PUBLIC SECURITY ALERT: Your Trusted Friends Can Hack Your Facebook Account

PUBLIC SECURITY ALERT: New Facebook attack – watch out for phishing messages that say you’re a “Trusted Contact”

If you receive a message from one of your Facebook friends asking for urgent help to recover their Facebook account because they have added you as one of their "Trusted Contacts", don't blindly believe it.

Researchers have detected a new Facebook phishing scam that can trick even an experienced technical user into falling for it, handing an attacker access to the victim's Facebook account.

This latest social media scam abuses "Trusted Contacts", a Facebook account recovery feature that sends secret access codes to a few of your close friends so that they can help you regain access to your Facebook account if you forget your password or otherwise lose access.

According to a public security alert published by Access Now, the attack starts from an already compromised account belonging to one of your friends, which sends you a message asking for urgent help getting back into "their" Facebook account.
The attacker explains that you are listed as one of their Trusted Contacts on Facebook and asks you to check your email for a recovery code and share it with them (while hiding behind your friend's identity).

In reality, the code you receive is not the key to unlock your friend's account. Instead, the attacker has triggered a "Forgot my password" request for your own account, and the code is the one that lets them hijack it.

Believing that a friend is in trouble, most people would share the code without giving it a second thought.

“The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s Trusted Contacts feature,” Access Now warns.

You should know Facebook’s Trusted Contacts feature doesn’t work the way this phishing attack suggests. To understand how this feature works, you can head on to this Facebook post.

Access Now says, "So far we're seeing the majority of reports [of victims of this new Facebook phishing scam] from human right defenders and activists from the Middle East and North Africa."

Although this latest scam is launched from a compromised Facebook account belonging to one of your friends, any of your Facebook friends could also deliberately trick you into handing over your account in the same way (consider how readily people accept friend requests from strangers on the platform).
The best defense is to stay vigilant about every recovery email you receive and to read each recovery message or email carefully, even when the request appears to come from one of your real friends.

How the attack works

Here’s how the attacker attempts to exploit your trust in order to extract the information needed to steal your account:
  1. You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.
  2. The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
  3. Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.
  4. In an effort to help, you send the code you've just received to your "friend."
  5. Using the code, the attacker can now steal your account from you and use it to victimize other people.
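The five steps above hinge on one fact: a password-reset code is bound to the account whose reset was requested and is delivered to that account's owner, whereas genuine Trusted Contacts codes are requested by the locked-out owner and delivered to the contacts. The following toy model, added here as an illustration and not code from the article or from Access Now or Facebook, simulates both flows with a constructed `RecoveryService` class and shows why the code that lands in your inbox during this scam unlocks your account, not your friend's. The accounts, the code format and the `should_share_code` check are all assumptions made for the example.

```python
"""Toy model of Facebook-style account recovery: self-service password reset
versus Trusted Contacts. Constructed for illustration; not Facebook's real logic."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RecoveryService:
    # constructed: account -> list of that account's trusted contacts
    trusted_contacts: dict = field(default_factory=dict)
    # issued codes: code -> (account the code unlocks, recipient it was sent to)
    issued: dict = field(default_factory=dict)

    def _new_code(self) -> str:
        return f"{secrets.randbelow(10**6):06d}"

    def request_password_reset(self, target: str) -> tuple:
        """'Forgot my password' for `target`: anyone can trigger it, but the
        code goes to the target's own email and unlocks the target's account."""
        code = self._new_code()
        self.issued[code] = (target, target)
        return code, target  # (code, recipient)

    def request_trusted_contact_codes(self, owner: str) -> dict:
        """Genuine Trusted Contacts flow: the locked-out owner asks, and each
        designated contact receives a code that helps unlock the owner's account."""
        codes = {}
        for contact in self.trusted_contacts.get(owner, []):
            code = self._new_code()
            self.issued[code] = (owner, contact)
            codes[contact] = code
        return codes

    def account_unlocked_by(self, code: str) -> Optional[str]:
        return self.issued.get(code, (None, None))[0]


def should_share_code(code_recipient: str, code_account: str, claimed_owner: str) -> bool:
    """Defensive check a recipient can apply by reading the recovery email:
    if the email says the code is for *your* account, it is never your friend's
    Trusted Contacts code, whatever the message claims."""
    if code_account == code_recipient:
        return False  # a reset code for your own account: never hand it over
    return code_account == claimed_owner


def simulate_scam(service: RecoveryService, victim: str, friend: str) -> dict:
    """Replay the article's steps: attacker (posing as `friend`) triggers a reset
    for `victim`, victim receives the code, and we see whose account it unlocks."""
    code, recipient = service.request_password_reset(victim)  # step 3
    return {
        "recipient": recipient,                         # the victim, not the friend
        "unlocks": service.account_unlocked_by(code),   # the victim's account
        "safe_to_share": should_share_code(recipient, service.account_unlocked_by(code), friend),
    }


def simulate_legit_recovery(service: RecoveryService, owner: str) -> dict:
    """The real Trusted Contacts flow for comparison: codes go to the contacts,
    and each one unlocks the owner's account."""
    codes = service.request_trusted_contact_codes(owner)
    return {contact: service.account_unlocked_by(code) for contact, code in codes.items()}


if __name__ == "__main__":
    svc = RecoveryService(trusted_contacts={"alice": ["bob", "carol"]})
    print("scam:", simulate_scam(svc, victim="bob", friend="alice"))
    print("legit:", simulate_legit_recovery(svc, owner="alice"))
```

In the scam path the code's recipient and the account it unlocks are the same person, which is exactly what the recovery email itself reveals if it is read carefully; in the genuine flow the owner never asks a contact to forward a code that the contact received for their own account.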

How to defend yourself against the attack

To help you stay safe, we encourage you to follow these recommendations:
  • Treat urgent, unexpected messages with suspicion: Phishing messages often appear to come from a trusted friend. But if you get an odd message, ask yourself, are you already aware of being on a list of “Trusted Contacts” for any of your Facebook friends?
  • Confirm with your friend: Try to verify your friend’s identity by telephone or in person.
  • Act slowly and with caution. Attacks are always evolving. In general, try to stay calm when you get a message where the sender appears to want to trigger a strong emotional reaction, like anger or fear. This might make you think you have to hurry, and it could impair your ability to evaluate the situation objectively. Don’t panic. Figure out what is really happening before you take action.
  • Learn how “Trusted Contacts” actually works: It doesn’t work the way the phishing message in this attack suggests. We explain the details below.

3 thoughts on “PUBLIC SECURITY ALERT:: Your Trusted Friends Can Hack Your Facebook Account”

  1. Stamos said a basic challenge Facebook and similar companies face stems from the freedom they give engineers to customize their environments and experiment with new tools and development processes.
