Tag Archive for: facebook

Oops! Meta Security Guards Hacked Facebook Users


Facebook parent Meta has disciplined or fired at least 25 workers for allegedly hacking into user accounts. Some of the workers were contract security guards, we’re told.

Wait … disciplined or fired? How were they not all fired? And prosecuted? And how come security guards have access to Facebook’s internal account-recovery tools?

All these questions and more will be asked in today’s SB Blogwatch. Please tell me it’s the weekend tomorrow.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hello there.

‘Oops’ not Even the Half of It

What’s the craic? Kirsten Grind, Robert McMillan, Salvador Rodriguez and Jim Oberman tag team to report—“Employees, Security Guards Fired for Hijacking User Accounts”:

Workers accepted thousands of dollars in bribes
Meta … has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes. … Some of those fired were contractors who worked as security guards [who] were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts … known internally as “Oops.”

Oops, an acronym for Online Operations, is supposed to be fairly limited to special cases, like friends, family, business partners and public figures, but its usage has climbed. … In 2020, the channel serviced about 50,270 tasks, up from 22,000 three years earlier.

In some cases workers accepted thousands of dollars in bribes from outside hackers to access user accounts. … Because so many people depend on social media for their businesses, or to manage critically important aspects of their lives, gaining illicit control of an account can be lucrative.

And Aaron Mok runs amok—“Meta reportedly accused dozens of workers”:

Some of the fired workers denied the accusations
As part of an internal investigation, Meta executives reportedly found that some employees were abusing Oops by working with third parties to gain unauthorized access to accounts in exchange for tens of thousands of dollars. … Meta fired dozens of…


Hacking Tools, Stolen Credit Cards Advertised on Facebook Groups


(Bloomberg) — One user offered hacking services, both ethical and not. Another claimed to be able to change school grades. And several others peddled stolen credit cards and IDs.

Such illegal products and services have long been offered on the dark web, a murky section of the internet that’s populated with illicit forums. But these offers were being made on Facebook, despite repeated efforts by the social media giant to curb illegal behavior on its site.

A Bloomberg News analysis found more than 45 groups and pages — with more than 1 million combined members — where the spoils of cyber crimes and the tools needed to carry them out were offered for sale. Some of the sites were revealed by Facebook’s own discovery mechanism, which recommends groups based on those who have already joined, but Bloomberg discovered others through keyword searches and referrals from other groups. 

Among the most common were hacking-for-hire services, with 11 of the groups and pages specifically dedicated to facilitating the practice, including three with more than 100,000 members. Those groups averaged between 12,000 and 18,000 posts per month, according to data from the Facebook-owned analytics platform CrowdTangle. One tool, listed on a group called Hacker Hub, promises to deliver credentials for popular social media sites and victims’ financial information. 

Alexander Leslie, a researcher at the threat intelligence firm Recorded Future Inc., said the volume of illicit offers on Facebook “way, way overshadows what we see on the dark web in other forums that deal with similar content.”

While hardly definitive given Facebook’s massive size, the Bloomberg analysis indicates the social media platform’s efforts to stop illicit behavior haven’t kept pace. The company now known as Meta Platforms Inc. removed the content in question when reached by Bloomberg News. 

“We take significant steps to stop criminal activity on our platforms and have removed this content,” a spokesperson said via email. “We invest heavily in technology to tackle illegal content and we encourage people to report activity like this to us and the police, so we can take action.”

Since its earliest…


Meta Flags Malicious Android, iOS Apps Affecting 1M Facebook Users


Facebook is contacting about 1 million users of its platform about their account details potentially being compromised by malicious Android or iOS applications.

In a blog post on Oct. 7, Facebook’s parent company Meta said its researchers had detected 400 malicious Android and iOS apps over the past year that were designed to steal usernames and passwords belonging to Facebook users and to compromise their accounts. The poisoned apps were uploaded to Google’s and Apple’s app stores and masqueraded as legitimate games, VPN services, photo applications, and other utilities.

When users downloaded and attempted to use one of the malicious apps, it would prompt them to enter the user’s Facebook username and password. If a user entered their credentials, attackers would gain full access to the individual’s account, private information, and their friends on the social media platform, Meta said.

“This is a highly adversarial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” David Agranovich, Meta’s director of threat disruption, and Ryan Victory, malware discovery and detection engineer, wrote in the blog post.

Meta reported the apps to Apple and Google, and the researchers noted, “We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials and are helping them to secure their accounts.”

Posed as Legitimate Apps

Many of the iOS and Android apps that Meta detected on Apple and Google’s mobile stores purported to have some fun or useful functionality, like music players and cartoon image editors. A plurality (42%) posed as photo editors, some of which claimed they could turn a user’s photo into a cartoon. 

About 15% purported to be business utilities, such as VPNs that claimed to help users access blocked content and websites or to boost their Internet browsing speeds; 14% were phone utilities, such as flashlight apps that purportedly helped brighten the phone’s flashlight. 

Mobile games accounted for about 11% of the 400 or so malicious apps that Meta’s researchers discovered. Fake reviews might have…


Malware Apps May Have Stolen The Passwords Of 1 Million Facebook Users, Meta Says


As many as 1 million Facebook users were targeted with Android and iPhone malware apps that tried to steal their passwords, according to a report released by Meta on Thursday.

The malware, detected across the last year, masqueraded as various kinds of app, including fake photo editors, virtual private networks that claimed to boost browsing speeds and get access to blocked websites, mobile games, and health and lifestyle trackers. Some promised to turn the user’s face into a cartoon, while others provided horoscopes. Some of the apps made it through Apple and Google security and onto the tech giants’ official app stores, though Meta didn’t specify which ones.

The modus operandi of the malware was simple phishing, said David Agranovich, Meta’s director of threat disruption, during a press briefing on Meta’s report. Most of the apps asked for a Facebook login to use the app, which is typical of many apps. But in the background, the usernames and passwords, along with any two-factor authentication codes, were being sent to the app developers, who were looking for illegal access to Facebook accounts and nothing more, Agranovich said. “Our sense here is that this wasn’t kind of a specific geographically targeted thing. This was more an attempt to just get access to as many login credentials as possible,” Agranovich added.

Agranovich suggested that users should be wary of apps that require you to log in to Facebook to gain any functionality. “If a flashlight application is requiring you to login with Facebook before it gives you any flashlight functionality, there’s probably something to be suspicious of,” he said. He said reviews that repeatedly called out an app as a scam also provided a clue as to the legitimacy of the app.

He said that Meta would be warning 1 million users if they had been exposed to the apps in some way, though the company couldn’t definitively say whether or not all those users…
