to provide their email address/phone number, password and date of birth so their account can be “verified” and to help “do more for security and comfort for everyone”.
Once this stage of the scam is complete, users are asked to ‘upgrade’ their credit card information, with the phishers even bold enough to display a message at the bottom of the page reading “Your payment info will be stored securely and only you can see it on Facebook”.
Although many of these types of scam pages have recently been disabled, similar ones are likely to crop up again soon, as phishers are fully aware of just how effective these techniques are in frightening some users into following the malicious instructions they provide. Therefore, people should be extra vigilant for anything that looks out of the ordinary.
In an email to Infosecurity, Christopher Boyd, Malware Intelligence Analyst at Malwarebytes, explained how these scam pages operate and advised Facebook users on what to look out for to avoid becoming a victim.
He said:
“The majority of these fake logins are reached via email, and anytime you're asked for credentials – or worse, payment information – from a supplied link, you should delete and move on with your day as this just isn't something any service is in the habit of doing.
“Always check the URL on display and look for the green padlock and https notification – virtually all Facebook phishing is done on free webhosts running insecure pages. You should also consider leaving your web browser's built-in phishing detection switched on, as a sizeable portion of fakes are caught by these security measures.”
Infosecurity also contacted Kevin Epstein, VP of Threat Operations, Proofpoint, to gain his insight and discuss the current state of play regarding the effectiveness of regulations designed to prevent this type of criminality.
He told us “we [Proofpoint] believe the largest security challenge continues to be social engineering; especially scams like this in email and on web properties that trick end-users into assisting criminals”.
He went on to explain that although “best-in-class organizations are actively engaged in threat detection and prevention, and are constantly upgrading legacy defenses” with law enforcement agencies taking “an increasing interest in prosecution”, as is the case with physical-world crime, “it's an ongoing challenge.”