Search

Artists Beware of Fraudulent Buyers


The Incident

Phishing is the tactic used by scammers to steal private information from unsuspecting individuals. Unfortunately, this week one of the members of a Facebook group that I admin was victim to such an attack.

  1. Scammer sent a text inquiring about the Cathy's artwork. The text included a link.

  2. Cathy clicked on the link which took her to a login page that mimicked Facebook's logging page. She entered her username and password.

  3. The scammer proceeded to purchase paid Facebook ads ($100+) on her account. This was an ad for a car. Some of you may have seen it. The ad instructed the user to enter information.

  4. Cathy was locked out of her account multiple times.

  5. Unfortunately, people who clicked on the fraudulent ad left bad reviews on Cathy's business Facebook page.


Text that Cathy received. DO NOT go to the link in the text.

Fake Facebook login page.

Advice

  1. Links in texts from people who you don't know (even potential clients). If you're unsure, hover over the link and see what url shows up in the bottom left corner. For example, in the case that happened this week, the link did not have a Facebook domain (facebook[.]com).

  2. Prompts to enter your login information into forms based on texts or emails from people you don't know.

  3. Messages with a sense of urgency like 'Click on this link before this expires.'

  4. Typos in messages.

  5. Facebook ads that appear too good to be true.

What to do if you are victim of a phishing scam

  1. Change your Facebook password immediately. Instruct Facebook to log out of all other accounts.

  2. Contact Facebook to indicate that you suspect a phishing attack. This is important for recovering any monetary losses.

  3. Check your Facebook settings to see who has logged into your account.

  4. Enable two-factor authentication which sends you a code whenever you log in to your account.

  5. If you used the same password on another site, change that password immediately at the site. Many people use passwords across websites. This is not recommended. You should use a different password for every account. If you're having problems remembering passwords, consider using a password management like Keepass or 1Password.

  6. If you used the same password for something like your bank, contact your bank immediately to ensure that a monitor is placed on your account.

  7. Use a payment option like PayPal for online transactions instead of your bank account. Limit the use of debit cards connected to your savings account for online transactions. In this case, the artist was able to get a refund from PayPal for the malicious transactions.

  8. Report the attack to the FTC. Again, this will be useful for creating your fraud case.

Technical Information

I dug deeper to see if I could find more information about this malicious individuals. Here's what I found:

  1. The scam originated from ip 198.54.126[.]154. This is a NameCheap domain registered to someone in Phoenix, AZ. This ip is associated with multiple domains in the last few days.

  2. The login page that Cathy entered her information was a simple HTML form. I am still trying to figure out where the information was sent.

  3. The scammers used a cross-site scripting (XSS) attack involving Javascript trustedType object.

urlscan.io page indicating that this is a malicious site.
Another domain from the same scammer.

Just a simple HTML form. This proves that the form she used was a spoofed Facebook login page.



Registration information for the url showing that it is NameCheap hosting. The scammer did not enter an actual person's name. I am not sure if the hosting address is legit since there is another hosting company in that building.


This is the address on the registration.



21 views0 comments

Recent Posts

See All