Facebook fatal accident scam still rages on


Recently I wrote about a malvertising campaign on Facebook that has been going on for almost a year. Facebook is apparently struggling to stop it, and the same type of campaign is now showing up in languages other than English.

I have seen two different types in German.

First Facebook scam

Tödlicher Verkehrsunfall - fatal traffic accident

Translation: Deadly accident on highway causes several fatalities

Notable about this one is that it was posted as a fundraiser and so does not allow comments, which blocks me from posting a warning that this is a scam.

I reached out to the person that owns the account to find out if he knew how his account got compromised. He had no idea, but told me that it seemed like a lot of people were having the same issues. Not only did he see the same type of posts, but he also got a lot of Messenger messages prompting him to click a link.

In the past we’ve seen campaigns on Messenger where clicking such a link would install a Facebook app that required posting permissions. These apps would then spread further from the compromised user account.

Wireshark analysis courtesy of Jérôme Segura

The host storage.googleapis.com gives the link a legitimate feel, but that feeling is not justified. Although googleapis.com is a legitimate service provided by Google, it’s being abused by all sorts of cybercriminals for phishing, tech support scams, and in this case fingerprinting. The script on that site looks at your IP address, your type of machine and whether you are using a VPN. Based on the analysis of that information you are forwarded to the type of scam that is likely to be the most profitable.

An example of a redirect URL shows some of the elements that were fingerprinted.

https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw&click_id=da5d3q51mm737150e7&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows

Malwarebytes has already blocked the windyplentiful.com domain for malvertising.
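As an added illustration (not code from the article or from Malwarebytes), the Python script below parses the redirect URL quoted above, pulls out the fingerprinted elements it carries, and checks the hostname against the domains and IP address the article reports as blocked. The three-field layout of sub_id (campaign id, browser string, operating system) is an assumption drawn from reading the value, not something the article states.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the article reports as blocked by Malwarebytes (values taken from the page).
BLOCKED_HOSTS = {"windyplentiful.com", "altairaquilae.top", "188.114.96.0"}

# Redirect URL quoted in the article, kept in its defanged "[.]" form.
SAMPLE_URL = ("https://byxzz.altairaquilae[.]top/?pl=Yyo1IAH5aE2Q4g9YuOImuw"
              "&click_id=da5d3q51mm737150e7"
              "&sub_id=18222478-Edge%20(Chromium)%20for%20Windows-Windows")


def refang(url):
    """Undo the '[.]' defanging used when sharing indicators in reports."""
    return url.replace("[.]", ".")


def host_is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if the host, or any parent domain of it, is on the blocklist.

    This makes 'oyglk.altairaquilae.top' match the entry 'altairaquilae.top'.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def parse_redirect(url):
    """Break the redirect URL into the fingerprint elements it carries."""
    parts = urlsplit(refang(url))
    query = parse_qs(parts.query)          # parse_qs already percent-decodes
    sub_id = query.get("sub_id", [""])[0]
    # Assumed layout of sub_id: <campaign id>-<browser string>-<OS>. The browser
    # string contains spaces and may contain more text, so only the first and
    # last dash-separated fields are split off.
    campaign, _, rest = sub_id.partition("-")
    browser, _, os_name = rest.rpartition("-")
    return {
        "host": parts.hostname,
        "blocked": host_is_blocked(parts.hostname),
        "pl": query.get("pl", [""])[0],
        "click_id": query.get("click_id", [""])[0],
        "campaign": campaign,
        "browser": browser,
        "os": os_name,
    }


if __name__ == "__main__":
    for key, value in parse_redirect(SAMPLE_URL).items():
        print(f"{key:>9}: {value}")
```

The blocklist match walks up the parent domains, so the per-visit subdomains the campaign rotates (byxzz, oyglk, and so on) all match the single altairaquilae.top entry; a plain string comparison against the full hostname would miss them.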

Malwarebytes Premium blocks the domain windyplentiful.com

Second Facebook scam

The second example is easier to identify as a fake. Both the ambulance and the wrecked motorcycle hail from California, so this is highly unlikely to have happened on the German autobahn.

Accident leaves several victims including a child

Translation: Accident causes several victims including a child

Not only is the picture clearly not German, the grammar of the sentence is another giveaway: it’s a bad translation.

Unfortunately when I set my VPN to pretend I was located in Germany, the script identified it as an anonymous proxy and stopped there.

VPN set to Düsseldorf in Germany

Switching back to the Netherlands I got to “enjoy” sites with explicit content, scam sites where celebrities encourage investing in cryptocurrencies, and websites offering browser push notifications.

Site asking to allow notifications while tempting visitors with an adult video

These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus.

Several attempts on both images led to different domains as well. Other blocks we encountered during our research:

Malwarebytes Premium blocks 188.114.96.0

Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top

How to recover from a Facebook scam

You can recognize this type of scam because they usually tag several friends of the victim. And although the image looks like a click will start a video, it never has for me. The images were hosted at media.discordapp.net/attachments and although the pages contain a link to Vimeo, the videos there have already been removed or were never even there.

If you find your account has posted a message like this, you should assume that someone else has full control over your Facebook account. Simply changing the password is not always enough.

Check for unknown and unused Facebook apps:

1. Click your profile picture.
2. Select Settings & Privacy, then click Settings.
3. Click Apps and Websites.
4. Go to the app or game you want to remove, then next to the name of the app or game, click Remove.
5. Click Remove again to confirm.

Enable two-factor authentication (2FA):

1. Go to your Security and Login Settings.
2. Scroll down to Use two-factor authentication and click Edit.
3. Choose the security method you want to add and follow the on-screen instructions.

Change your password on Facebook if you’re already logged in:

1. Click your profile picture.
2. Select Settings & Privacy, then click Settings (or Accounts Center if you’re on your phone).
3. Click Security and Login (or Password and Security if you’re on your phone).
4. Click Edit next to Change password (or just Change password if you’re on your phone).
5. Enter your current password and new password.
6. Click Save Changes.

If you’re logged in but have forgotten your password or it has been changed to something you don’t know, follow the steps above to change your password, then click Forgot your password? and follow the steps to reset it. Keep in mind that you’ll need access to the email associated with your account.
