Your Facebook & IM Accounts Were Hacked, Now What? — Last week we got the strangest message from a friend of ours via Facebook’s Instant Messenger app. It said “Are you coming out here??” followed by 2 emojis and an oddball link. We immediately recognized the link as malicious, which could mean only one thing… Our friend’s Facebook account had been hacked. It turns out, it was much worse! Messages from friends were pouring in to him via Facebook, Instant Messenger and WhatsApp, asking him if that was a legitimate message from him or what he meant by it. But our friend said that he hadn’t posted anything to his account in nearly two years.
A simple WHOIS lookup confirmed our suspicions that the link was malicious. The domain in the link, m9s[.]sbs, had been registered just 2 weeks earlier in Iceland through Namecheap. This registrar and location are the #1 favorite spot for cybercriminals to register their fraudulent domains because Namecheap does such a poor job of monitoring fraud. (We suspect that Namecheap makes a lot of money from cybercriminals who are using their services!)
At about the same time, another friend of ours received another oddball message from a Facebook friend and asked us if we thought it was legitimate. It wasn’t! This particular manipulative message was world famous and had been used by social media hackers for years now to trick people into clicking malicious links. The message said “Is it you in the video ?” along with a few emojis and another oddball link.
However, this time we recognized that the oddball link was for a link shortening service! That meant that the domain used in the link, short[.]gy, would NOT be your final destination! The service will forward you to another website entirely. The ONLY way to learn where you would be redirected is to use an “unshortening service” such as Urlex.org or Unshorten.it. However, we were so convinced that the link was malicious that we went right to our set of tools to evaluate it. Sure enough, the Zulu URL Risk Analyzer confirmed our suspicions. Also, Zulu showed us that the link contained two more redirects, ultimately sending a victim to a web page at a site called clickfunnels[.]com.
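An added example (not from the original newsletter) of what an unshortening service does: it follows the redirect chain described above one hop at a time with HEAD requests, so no page body is loaded, and lists every host on the way. The hostnames in the sample hop table are constructed placeholders, and the function names are assumptions of this example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head_request(url):
    """Send one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=head_request, max_hops=10):
    """Follow HTTP redirects one hop at a time; return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        looped = nxt in chain
        chain.append(nxt)
        if looped:  # redirect loop: record it and stop
            break
    return chain

def hosts_in_chain(chain):
    """Distinct hostnames in the order they were first visited."""
    return list(dict.fromkeys(urlsplit(u).hostname for u in chain))

# Constructed hop table standing in for the network (placeholder hostnames).
SAMPLE_HOPS = {
    "https://short.example/abc": (302, "https://hop1.example/r?id=1"),
    "https://hop1.example/r?id=1": (301, "/go"),
    "https://hop1.example/go": (302, "https://landing.example/login"),
    "https://landing.example/login": (200, None),
}

if __name__ == "__main__":
    print(trace_redirects("https://short.example/abc", fetch=SAMPLE_HOPS.get))
```

HEAD requests only reveal HTTP redirects; hops done with JavaScript or a meta refresh need a sandboxed browser. A live lookup still contacts the servers behind the link, so run it from an analysis machine rather than your everyday device.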
Variations of the phrase “Is it you in the video” or “Is this you in the video” have been used as social media clickbait for at least 3 years! We last reported on this scam on September 25, 2019 when one of our relatives received this message from a friend and asked us if it was safe to click. It wasn’t safe! “OMG Are you in this video?” (The link doesn’t point to a video on YouTube, but to another malicious domain.)
How were these accounts likely hacked and why are these links malicious?
Each of these accounts had been compromised by hackers, but the method for hacking the account is not clear. For some, it may have been that a friend’s account had been hacked and a malicious link was sent to his/her contacts and clicked on. The click sends victims to a web page asking you to log in again to your social media account. In reality, you are on a phishing page collecting your login credentials! Once hackers have that information, they repeat the scam using YOUR account and YOUR friends/contacts. But that isn’t the only method to gain access to your account. Hundreds of online services across the world are hacked every year. At one point or another, most services are hacked to some extent and, believe it or not, usernames, email addresses and even passwords have been stolen and decrypted (or were never encrypted to begin with!). It is critically important for you to visit “Have I Been Pwned” at least twice each year to see what information about YOU has been stolen and posted on the “deep web.” It is completely safe to enter your email addresses and phone numbers into the form on HaveIBeenPwned.com. Some people have been shocked to discover that their personal login data has been compromised in more than a dozen breaches of legitimate services! If you see that your login credentials have been stolen, CHANGE YOUR PASSWORD for every account where that password is used! You can find tips on creating strong, easy-to-remember sets of passwords in our article Creating Strong Sets of Passwords.
- Besides using malicious links to capture people’s login credentials, some links also lead to malware and victims have infected their devices, leading to more pain and financial loss.
- Cybercriminals will also scrape social media accounts for lots of personal information about the victim and friends, hoping to monetize that information in other ways. For example, it is easier for criminals to target someone with fraud if they know more information about her/him and it may be easier to perpetrate identity theft.
- Most people use the same passwords for multiple accounts, putting them at severe risk if that password is compromised. If YOUR social media password were known to hackers, would that put any of your financial accounts at risk? Credit cards? Financial institutions? And what about your email account? Do you use the same password for it? Your email accounts are literally the Keys to Your Digital Kingdom! (Read our recent article about this.) And remember, with access to your social media, criminals will know lots of other things about you!
What should you do if your social media account is hacked?
- Immediately change the password for your account! When you attempt to do this on Facebook, one of the options to select in Settings is called “Security and Login.” Our friend whose Facebook, IM and WhatsApp accounts were hacked discovered that he was logged in from Arizona. He had never been to Arizona and lives in Massachusetts! When he updated his password, it logged out the hacker in Arizona. (Or, more likely, a hacker from another country who used a VPN service to connect to the Internet in Arizona.)
- As quickly as possible, send a message to all your friends and family saying that your account was hacked and the hacker sent out a message with a link that SHOULD NOT BE CLICKED! Ask someone to send you a screenshot of the malicious message so you can post and share it with friends. If your friends clicked the link, SHARE THIS ARTICLE with them or tell them what should be done!
- Change your password to EVERY account where your social media password is used!
- We also advise victims to put a credit lock or freeze on their credit to reduce the chances that you will be a victim of identity theft using information stolen from your account. Experian, Equifax, and even NerdWallet have articles describing how to do this.
Other security services have reported details about these social media hacks using these criminal social engineering tricks. Check out these articles as well!
- “Is that you” Facebook virus Removal Guide (2-spyware.com)
- Facebook “IS THIS YOU” Video Scam Steals Your Login Info (techilicious.com)
- “Is it you in the video?” Don’t Fall for this Messenger Scam (nakedsecurity.sophos.com)
Cybercrime is Way Up, Let’s Have a Laugh – According to this recent article on Cyberscoop.com, the FBI is reporting that there was a 64% increase in cybercrime in 2021 compared to 2020 in the United States, at a total estimated loss of nearly 7 BILLION dollars! And the 2020 stats were up from 2019! Perhaps somewhat surprisingly, the US Dept. of Justice has been able to identify several cybercriminals and has issued indictments against them, but it is very unlikely they’ll ever be caught. One example is Igor Dekhtyarchuk, a 23-year-old Russian hacker. Did you know that one of the clever ways that cybercriminals capture users’ login credentials is by hacking apps that people download onto their devices? Check out this recent article on TomsGuide.com about a pirated version of a cartoon Android app that was secretly collecting people’s login credentials and sharing them with criminals!
One of the many ways that cybercriminals target people is by stealing domain names or creating look-alike domain names that trick people into visiting malicious or fraudulent websites. One of our readers sent us this article from NetworkDepot.com which sums up some of these scams well.
In the face of all this depressing news, we thought you might enjoy a good laugh at a scammer’s expense! Check out this wonderful 2015 TED Talk by James Veitch titled This is what happens when you reply to spam email. And if you like singing, enjoy this lovely operatic interpretation of scammer’s email messages by Jazz Emu.
Almost every week we get unsolicited requests from strangers asking us if we allow guest posts. Nearly all of them are suspicious or obviously fraudulent. What we found suspicious about this one was the name of the sender. Or names… Did this come from “Oleksandr” or from “Joseph?” This behavior of using two different names in the text field of an email address is classic scammer behavior.
Speaking of classic scammer behavior, check out this next email from a 419 scammer telling us that our “quota exceeded.” Smadar Barber-Tsadik claims to represent the First International Bank of Israel but the email address contains the name “horvath erzsebet” AND it was sent from a server in Hungary!
Delta Sky Miles Account, Apple Computer, PayPal, and… – Are you a Delta flier? Do you have a Sky Miles account? Here’s a very unusual phishing scam that our friend Rob L. sent us. You are informed that your SkyMiles account will be closed unless you update your information. But the email didn’t come from delta.com. It came from a server in Germany, and the link points to a website hosted in Germany called alignment[.]com, according to WHOIS.sc. Below is a screenshot of the login window that awaits you after filling out a CAPTCHA to show you are a real human being. Oddly, Rob told us that when he entered the wrong Delta credentials into the login screen, he was sent to an AOL login screen window! Deeeeleeeeete!
One of our readers sent us this phish disguised as an “Apple receipt” but sent from a personal Gmail account instead of apple.com. The short, simple and fraudulent message contained a PDF file that began with “Dear Customer…” and thanks you for your purchase of a new Apple computer that will be sent to an address in Washington state. Of course you can call the scammers to cancel this bogus order by dialing 888-302-2451. What makes this putrid pustulence a little more interesting is the fact that a search for the phone number 888-302-2451 turns up a VERY suspicious website first registered in 1997 called info-4-you[.]com! It appears to us that this website is being misused to host fraudulent information.
Readers sent us so many phish last week that we can’t show them all! They included phishing emails disguised as an Amazon purchase and the purchase of a subscription to Windows Defender. Enjoy…
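An added example (not part of the original newsletter) of the checks applied by eye above: a display name that names a different person than the mailbox, and brand mail that comes from an unrelated or free webmail domain. The allow-list of brand domains and all sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumed allow-list: brand word -> domains that brand is expected to send from.
BRAND_DOMAINS = {"delta": {"delta.com"}, "apple": {"apple.com"}}
FREE_MAIL = {"gmail.com", "aol.com", "outlook.com", "yahoo.com"}

def words(text):
    """Lower-case alphabetic tokens of three or more letters."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if len(w) >= 3}

def in_domains(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(from_header, subject=""):
    """Return heuristic findings for one message's From and Subject headers."""
    display, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    name_words = words(display)
    claimed = name_words | words(subject)
    brands = sorted(b for b in BRAND_DOMAINS if b in claimed)
    findings = [f"claims {b}, sent from {domain}" for b in brands
                if not in_domains(domain, BRAND_DOMAINS[b])]
    if brands and domain in FREE_MAIL:
        findings.append("brand mail from free webmail")
    # A personal display name sharing no word with the mailbox name suggests
    # a borrowed or throwaway account (heuristic: role mailboxes also trip it).
    if (name_words and name_words.isdisjoint(BRAND_DOMAINS)
            and name_words.isdisjoint(words(local))):
        findings.append("display name differs from mailbox name")
    return findings

# Constructed sample headers (From, Subject); no real addresses.
SAMPLES = [
    ("Delta SkyMiles <notice@mailer.example>", "Your SkyMiles account will be closed"),
    ("Apple Store <receipts.4821@gmail.com>", "Your receipt"),
    ("Alice Example <bob.sample@mail.example>", "Quota exceeded"),
    ("Delta Air Lines <no-reply@e.delta.com>", "Your trip"),
]

if __name__ == "__main__":
    for frm, subj in SAMPLES:
        print(frm, "->", check_sender(frm, subj))
```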
Netflix Membership Reward and Loyalty Program Reward – The crazy way the Subject line is written in this next email and the fact that it was delivered by “Darryl” says everything you need to know about this “Netflix Membership Reward!” However, if you’re interested in visiting a malicious website in the Netherlands, feel free to click! (“.nl” = 2-letter country code for the Netherlands.)
This next email is simple malicious clickbait disguised as a promotional offer from Best Buy. Clicking on the link will send you to vk[.]com and then on to another website. You are not going to get an iPad. The only “fantastic prize” waiting for you is malware. Delete!
Request to Terminate Your Account – On March 9 we published a story titled “The Internet Favors Criminals. Meet Eldridge Engels!” The cybercriminals using the alias “Eldridge Engels” continue to post malicious websites using that name. No one seems to care, certainly not Namecheap.com, which has been the registrar for most of their malicious domains. Below is yet another malicious link that is part of this criminal dynasty. “Hey Aol Customer, you submitted a request to terminate your AOL email account….” The malicious link in this clickbait points to the domain called buchiraltod[.]us. It was registered by “Eldridge Engels” in December, 2020 and is hosted on a server in Turkey.
Search for Me in Snapchat, We May Owe You, and Correct Your Address – Some think that the expression “curiosity killed the cat” refers to a warning about the dangers of unnecessary investigation into something. In this case, we agree! We guarantee that responding to this unsolicited and random message sent to one of our readers by a phone number they didn’t recognize is not going to go well for you if you follow the instructions and start exploring for this Snapchat account. Step away from this ledge!
We’ve seen this clickbait before. Your insurance company will NEVER send you a text like this and tell you that you only have 48 hours to claim it!
Here’s another ridiculous claim sent to us by a reader. She got this text from an unrecognized number that has no connection to the US Postal Service. Sotel GmbH is a consumer electronics store in Germany. All of this is interesting because the shortened Bit.ly link in the text points to a website in India!
Until next week, surf safely!
Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved.