
Hacked Facebook and Blik Fraud

What You'll Find Here
  • Facebook, LinkedIn, Social Media, Social Networking Sites
  • Blik Fraud
  • Messenger

Introduction

Have you ever thought about checking if your social media accounts are properly secured?

Terms like multi-factor authentication might leave you with questions: what is that? Why is it necessary? It's not for me, I'm not a programmer.

Most people who use social media recreationally don't feel the need to ensure security. After all, Facebook takes care of keeping my data safe.

“They hacked my Facebook? So what. It’s just a time-waster. I have more important things to worry about.”
How wrong this thinking can be will become clear when the virtual world meets reality, and one day the police knock on your door.

Read our client's story to ensure your safety always and everywhere.

The Plot

A Friday evening for Piotr would have been another relaxing start to the weekend after a hard week at work, if not for a short SMS: “Dude, why do you need that money???”

A quick call to a friend revealed that the friend had received a request on Messenger from Piotr asking for 400 PLN via Blik. Within a minute, messages started coming into Messenger from other friends asking questions like: “What’s going on?”, “I don’t have Blik, can I transfer quickly?”, “???????????”, even from his wife: “What’s this about now!?”. The strangest thing was that there were no messages sent by Piotr on Messenger.

One of Piotr’s acquaintances, whom he didn’t even like, transferred 1000 PLN in good faith. It was a Friday evening, a party celebrating the birth of a son, so it was understandable.

The money went, among other destinations, to a so-called “money mule”. A legitimate company selling on OLX, which was expecting payment for a used iPhone, received the money via Blik from Piotr’s friend. And there were likely many other sellers with goods sent “anonymously” to parcel lockers that could be quickly sold at a pawnshop.

A commotion ensued, as from the perspective of those defrauded via Blik, the money was sent by Piotr, and they would demand reimbursement from him. After all, he can’t deny being the owner of the Facebook account from which the messages were sent on Messenger. It might be difficult to prove that it wasn’t Piotr who sent them. The hacker’s logins came from a mobile internet connection within Poland—at first glance, it appeared that Piotr was logging in from his mobile phone.

What Happened?

Piotr used the same password for “one-time” logins everywhere. It might have been exposed in one of the many recent breaches, including from an e-commerce site of a major furniture manufacturer that had reset all passwords two days prior.

The malicious actor used automated scripts to check these credentials across all popular sites and social networks. They found, among other things, Facebook, where there was a solid list of active users on Messenger on Friday evening.

After logging into Facebook, the hacker checked if Piotr was active. He wasn’t. So the hacker launched another automated tool that, posing as Piotr, sent requests to all Facebook friends with Messenger for:

  • A loan via Blik
  • Payment via Blik for an order, “I’ll pay back after payday”
  • An urgent “Blik transfer” because the bank is down... the card at the station was rejected, I’m at the checkout and don’t know what to do?
  • A message to mom: “Hi! Did you know that we have a joint bank account with Kasia? I want to surprise her and buy a voucher for wakacje.pl, so she doesn’t see the transfer in the history. Will you pay for me, and I’ll repay you when we meet?”
  • A link to “pay for an auction” which, when clicked, collects bank account details
  • A link to a post on a social media site requiring login, thereby stealing data (and allowing for hacking another victim using the same scheme)

Additionally, the automated tool immediately deleted sent messages so Piotr wouldn’t suspect anything.
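
The pattern described above (a login, then a burst of messages to many different friends, each deleted right after sending) is something a defender can look for in account activity. The following is an added example, not code from the original article or from any platform: the event names (`login`, `send`, `delete_sent`), the thresholds, and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sample data, not real platform logs."""
    t0 = datetime(2024, 1, 5, 21, 2, 0)
    events = [(t0, "piotr", "login", "unknown-device")]
    for i in range(12):  # burst: one request per friend, deleted right away
        sent = t0 + timedelta(seconds=20 + 10 * i)
        events.append((sent, "piotr", "send", f"friend{i:02d}"))
        events.append((sent + timedelta(seconds=2), "piotr",
                       "delete_sent", f"friend{i:02d}"))
    t1 = datetime(2024, 1, 5, 21, 0, 0)  # ordinary user for comparison
    events.append((t1, "anna", "login", "known-device"))
    for i, friend in enumerate(["ola", "ola", "marek"]):
        events.append((t1 + timedelta(minutes=1 + i), "anna", "send", friend))
    return events

def find_takeover_bursts(events, window=timedelta(minutes=5),
                         min_recipients=10, min_deleted_ratio=0.8):
    """Flag logins followed by mass messaging with the sent copies deleted."""
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        for ts, _, action, _ in evs:
            if action != "login":
                continue
            # Everything this account did shortly after the login
            in_window = [e for e in evs if ts < e[0] <= ts + window]
            sent = [e for e in in_window if e[2] == "send"]
            deleted = [e for e in in_window if e[2] == "delete_sent"]
            recipients = {e[3] for e in sent}
            if (len(recipients) >= min_recipients
                    and len(deleted) >= min_deleted_ratio * len(sent)):
                alerts.append({"account": account, "login": ts,
                               "recipients": len(recipients),
                               "deleted": len(deleted)})
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_bursts(build_sample_events()):
        print(alert)
```

The thresholds would need tuning against real traffic; the deleted-message ratio is what separates this scheme from a user who simply messages many friends at once.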

During the whole operation, the hacker also sent an email to Piotr, demanding “800 PLN in Bitcoin” to stop the entire operation and not sell the private message data.

Difficult Word: Mitigation

Piotr kept his composure, called friends, and through a good buddy, reached out to us. It’s true, some people party with friends on Friday nights, others with programming code… and there’s a third group working in cybersecurity and on call on Friday nights… :)

“Mitigation,” meaning removing the threat and limiting damage, was handled very efficiently.

When my kids ask what my job is, I say, “anti-hacker,” a bit like a computer doctor and a bit like a detective. From the doctor side, I need answers to my questions honestly, without embellishment. If you want to heal your social media account, don’t hide that the password was easy to guess and you used the same one everywhere. We don’t judge; we know the world isn’t perfect.

Quickly recovering the password, forcing a logout from all devices, and enabling 2FA brought the Facebook account back under our control. Removing the hacker was quick and efficient because the adversary was not a demanding one and relied on a known, automated scheme.

The more challenging part was the so-called damage control. A Facebook account, which may seem like a modern virtual “toy,” can become a real problem.

Break-In, Break-In, and After the Break-In

First and foremost, we had to ensure that all potential victims were informed that Piotr was not the one attempting to defraud them of data and money.
There was a risk that the victims might formally accuse Piotr of data fraud or of causing an unfavorable disposal of property. Therefore, it is wise to gather documentation, even something as basic as screenshots, and report the break-in to the police. It’s useful to have an official record for future reference, regardless of whether the perpetrator is identified.

Fortunately, the Messenger conversation history accessed by the hacker did not contain sensitive data (or evidence of marital infidelity...). So there was no incentive to blackmail Piotr. Essentially, the interaction with the hacker ended there.

However, it is important to remember that many companies use social media profiles to communicate with customers. If a customer sends a private shipping address for a product being returned or repaired via Messenger, it becomes a GDPR incident that needs to be reported to the Personal Data Protection Office. The Office won’t look favorably on the absence of 2FA for social media account logins or a lack of password policies.

In Conclusion

What’s the scale? We checked the Bitcoin wallet provided by the hacker; many people paid the “ransom.”

It’s also worth noting that, just as there are specialists like Inveo providing platforms to enhance data security (e.g., our proprietary platform On Secure), there are also legally operating companies issuing invoices that provide hackers with platforms for conducting automated attacks on a mass scale.

Just one in 1000 passwords working is enough. On the day this article was written, 31 million new records with access data were added to breach databases worldwide, including 1.5 million from Polish e-commerce.
Curious about how much a hacker can earn? Check out our preview calculator.

Did a hacker get into your account? Find out how to get rid of them...

For Our Current and Future Clients

How UnitScore 24/7 Can Take Care of Your Data Cybersecurity

  • Immediate notifications as soon as your email or an encrypted version of your password appears in breach databases (we do not store your passwords!)
  • At the Identity Protection Center 24/7, we gather information on which social media platforms are associated with your emails. If someone has created an account using your data, we’ll know about it.
