As part of a new phishing attack, impersonating the company’s customer support team using Facebook Messenger chatbots, attackers are trying to steal Facebook credentials for managing specific pages on the site.

The idea behind a chatbot is that it can be used as a substitute for live staff. Chatbots often perform tasks like answering simple questions to customers (or triaging their cases) before passing them along to the person in charge.

It is common practice among marketers and customer service representatives to use chatbots for marketing purposes. 

However, recently, the Trustwave Labs team has detected a very innovative way for hackers to steal the credentials of Facebook page managers. In this case, hackers are using malicious chatbots to steal the credentials of Facebook page managers.

Malicious Facebook Messenger chatbots

The phishing attack is launched by means of an email message. The email notifies the target that their Facebook page has infringed the Community Standards and their page will be taken down unless they appeal the decision within 48 hours.

Facebook users have likely heard of the social networking site cracking down on violators of its rules, so this claim may have resonance with them.

Several errors have been spotted in the message, including the following:- 

• A mistake in capitalization was made when writing the word “Page”
• The third sentence has a missing dot at the end

Attack flow

There has been a recent trend to use such typographical errors as indicators that a message is not genuine. In order to access the Facebook Support center, the user must click on the “Appeal Now” button shown above in order to find the page where they can implore the problem.

In order to access the Facebook customer support center, the victim needs to click on that button, which accesses a conversation with an automated chatbot on Messenger.

A standard business page with no followers and no posts is associated with the chatbot on Facebook. Victims would see the following message if they checked the profile:-

• “Very responsive to messages” 

The above message clearly indicates that the page is actively used and quick to respond.

On the primary phishing page, users are asked to provide the following information if they wish to appeal the page deletion decision:- 

• Email address
• Full name
• Page name
• Phone number

During the completion of submitting the data and pressing the “Submit” button, a popup appears in which the account password is requested to proceed further. 

Once all the information is acquired, through a POST request all the collected data is then sent to the database that is under the control of the threat actor.

On the final point, the threat actors encourage the victim to enter the OTP that is received through SMS on a fake 2FA page. It is not a legitimate form of submission, since it accepts anything, so it merely serves to give the whole process an air of genuineness.

Once the verification is complete, the victims are directed to an actual Facebook page that contains information regarding intellectual property policy and copyright policies.

To steal credentials from organizations, cyber-threat actors are increasingly using chatbots as part of their phishing attacks. Many sites use automated chatbots and AI to improve their support pages, which makes it difficult to detect these scams.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.