A new online phishing attempt has come to light, uncovered by Trustwave security experts; the aim is to steal user credentials using Facebook Messenger chatbots. As per Trustwave’s research of the campaign, the chatbots in this latest phishing campaign spoof Meta’s customer service.
The bots then take control of pages by pressuring page administrators to input login information for that Facebook page. Following Trustwave’s notification, the malicious chatbots and websites were immediately removed.
In essence, chatbots are specially created programs that act as live customer service representatives and respond to user inquiries before referring the inquiry to a human employee. Usually, organizations providing live chat or customer support services use chatbots.
Messenger chatbot scam: Report
According to reports, The phishing attempt began with an email warning the recipient that Facebook would remove their page if they didn’t comply with Meta’s community guidelines within 48 hours. The recipient was sent to a false Messenger support page hosted by Google Firebase when they clicked the ‘Appeal Now’ link.
Researchers discovered that the fake chatbot profile was a fan/business page with no followers or activities. However, the attackers made the chatbot look legitimate using the official Messenger logo. The user filled out the Appeal form with their first and last names, email addresses, page names, and mobile numbers.
Further, they were prompted to perform 2FA authentication with an OTP. The moment the user clicked the “Submit” button, the attackers acquired the form and the user’s login information while redirecting them to Meta’s official page for intellectual property and copyright policies.
Researchers found numerous mistakes in the email, which sparked suspicions regarding the chatbot scam. For example, it included a missing dot from the third sentence and had improper capitalization in words.
Several mistakes in the email header further indicated the email’s scam. For instance, Policy Issues was written in the sender’s name; however, Facebook/Meta doesn’t own the sender domain.
Lastly, social media users must exercise caution when opening these warning notifications and always look for warning signs before disclosing any important information. Don’t divulge personal information to a user or bot if you have any doubts about their reliability, and report them to Facebook instead.
Have you faced something like this? Do let us know your thoughts in the comments.