Security researchers have uncovered a massive global phishing and credit card fraud operation aimed at Facebook users after stumbling upon an unsecured database that held private data belonging to at least 100,000 victims.
According to researchers at vpnMentor, the crooks behind the scam were tricking Facebook users into providing login credentials for their private accounts. The credentials were harvested via a network of websites owned by the cybercriminal group.
Facebook users were lured with the promise of a list of people who had recently visited their profiles. When they clicked on a link provided by one of the attackers' websites, however, the victims were presented with a fake Facebook login page prompting them to input their login credentials. Once a victim had entered the credentials, a fake loading page appeared, promising to share the full list. Next, the victim was redirected to the Google Play page for an unrelated Facebook analytics app.
“In the process, the fraudsters saved the victim’s Facebook username and password on the exposed database for future use in their other criminal activities. These were stored in Cleartext format, making it easy for anyone who found the database to view, download, and steal them. Negative feedback on the analytics app from victims of the fraud, expressing their dissatisfaction with a seemingly broken app, shows numerous people have gone through the entire scam and unknowingly had their data stolen,” the researchers explained.
The fraudsters used the stolen login credentials to share spam comments on Facebook posts using compromised accounts, directing people to their network of scam websites. Ultimately, all the malicious websites led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250.
The researchers said the exposed database contained over 5.5GB of data, including: logins and passwords for between 150,000 and 200,000 Facebook accounts; text outlines for comments the fraudsters would make on Facebook posts, via a hacked account, directing people to suspicious and fraudulent websites; Personally Identifiable Information (emails, names, and phone numbers from 100,000s of people who’d registered at a fraudulent Bitcoin site); domains for websites used in the scam; and technical details on the fraud operation.
vpnMentor said it contacted Facebook about its discovery. A day after the database was uncovered, however, the database fell victim to a so-called Meow cyber attack, which completely wiped all its data. The database went offline the same day and was no longer accessible, the researchers said. vpnMentor believes that the fraudsters took down the database after the Meow attack.
Earlier this year, dozens of unsecured Elasticsearch and MongoDB instances exposed on the internet were hit by the Meow campaign, in which malicious actors wiped databases without any explanation or ransom note.