A cunning phishing campaign on Facebook has been exploiting users’ trust with an emotionally charged phrase: “I can’t believe he is gone. I’m going to miss him so much.” The deceptive scheme leads users to a malicious website designed to hijack Facebook credentials, and it has proven to be a persistent and widespread threat.
The ongoing scam, which began about a year ago, capitalises on compromised accounts to expand its reach and target unsuspecting victims. Posting from accounts that threat actors have already compromised lends the phishing attack credibility: a user who sees such a post from a friend is more likely to fall prey to the scam.
Despite Facebook’s efforts to deactivate reported redirect links in these deceptive posts, the campaign continues, which shows the sophistication and persistence of the threat actors behind it. The emotional trigger embedded in the phrase “I can’t believe he is gone” makes the scam more effective, because it prompts users to click before they question the post.
The Facebook phishing campaign utilises two distinct approaches to trap users. One variant involves a simple Facebook redirect link, while the other presents a seemingly authentic BBC News video depicting a car accident or a crime scene.
For users on the mobile Facebook app, clicking the link redirects them to a fabricated news site called ‘NewsAmericaVideos.’ This site prompts users to enter their Facebook credentials under the guise of identity confirmation to view a blurred video. In reality, the video is just an image sourced from Discord. If users input their credentials, threat actors capture them, and users are redirected to Google. The purpose of collecting these credentials is unclear, but they are likely used to perpetuate the scam through compromised accounts.
On desktop computers, the phishing sites exhibit different behaviours, often redirecting users to Google or leading them to other scams involving VPN apps, browser extensions, or affiliate sites.
The phishing campaign’s extensive reach involves the daily creation of deceptive posts through compromised accounts. Since this attack does not target two-factor authentication (2FA) tokens, Facebook users are strongly advised to enable 2FA. This additional security layer requires a unique one-time passcode for login attempts from unrecognised locations, significantly hindering unauthorised access even if credentials are compromised.
Phishing is a prevalent cybercrime where attackers disguise themselves as trustworthy entities to deceive individuals into providing sensitive data. This malicious activity can take various forms, including email, social media, or text messages, and understanding its nature is crucial for digital safety.
The aim is to trick people into divulging personal information, such as login credentials or credit card numbers, and the lure is usually a seemingly legitimate request or an alarming statement.
Phishing attacks come in several forms, including email phishing, spear phishing (targeting specific individuals or companies), and whaling (focusing on high-profile targets). The Facebook phishing scam is a classic case of social media phishing, utilising familiar platforms to spread deceitful messages.
Phishing poses significant risks, leading to financial loss, identity theft, and unauthorised access to sensitive systems. In the case of the “I can’t believe he is gone” phishing campaign on Facebook, personal accounts can be hijacked, potentially resulting in data breaches.
Facebook users are urged to stay vigilant, report suspicious posts, and enable two-factor authentication to safeguard against deceptive phishing campaigns.