Many of us believe in and follow the proverb, “A friend in need is a friend indeed.” While it is good to help out your friends when they need you, but not when the requests come through Facebook.
Researchers at Access Now, an international non-profit organisation which looks into issues affecting open and free Internet, recently discovered a new phishing scam that abuses the “Trusted Contacts” feature on Facebook and tricks you into handing over your credentials to the attackers.
For those unaware, Trusted Contacts is a recovery feature created by Facebook, which allows you to choose 3-5 friends who you trust to help you gain access to your account if you forget your password or your account is locked.
According to a public security alert published by AccessNow, the phishing attack is carried out by someone who has already taken over the Facebook account of your friend. The attacker sends a message saying that he/she is having difficulty in accessing the account and asks you to check your email to verify a recovery code and share with the attacker, as you are listed as one of his/her Trusted Contacts on Facebook.
At this point, they try to log into your account using the “Forgot my password” button. The idea is that when you check your email to get your “friend” information, you end up passing the password recovery code of your own Facebook account to the attackers, thereby granting them access to hijack your account.
“The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s Trusted Contacts feature,” Access Now warns.
“So far we’re seeing the majority of reports [falling victims to this new Facebook phishing scam] from human right defenders and activists from the Middle East and North Africa,” Access Now added.
The best way to keep yourself safe is to contact the person and check if he/she has genuinely sent you a recovery message or email asking for help. Also, it is worth remembering that when you get locked out of your account, your “Trusted Contacts” don’t just send you a recovery code — each of them send a part of a recovery code. In order to get back into your account, you need a part from all of your Trusted Contacts that you have chosen. Read more on Trusted Contacts by clicking here.