vpnMentor uncovered a phishing operation that targeted hundreds of thousands of Facebook users worldwide and was aimed at Bitcoin fraud
Cyber criminals stole Facebook passwords and used posts to lure friends of their victims to websites promoting a Bitcoin scam. Security researchers from vpnMentor revealed that the criminals left their entire operation exposed in an unsecured database. The cloud server is now offline.
The perpetrators put an unsecured Elasticsearch database online
The security researchers at vpnMentor, Noam Rotem and Ran Locar, have disclosed a fraud in which approximately 13.5 million data records were compromised. They found an unsecured Elasticsearch database with approximately 5.5 GB of personal user information. According to cyber security firm vpnMentor, the fraud was discovered after security experts tracked down the completely unsecured database: the fraudsters had forgotten to protect their cloud database against unauthorized access.
The discovered data contained Facebook login information (usernames and passwords) for 150,000 to 200,000 Facebook users, as well as outlines for comments that the hackers used to mislead people into Bitcoin fraud. It also held personally identifiable information (PII), such as emails, names and telephone numbers of users who had logged on to the Bitcoin site, and the domains of the websites used in the fraud.
Perpetrators targeted Bitcoin fraud
The hackers used a very common trick. They offered Facebook users a tool on the platform that supposedly could reveal who had recently visited their profiles. Without realizing that this was a trap, those affected disclosed private information, such as login information and payment credentials, on phishing websites specially prepared for the fraud.
The hackers then accessed the victims’ Facebook accounts using the stolen credentials and posted spam comments via these accounts, referring people to a number of fake Bitcoin trading platforms. On these Bitcoin trading websites, the criminals cheated people out of deposits of at least 250 euros each.
“Sometimes the extent of a data breach and the owner of the database are obvious and the problem is quickly resolved. However, these cases are rather rare. Most of the time, it takes days of investigation before we understand what it is about or who is losing the data. In this case, the incident did not originate from Facebook. The exposed database belonged to a third party who used it to process Facebook account credentials that were illegally accessed through a group of scam websites targeted at social network users.”
The security team first discovered the unsecured database on September 21, 2020. According to vpnMentor, the criminals collected the records in the database in the period from June to September 2020. It is also possible that the operation was more extensive and ran for much longer. vpnMentor deleted the database one day after the discovery. The service reported the case to Facebook that same day. Facebook also forced a reset of the passwords for the affected accounts.
The disclosed information puts users at risk of phishing and misuse of their credentials. Facebook users who believe they have been compromised by this scam should change their login information immediately. vpnMentor warns:
“If you’ve reused your Facebook password for other accounts, change it immediately to protect yourself from hacking. We recommend using a password generator to create unique, secure passwords for each private account and then changing them regularly.”