Facebook user impersonated by scammers to target small businesses in German-speaking countries
Facebook has become an Eldorado for scammers; every day thousands of people report losing their accounts. This is because most people are not aware of this attack. Small businesses are one of the most important targets for scammers. This is not the first time we have reported scammers impersonating a Facebook user to redirect victims to a fake Facebook login page, and it won't be the last.
Let's break the scenario down.
The scammer sends thousands of messages containing a link to many users and small businesses.
The scammer waits for the user to click on the link and enter their password.
Once this is done, the user loses his or her account.
The message usually looks like this:

The malicious link, at the end of the message, is the one the user is expected to click.

As you can see, the malicious link appears after the Facebook link; the scammer does this to trick the user into clicking it and entering their credentials on a fake Facebook website.
This kind of link is very hard to detect with many open-source engines.
We used the tool "Browserling", which showed us the redirect link; that link is not available at the moment.

We can also check it with the open-source tool "CyberChef". First, take the URL that follows facebook.com and paste it into the tool.

Now that the redirect link is available, we can check it on VirusTotal.

On VirusTotal, click on "Details" to get more information about the domain.
We found out that the domain is newly created; the VirusTotal history shows it was first submitted on the same day as our analysis:
History
First Submission: 2023-10-23 21:27:58 UTC
Last Submission: 2023-10-23 21:27:58 UTC
Last Analysis: 2023-10-23 21:27:58 UTC
At this point, we are fairly sure that the link is not from Facebook and that it is a malicious link or domain.
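The check walked through above (take the URL hidden after the facebook.com link, decode it, and compare the real landing host against Facebook's own domains) as an added Python example; this is not the post's tooling. It assumes the lure carries the target percent-encoded in a query parameter or path segment (the l.php?u= form used in the sample is an assumption, not taken from the post), and the sample message is constructed around the domain from the IOC list.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Hosts treated as genuinely Facebook's (assumption for this example).
TRUSTED_SUFFIXES = ("facebook.com", "fb.com", "fb.me")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample lure, using the domain from the IOC list in this post.
SAMPLE_MESSAGE = (
    "Please verify your business page: "
    "https://www.facebook.com/l.php?u=https%3A%2F%2Ffaeboser-storyresver19849.io.vn%2Flogin"
)


def defang(host: str) -> str:
    """Write a hostname the way the IOC list does: dots become [.]."""
    return host.replace(".", "[.]")


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def embedded_targets(url: str) -> list:
    """Return full URLs hidden (percent-encoded) in a URL's query values or path segments."""
    parsed = urlparse(url)
    candidates = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    candidates += parsed.path.split("/")
    found = []
    for c in candidates:
        decoded = unquote(c)  # parse_qsl already decodes query values; path segments need it
        if decoded.lower().startswith(("http://", "https://")):
            found.append(decoded)
    return found


def analyse_message(text: str) -> list:
    """For each link: (visible URL, defanged real landing host, suspicious flag)."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")
        host = urlparse(url).hostname or ""
        targets = embedded_targets(url)
        final_host = urlparse(targets[-1]).hostname or "" if targets else host
        results.append((url, defang(final_host), not is_trusted(final_host)))
    return results
```

Running analyse_message(SAMPLE_MESSAGE) reports the facebook.com link as landing on faeboser-storyresver19849[.]io[.]vn and flags it as suspicious.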
Recommendations:
Use 2FA.
When you receive a suspicious link or domain, check it as we described here before clicking on it.
If you have entered your password, log in to your account as soon as possible, change your password, and check whether any new device has been added; if so, remove it.
IOCs:
faeboser-storyresver19849[.]io[.]vn
103.18.7.159