Phishing on Facebook – Angler Phishing

This is an actual Angler Fish. Yes it is a real fish, but not the kind we are talking about. Somehow very appropriate though.

Cyber-criminals are masquerading as customer service sites on Facebook, luring disgruntled customers to their Facebook page in order to trick them into divulging their username, password, and other personal information. This is called "angler phishing."

Here is how it usually works. Let's say you have a bad experience with your bank, and you post a negative comment on Facebook or Twitter about the service you received. A cyber-crime crew will be searching Facebook for negative comments about that bank, reply to yours, and direct you to a Facebook "Customer Service" page they have set up to impersonate the bank in question.

They will be very apologetic and solicitous, and guide you to a link to connect you with a "customer service agent." While this chat is progressing, they may also install malware on your computer, possibly a remote access Trojan, banking Trojan, or keylogger. There may also be a form to capture your login and other personal information such as your name and address, Social Security number, bank account number, and the answers to your secret questions. They may even offer to help you "set up security" on your account in order to get this information from you. The ultimate goal is to get your log-on credentials in order to access your bank account and transfer funds out of it.

Understand that this cyber-crew may have fake Customer Service pages for many popular companies, so the approach will not necessarily come from a "bank"; it could be from your "Internet service provider" or your "cell phone carrier." They set up imposter sites for companies with a bad service history and hundreds or thousands of customers, and just wait for the hot post from a disgruntled customer.

The best protection against this exploit, as with so many social engineering exploits, is awareness and skepticism. If you really want to record a complaint with a company, go to their website directly by typing in the address or using your own browser bookmark. Anyone proactively reaching out to you should be assumed to be an imposter until you can prove otherwise. Be careful on your social networks; not everyone is as friendly as they may seem.
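To make the "go to their website directly" advice concrete, here is an added Python example (not code from the original post) that pulls the links out of a reply like the one described above and flags any link whose real host is not the bank's own domain. The official domain `mybank.example`, the helper names, and the sample reply are all constructed for illustration; the point it shows is that a brand name inside a URL proves nothing, because the attacker can put it in a subdomain or before an `@` while the browser actually connects elsewhere.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for this example: the bank's real registrable domain(s).
# In practice you would take this from the address you type or have bookmarked.
OFFICIAL_DOMAINS = {"mybank.example"}

# Constructed sample reply of the kind an "angler" account might post.
SAMPLE_REPLY = (
    "We're so sorry about your experience! Please chat with an agent here: "
    "https://mybank.example.customer-care-desk.example/login and verify your "
    "account at https://mybank.example@secure-help.example/verify . "
    "For real help see https://support.mybank.example/contact"
)

_URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_official_link(url: str, official_domains=OFFICIAL_DOMAINS) -> bool:
    """Return True only if the URL's host IS an official domain or a subdomain of one.

    urlsplit() gives us the host the browser would really connect to, so
    'https://mybank.example@evil.example/' (brand in the userinfo part) and
    'https://mybank.example.evil.example/' (brand as a subdomain of the
    attacker's domain) are both judged by their true host and rejected.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed host (e.g. bad IPv6 literal)
        return False
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    for domain in official_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def triage_reply(text: str, official_domains=OFFICIAL_DOMAINS) -> List[Tuple[str, str]]:
    """Extract every http(s) link from a message and label it 'official' or 'SUSPECT'."""
    results = []
    for match in _URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing sentence punctuation
        label = "official" if is_official_link(url, official_domains) else "SUSPECT"
        results.append((url, label))
    return results


if __name__ == "__main__":
    for url, label in triage_reply(SAMPLE_REPLY):
        print(f"{label:8s} {url}")
```

Running it labels the first two links SUSPECT and only `https://support.mybank.example/contact` as official. The check is deliberately strict (exact domain or subdomain of an allowlist you control); a lookalike such as `rnybank.example` fails it too, which is the behaviour you want from a tool that backs up skepticism rather than replacing it.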


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
