Hackers' new trick to take control of Facebook accounts

Researchers from US cybersecurity firm Trustwave SpiderLabs have identified a new online scam campaign targeting Facebook users.

Hackers take advantage of users' lack of vigilance to steal two-factor authentication backup codes, making it easy to take control of accounts.

The scam begins when users suddenly receive an email purportedly from the company Meta (which is actually a very sophisticated spoof), informing them that they will be blocked due to 'a complaint from the owner about copyright infringement'.

To restore access, users must download a complaint form and fill it out by clicking on a link included in the email. In fact, the link leads to a 'twin' website that looks exactly like Meta's official portal.

Next, after the victim visits the fake website, they are asked to complete an 'account verification form'. Here, they will be asked to enter their username and password, as well as an 8-digit two-factor authentication backup code.

Once they have all the data, hackers can easily hack into the victim's account and quickly change the information to take control of that account.

Despite many signs of fraud such as suspicious sender addresses, links to fake websites, sophisticated design of phishing pages, and a sense of urgency..., hackers are still able to fool a significant number of victims.

Two-factor authentication backup codes are considered especially important information, allowing users to recover their accounts when standard login methods become unavailable, such as due to a change in phone number or loss of access to email.

It is important that users are clearly aware that two-factor authentication backup codes are intended for emergency account recovery purposes only and that it is unsafe to enter them at unverified interfaces.

After analyzing the attacks that have occurred, security experts concluded that attackers are very flexible in adapting their methods to new security technologies on all social platforms. However, those who always follow strict security rules will protect themselves from this method of fraud.