Cybercriminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts and used them to scam others.
Researchers have uncovered a wide-ranging global scam targeting Facebook users, after finding an unsecured database used by fraudsters to store the usernames and passwords of at least 100,000 victims.
Researchers said that the cybercriminals behind the scam were tricking Facebook victims into providing their account login credentials by using a tool that pretended to reveal who was visiting their profiles.
The fraudsters then “used the stolen login credentials to share spam comments on Facebook posts via the victims’ hacked account, directing people to their network of scam websites,” according to researchers with vpnMentor on Friday. “These websites all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250 [$295].”
Researchers said they have no evidence about whether the data was accessed or leaked by any other malicious parties.
Threatpost has reached out to Facebook for further comment.
The unsecured Elasticsearch database was 5.5 gigabytes and contained 13,521,774 records of at least 100,000 Facebook users. It was open between June and September of this year; it was discovered on Sept. 21 and closed on Sept. 22.
The data in the exposed database included credentials and IP addresses; text outlines for the comments the fraudsters would post on Facebook pages (via a hacked account) to direct people to suspicious and fraudulent websites; and personally identifiable information (PII) such as the emails, names and phone numbers of the Bitcoin scam victims.
Researchers said that in order to confirm that the database was live and real, they entered fake login credentials on one of the scam web pages and verified they had been recorded.
Researchers believe that the day after they discovered the database, it was hit by the ongoing, widespread Meow cyberattack, which completely wiped all of its data. "Meow" refers to a series of attacks that started earlier in July and left 1,000 unsecured databases permanently deleted. The attack leaves the word “meow” as its only calling card, according to researcher Bob Diachenko. Meow attackers also recently targeted a Mailfire server that was misconfigured and left open.
“The database went offline the same day and was no longer accessible,” said researchers. “We believe the fraudsters did this following the Meow attack, but can’t confirm.”
The global scam targeting Facebook users starts with a network of websites owned by fraudsters, which trick Facebook users into providing their credentials by promising they would show targets a list of people who had recently visited their profiles.
It’s unclear how visitors were driven to these websites. Researchers found 29 domains tied to this network, with names such as askingviewer[.]com, capture-stalkers[.]com and followviewer[.]com.
The website tells victims “There were 32 profile visitors on your page in the last 2 days! Continue to view you list,” and points them to a button that says “Open List!” When the victim clicks on the button, they are sent to a fake Facebook login page, where they are asked to input their login credentials. After they do so, a fake loading page appears, promising to share the full list, and the victim is redirected to the Google Play page for an unrelated Facebook analytics app.
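The fake login page described above submits the victim's Facebook password to the fraudsters' own server rather than to Facebook. The check below is an added example written for this article, not code from vpnMentor or Threatpost: it parses a page, finds every form that contains a password field, resolves the form's action URL against the page URL, and reports any that would send credentials to a host outside an allow-list. The allow-list, the `.example` domains and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# ASSUMPTION: a defender-maintained allow-list of hosts that may legitimately
# receive a Facebook password. Subdomains of these hosts are accepted too.
LEGIT_FACEBOOK_HOSTS = {"facebook.com"}


class _FormCollector(HTMLParser):
    """Collects every <form> on the page and notes whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host_is_legit(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LEGIT_FACEBOOK_HOSTS)


def find_credential_harvesting_forms(page_url, html):
    """Return the absolute action URLs of password forms that would submit
    credentials to a host outside LEGIT_FACEBOOK_HOSTS."""
    parser = _FormCollector()
    parser.feed(html)
    suspicious = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action means "submit to the current page", which urljoin handles;
        # scheme-relative actions such as //host/path are resolved too.
        action = urljoin(page_url, form["action"] or page_url)
        host = urlparse(action).hostname or ""
        if not _host_is_legit(host):
            suspicious.append(action)
    return suspicious


# Constructed sample: a lookalike "profile visitors" page with a search form,
# a fake Facebook login form posting to a collector host, and a real-looking form.
SAMPLE_PAGE_URL = "https://profile-viewers.example/login"
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="//collector.scam-network.example/save.php" method="post">
  <input type="email" name="email">
  <input type="password" name="pass">
  <button>Open List!</button>
</form>
<form action="https://www.facebook.com/login" method="post">
  <input type="text" name="email"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in find_credential_harvesting_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("password form posts off-site to:", url)
```

The check is deliberately keyed on where the password goes, not on how the page looks: a pixel-perfect copy of the Facebook login page still has to post the credentials somewhere the fraudsters control.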
“In the process, the fraudsters saved the victim’s Facebook username and password on the exposed database for future use in their other criminal activities,” said researchers. “These were stored in cleartext format, making it easy for anyone who found the database to view, download and steal them.”
The attackers then use the victims’ credentials for the next phase of the attack – taking over accounts and commenting on Facebook posts published in the victims’ network, with links to a different network of scam websites that are owned by the fraudsters. These sites relate to a Bitcoin fraud scheme. When a victim’s Facebook friend visits one of the sites, they are directed to sign up for a free Bitcoin trading account and to deposit $295 to start trading.
“By including links to fake news websites, the fraudsters hoped to bypass and confuse Facebook’s fraud and bot detection tools,” said researchers. “If the hacked accounts only posted the same links to a Bitcoin scam over and over, they’d quickly be blocked by the social network.”
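The rotation between fake-news links and Bitcoin-scam links defeats a rule that only looks for one link being repeated, but hijacked accounts in such a campaign still draw from the same small pool of domains. The detector below is an added example, not code from the researchers or from Facebook: it profiles each account by the distinct posts it dropped links on and the domains it linked, then flags accounts that post links across several posts where most of those domains are also used by other accounts. The thresholds and the comment stream are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_domains(text):
    """Lower-cased hostnames of every http(s) URL in a comment."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def build_profiles(comments):
    """Per account: posts it commented links on and domains it used.
    Per domain: the set of accounts that linked to it."""
    by_account = defaultdict(lambda: {"posts": set(), "domains": set()})
    by_domain = defaultdict(set)
    for account, post_id, text in comments:
        domains = extract_domains(text)
        if not domains:
            continue                      # link-free comments are not link spam
        by_account[account]["posts"].add(post_id)
        by_account[account]["domains"] |= domains
        for d in domains:
            by_domain[d].add(account)
    return by_account, by_domain


def find_coordinated_link_spammers(comments, min_posts=3,
                                   min_shared_accounts=2, min_shared_ratio=0.5):
    """Flag accounts that link on at least min_posts distinct posts and whose
    domains are mostly shared with other accounts (a common campaign pool).
    Thresholds are ASSUMED for this example; tune them on real traffic."""
    by_account, by_domain = build_profiles(comments)
    flagged = {}
    for account, prof in by_account.items():
        if len(prof["posts"]) < min_posts:
            continue
        shared = {d for d in prof["domains"] if len(by_domain[d]) >= min_shared_accounts}
        if len(shared) / len(prof["domains"]) >= min_shared_ratio:
            flagged[account] = sorted(shared)
    return flagged


# Constructed sample stream: (account, post_id, comment_text). alice and bob
# mimic hijacked accounts rotating two "news" domains and one trading domain;
# carol and dave are ordinary users.
SAMPLE_COMMENTS = [
    ("alice", "p1", "wow look at this https://news-feed-today.example/story1"),
    ("alice", "p2", "crazy https://coin-profit-platform.example/signup"),
    ("alice", "p3", "must read https://news-feed-today.example/story2"),
    ("alice", "p4", "https://daily-bulletin.example/item9"),
    ("bob", "p5", "https://daily-bulletin.example/item3"),
    ("bob", "p6", "sign up https://coin-profit-platform.example/signup"),
    ("bob", "p7", "https://news-feed-today.example/story7"),
    ("carol", "p8", "happy birthday!"),
    ("dave", "p9", "see https://en.wikipedia.org/wiki/Phishing"),
]

if __name__ == "__main__":
    for account, domains in find_coordinated_link_spammers(SAMPLE_COMMENTS).items():
        print(f"{account}: links across shared campaign domains {domains}")
```

Because the rule keys on the domain pool shared between accounts rather than on any single URL, adding more decoy "news" domains does not help the operator: every decoy is itself posted by the other hijacked accounts and so raises the shared ratio.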
Researchers advised Facebook users who think they may have been victims of the fraud effort to change their login credentials immediately.
“Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” said researchers. “We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically.”