Sunday, February 13, 2022

How do Facebook Message Link scams work?

Every day large numbers of Facebook users receive a message that appears to be from a friend that invites them to click a link. If they click that link their Facebook friends (social graph connections) receive a similar message -- from them.

Many of the victims post on Facebook that their account has been hacked and that recipients should disregard the message. Most change their account passwords, some close their account.

So you'd think there would be an easy to find explanation of how this works. 

Good luck finding it. I tried several search methods and got nothing. That would not have been true 10 or 20 years ago -- there would have been numerous explanations of the mechanics of the scam. Now all I found were confused articles in small newspapers and limited explanations republished in software generated spam sites.

In desperation I posted a question on Stack Exchange SuperUser. Which was, of course, immediately closed as off-topic. I couldn't find a more relevant Stack Exchange site and Reddit had nothing. 

So I'm going to make some guesses and improve this post if I learn more. For the purposes of this discussion:

  • Max: the attacker
  • Sue: name of a friend that is shown as the message sender.
  • Bob: recipient of the message.

I'll start with the link. Some things will be similar to clicking on an email link. Bob may be tricked into entering account credentials (esp. Facebook) -- if this is done well they won't realize they entered them into a fake site. Or, if the Bob's computer is vulnerable, a keystroke logger or other malware might be installed.

But does anything unique to Facebook happen? If Max is using a clone of Sue's account their message will show in a relatively obscure part of Messenger (since it's not Sue's account there's no true social connection). If Bob interacts with it does Facebook grant Max elevated access to Bob's account? Can Max now see or message Bob's friends more than he could previously? If Bob had configured Facebook appropriately, can Max now see Bob's friends?

These are hard questions to answer. Facebook doesn't document much and they change the rules frequently. Maybe the attackers only target users who have made their friends list public.

Let's say Bob clicks on Max's link. Should he burn his computer?

If the linked site tricked Bob into entering his Facebook credentials (username, password, etc) he should try to change them. But if he hasn't entered his credentials it might be risky to enter them now; maybe Bob was tricked into installing a keystroke logger -- or maybe Bob's computer was vulnerable to an exploit. Bob might want to run an antivirus scan (for what they are worth).

This really does deserve a better answer ...

No comments: