Check out some of the latest phishing scams making the rounds

May 13, 2014 11:41 GMT  ·  By

Experts warn users of a phishing scam that starts with messages that read something like this: “OMG YOUR PHOTOS ARE BEING USED ON THIS SITE.” 

According to Malwarebytes experts, the messages have been seen on Tumblr, and they appear to come from one of the targeted user’s friends.

When users click on the link accompanying the post, they’re taken to a Tumblr spam blog, where a piece of JavaScript code redirects them to a fake Facebook login page. Here, they have to enter their credentials in order to see the alleged photos.

The Facebook phishing site looks legitimate, but a closer look at the URL in the web browser’s address bar reveals that it has nothing to do with the social network.

As experts highlight, these types of phishing scams are common on Twitter, but this clearly shows that no social media platform is ignored by cybercriminals.

While losing a social media account to phishers is bad, it’s much worse to hand over the username and password needed to access online banking and email accounts.

Netcraft has published an advisory after coming across an interesting Chase Bank phishing scam earlier this month. Cybercriminals lured users to a legitimate-looking phishing page hosted on the compromised website of a gift store.

Chase phishing site

After victims hand over their user ID and password for their online banking accounts, they’re taken to another page, where they’re instructed to enter their email address and its associated password. This is allegedly “part of a verification measure.”

“With access to the victim's emails, the fraudster could also potentially net a much larger haul. These emails will indicate to the fraudster which other banks, shops, social networks and other online services the victim uses,” Netcraft’s Paul Mutton notes in a blog post.

“The fraudster can then attempt to compromise the victim's accounts on these services by initiating password resets, which will be sent to the email address he now has access to. In some cases, the fraudster will also be able to change the password of the victim's own email account, thus locking him out and making him unaware that further compromises are taking place.”

Cybercriminals gain another advantage if they can hijack the email account of a Chase customer. The financial institution’s customers can receive account alerts via email if any suspicious transactions are detected.

However, if they’re in control of the email account, the cybercriminals can easily delete the alerts before the victim sees them. This way they can continue their fraudulent activities without being detected for a longer period of time.
