Facebook & Fraud. The Customer isn’t always right

By Sumit Bansal, VP APAC at BlueVoyant

Fraud scams across social media sites are soaring. Only last month, UK bank TSB said there had been a huge jump in the number of scams originating from Meta-owned sites and apps, releasing research that shows they now account for 80% of cases within TSB’s three largest fraud categories: impersonation, purchase and investment.

Back in April 2021, BlueVoyant identified a rise in Facebook customer service impersonation campaigns targeting customers of several large international banks and their subsidiaries. Threat actors create spoofed customer service accounts pretending to represent these organisations, reeling in unsuspecting customers who sought assistance. Customers fail to recognise that the pages are fake and engage with them, playing right into the threat actors’ hands.

The Customer Isn’t Always Right

Our team has determined that it is most likely a team of attackers working together – or at least sharing best practices – to carry out this type of scam. They aim to gain access to customers’ bank accounts by contacting customers who find their fraudulent pages and walking them through a series of steps that appear to be in service of helping them with their accounts, but are actually steering them to provide credentials, personally identifiable information (PII), or, worse yet, direct access to their account itself via a screen control app.

In order to increase the legitimacy of the campaign, the impersonated pages are continuously updated with the bank’s original Facebook content, including the most recent posts and uploaded pictures.

1. Create a new page: First, the threat actor creates a “customer service” page on Facebook. The page typically includes a similar or even identical design to the target’s official Facebook page. The spoofed page’s design is constantly updated so the page appears to be legitimate and credible.
2. Establish first contact with potential victims: After the Facebook page is set up, the threat actor can now reach out to potential victims. The victims appear to originate from two main sources:

• Facebook users who left a comment on the bank’s official Facebook page asking for assistance and are then contacted by the fake page.
• Facebook users who mistook the fake page for the bank’s official page and ask for assistance with their account.

3. Steal customer PII: At this stage, the groundwork for the fraud scheme is laid. The actor, posing as a service representative of the bank, asks for the customer’s email and phone number. The actor uses these pieces of information in the next steps.
4. Account takeover/fraudulent transaction attempts: In order to defraud the customer, the actor uses two separate methods:

• Taking over the customer’s device by using remote control software, allegedly to conduct illicit money transfers through the customer’s bank account.
• Convincing the customer to transfer funds to the actor’s account using a money-transferring service, while also sharing their payment card details.

Springing the Trap

Our analysts engaged with the threat actors running these accounts, acting as customers who have been genuinely tricked. They followed the conversations as far as they could without being exposed or handing over access to their accounts.

After getting the customer’s information, the representative asked the customer to download the Anydesk Remote Control app, which provides platform-independent remote access to personal computers and other devices running the host application. It offers remote control, file transfer, and VPN functionality. The actor uses the software to gain access to the customer’s device, which then allows them to bypass 2FAs, conduct illicit transactions, steal PII and so on.

As our analysts are seasoned threat hunters, they rebuffed this demand to see what the next move would be. The threat actors then asked them to attempt a money transfer using Remitly, an online transferring service, to verify their identity. At this point, the conversation broke down, and our analysts withdrew from the ruse.

Recommendations

Ultimately, the burden will fall on the organisation that has been impersonated to rectify the situation. Therefore, it’s imperative that banks and other financial institutions continue to educate their users and continually enhance fraud prevention protocols.

1. We recommend providing customers with information on the tactics, techniques and procedures of this threat to raise their awareness.
2. Consider implementing a customer education strategy, via official social media accounts, that informs them of existing threats and provides security guidelines.
3. Consider educating your online users on the organisation’s social media and customer support policies. Make sure that your users know what communication platforms are used by your customer service and how to distinguish your actual customer service from fake ones.

This phenomenon puts customers of numerous banks at risk of becoming victims of fraud, while simultaneously harming the banks’ reputation and violating their privacy policies. Ensure you have a digital risk protection service in place and educate customers on potential threats to avoid damage to your business.