vpnMentor security researchers exposed a Facebook scam that compromised 13 million records. The security researchers found an unsecured Elasticsearch database which contained 5.5GB of personal information of users who also fell for Bitcoin scams.
Security researchers at vpnMentor have discovered an extensive scam operation that involves over 13.5 million data records of around 150,000 to 200,000 Facebook users across the world. The compromised data, amounting to 5.5 GB, was harvested by tricking Facebook users into registering on a spoofed website. The harvested data was then stored unencrypted on an Elasticsearch database.
The unsecured database was discovered by the research team at vpnMentor. The VPN service provider hasn’t shared any details on how exactly users came across these 29 sites. The firm said, “The websites tricked Facebook users into providing their login credentials by promising to show them a list of people who had recently visited their profiles.”
Clicking the ‘Open List’ button on this bogus website redirected users to a Facebook login page.
Users who entered and submitted credentials were redirected, first to a fake loading page, and then to the Google Play page of a Facebook analytics app, while their credentials were stored in the unsecured Elasticsearch database.
Once the operators got hold of user credentials, they would log in and post comments from those accounts that contained links to another set of fake websites masquerading as legitimate Bitcoin trading platforms.
Thus, the scam operation grew exponentially between June and September 2020 — before the databases were wiped clean following a Meow cyberattack, which happened immediately after it was discovered by vpnMentor.
The 5.5 GB of stolen data discovered by vpnMentor contained the following:
- Facebook login credentials (usernames and passwords) of 150,000 to 200,000 user accounts
- Comment text outlines which the scammers posted from hacked Facebook accounts
- Emails, names, phone numbers, and other Personally Identifiable Information (PII) of hundreds of thousands of people who had registered on fraudulent Bitcoin sites, which were also run by the scammers
- Domains of the websites used in the scam
- Technical information on the scam process automation
Scammers were clever in carrying out this operation by mixing links to the Bitcoin scam sites with other fake and legitimate news sites to avoid detection by Facebook’s fraud and bot detection tools.
When Facebook users clicked on a fake Bitcoin trading site, they were directed to sign up for an account and pay a €250 registration fee. So, besides data theft, users also fell for cryptocurrency fraud.
The 29 fake sites for stealing credentials are:
vpnMentor also found hundreds of domains related to the Bitcoin scam. Some of these are listed below:
vpnMentor said they found evidence that the fraudsters were already successfully trapping people in their Bitcoin scams before the database went offline, even before the June-September window. A quick search of Shodan (a search engine built for security professionals) revealed that the database initially contained 11 GB of data. However, this was deleted by the time vpnMentor researchers discovered it.
The exposed data puts users at risk of phishing and credential stuffing attacks. Facebook users who think they may have been compromised under this scam should change their credentials without delay. vpnMentor said, “If you reused your Facebook password on any other accounts, change it immediately to protect them from hacking. We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically.”