Brunswick County is booming! But could that be putting a target on its residents’ backs? There is no doubt there has been a major uptick in scam attempts in the Brunswick County and New Hanover County area. But what do they look like and how can you recognize them? In this article we will show a real-life example that we came across by chance in some local Facebook groups. We believe that by documenting and spreading awareness on these subjects we can help combat cyber crime and reduce the number of victims through outreach and awareness campaigns.
Who, What, When, Where, Why, How?
A White Hat Web Solutions staff member came across a phishing attempt multiple times in local Facebook groups. The staff member instantly recognized the attempt, reported it and safely followed the trail behind the fake pages intended to steal users' Facebook login information. Safely accessing the links from the phishing posts, this White Hat Web Solutions staff member documented their efforts to track down the person behind these phishing attempts. While a full report is only available to proper law enforcement channels per request, we have put together an informative, visual article with real screenshots from the phishing attempt to better educate people about these sorts of scams visually.
Spotting The Dangled Bait
Running social media accounts for clients, you come across a lot of... interesting stuff. What we came across this time was multiple phishing attempts in a few different local Brunswick County Facebook groups. Scary! What is phishing exactly? Phishing is the practice of creating and using fake log-in pages resembling those of reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Sounds crazy, right? Well, it happens, and here is just one example!
You're scrolling through your Facebook feed quickly for a minute when you come across a post that catches your attention. And it is meant to do exactly that.
Picture 1 is a screenshot of the first real phishing attempt we came across, found in the wild on Facebook mobile in a local Brunswick County group. We immediately reported the post to both Facebook and the group's admin. Here is that post:
Something smells... Phishy...
Within the first few sentences it can have your heart racing, you're hooked! It sounds so awful! This is in a local group! It must be at a store I go to! There is no way! I am afraid now! We must find this guy from the video! Let me see if I know him…
It happens fast. It is designed that way. Like an evil marketing trick, catching your attention right away, hooking you, then reeling you in. Your Facebook account now belongs to some shady actor only God knows where. And you might think you would notice if your Facebook account has been hacked? You would be surprised. It is unlikely everyone would notice it right away. And this cyber criminal who now has full access to your Facebook account isn’t going to do anything crazy with it. No, more than likely they are going to be as quiet as possible. They are not going to change your profile picture to a picture of a clown or change your bio to something childish or even change your password and lock you out.
Nope, usually what happens is these bad actors quietly repeat the process. They create a phishing botnet of sorts, maybe without the bots, that uses hacked accounts to target, phish, and steal the credentials of other accounts. There are many reasons why these nefarious characters would engage in such illegal activities. But that is a post for another time; let’s talk about awareness, and about spotting and avoiding these sorts of hacking attempts.
As you can see, they use an emotionally charged post to catch the attention of possible victims. They provide a shortened URL to help mask the destination before you click it. This is most definitely effective on mobile. On desktop, however, if you hover your mouse cursor over the clickable link WITHOUT clicking, the browser will generally display, in its bottom-left corner, the actual URL you will arrive at if the link is clicked. With a shortened link, that preview shows the shortener's address rather than the final page, which is itself a reason for caution. This might not work on every browser, but it is one way to quickly check whether you are being duped.
Bait taken, reeling the line in!
Their next move after posting this was to make a “Call to Action” type comment on the post and then immediately turn off commenting on the post. In marketing speak, a Call to Action (CTA) is a design meant to prompt an immediate response or encourage an immediate sale. A CTA most often refers to the use of words or phrases that can be incorporated into sales scripts, advertising messages, or web pages, which compel an audience to act in a specific way. So they captured your attention and got you going with the post, then they dropped a CTA in the comments and locked them so no one could ask questions or warn others about the post.
A screenshot of the full post with the added comment is shown here as Picture 2:
Second Attempt Noticed!
A day or two after we reported the first phishing attempt, we came across another one! It was in yet another local Facebook group, this one smaller and more private, which is an interesting anecdote. It was the exact same post, but the person posting was a different person! We had to dig deeper now! You caught our interest.
Here is a real screenshot of the second attempt labeled Picture 3:
Now let’s say you accidentally click the link. You are so worked up by the content of the post that you need to see that video and help catch this evil person in your community! So you click the link and head down that road. Let’s see what that would look like. But before that we must issue a warning here:
WARNING!
We DO NOT EVER recommend clicking or following these types of links if you think they are suspicious! If you are unsure or if you think a post/link is suspicious, report it, and leave it alone! You should never click unknown and suspicious links, as websites can sometimes contain malicious scripts that run simply because you visited a URL. Please do not try to copy what we do in this article and do not try to trace these phishing attempts unless you have the proper knowledge of the tools and technologies to do so safely. While a full report is only available to proper law enforcement channels per request, we have put together an article with real screenshots from the phishing attempts to better educate the public about these sorts of scams visually. If you attempt to copy or recreate any of our attempts, you do so at your own risk and we cannot be held responsible for any outcomes or damages.
Following the phishing line
Now, let’s say you have hypothetically clicked that malicious link that was put there to steal your information. What happens next? The answer here isn’t always the same. Practices and execution change from instance to instance. There could be a group that has one way of doing things or it could be a lone actor that knows another. Sometimes there's just no telling, but what you can do is educate yourself so you have less of a chance of becoming a victim!
Here is the first page that comes up when you click the link in the Facebook post. A real screenshot of that webpage is attached as Picture 4:
That doesn’t look so bad, right? Wrong! I know it has what looks like a YouTube video with a graphic warning as a thumbnail. But it is actually just a picture with an href link in the HTML that makes it clickable and redirects you to another URL. Check the address bar at the top of the browser and see what website you are on. Notice that in Picture 4 above, the URL in the address bar is neither YouTube nor Facebook? Some won't even notice this. Their natural instinct is to hit the play button. They want to watch this video as fast as possible. Don’t forget, we are emotionally charged right now, there is a crazed man on the loose in our community! So you click the YouTube video to play it, but instead it brings you to another page.
And what is this page? This is what seems to be a Facebook login page. Darn! You were so close to watching that video, helping catch that criminal and keeping your community safer! You think to yourself: my phone must be acting up, I must have left Facebook and gone to where the video is, but now the stupid browser signed me out or something, let me just log in quickly to finally watch this darn video!
Here is a screenshot of the actual credential-stealing page, attached as Picture 5:
Again, check the URL of the page in the address bar of your browser. You will notice in Picture 5 above that the address bar of the browser we were using at the time says “https://foxnews.*********.net/”. That is clearly, again, not Facebook or YouTube. Some won’t pay it any attention, and to an untrained eye in an emotional state it might sound “legit” enough to click. I mean, it does say Fox News, right? Again, wrong!
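The address-bar check described above can be written down as a small rule. The following JavaScript is an added example, not part of the original investigation: the function names are hypothetical, the links are constructed, and example.net stands in for the masked domain from Picture 5.

```javascript
// Added example. Links are constructed; example.net stands in for the
// masked domain shown in Picture 5.
const EXPECTED_SITES = ["facebook.com", "youtube.com"]; // sites the post imitates

// Return the expected site that owns this hostname, or null.
// Matching is done on a dot boundary: "m.facebook.com" matches,
// "notfacebook.com" and "facebook.com.example.net" do not.
function owningSite(hostname, expected = EXPECTED_SITES) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return expected.find((s) => host === s || host.endsWith("." + s)) || null;
}

function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "suspicious", host: null, reasons: ["not a valid URL"] };
  }
  const reasons = [];
  if (!owningSite(url.hostname)) {
    reasons.push(`address bar host is ${url.hostname}, not Facebook or YouTube`);
    // A familiar name used as a subdomain label proves nothing about ownership.
    const brands = EXPECTED_SITES.map((s) => s.split(".")[0]);
    const borrowed = url.hostname.split(".").filter((l) => brands.includes(l));
    if (borrowed.length) reasons.push(`"${borrowed[0]}" appears only as a label`);
  }
  // Anything before "@" is a username, not the site being visited.
  if (url.username) reasons.push(`"${url.username}@" is not the destination`);
  // https is required, but the fake login page in Picture 5 used https too,
  // so it is never evidence of legitimacy on its own.
  if (url.protocol !== "https:") reasons.push("connection is not https");
  const verdict = reasons.length ? "suspicious" : "expected";
  return { verdict, host: url.hostname, reasons };
}

for (const link of [
  "https://m.facebook.com/login",
  "https://foxnews.example.net/",
  "https://facebook.com.example.net/login",
  "https://facebook.com@login.example.net/video",
]) {
  const r = checkLink(link);
  console.log(r.verdict.padEnd(10), link, r.reasons.join("; "));
}
```

Only the first link is reported as expected; the other three each belong to example.net no matter which familiar name appears in front of it.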
The end of the line!
Here is where the actual “Phishing” happens. With this page on the screen in front of you, you are staring directly at the hook. Sharpened, tied to a line and being ever so carefully dangled in front of you through a small click funnel, with an emotional post sitting so deliciously on the end of the hook as bait.
You have come so far and there is no turning back now! You decide to sign into what you think is “Facebook”. You put your email in, then your password, and click sign in. “Login successful” pops up, finally something worked! The page loads, a video pops up, yes, finally the video you’ve worked so hard to see! You're going to ID this criminal, collect the reward and be a rich hero! Sometimes, if it seems too good to be true, it is.
Awesome, it’s loading, any minute now… But it doesn’t load. The little circle keeps turning, you think it's loading. Maybe you refresh 12 times. Maybe you go back and repeat the process. But the video never loads. Why? Because there is no video. On the very last page, as your reward for entering your Facebook credentials, you get a GIF. Yes, a GIF. A never-ending loop of a loading screen. The URL in the browser address bar even says that the file you are currently viewing is a GIF. Shown here as Picture 6:
This nefarious hacker now has your login information. There is so much they could do with it, which we will cover in an article coming soon, but for now, more than likely, they are going to use it to expand the number of hacked accounts they control.
A lot of this comes back to the address bar, no? Being aware of your surroundings online is just as important to your safety as being aware of your surroundings in public, especially nowadays when so much of our information, data and lives are on the internet.
Prevention and Tips on Prevention
Now that you have seen and been walked through a real-life phishing attempt, you might wonder how you can help prevent yourself from falling victim to this type of thing. Well, the first step, and in our opinion the most important, is education! Exactly what you are doing right now by reading this article. Great job so far! Educating yourself on these sorts of things is the best way to prevent them from happening to you. Our next suggestion is to practice being more aware, like making it a habit to check the URL before you click it.
Another way to check links before you click them, which usually works on both mobile and desktop, is:
Right-click the questionable link, or long press it on your phone. Sometimes it will display the link right then and there, but if it doesn’t, click the copy link button, go to a text pad and paste it. Is it the link you were thinking of? Maybe, maybe not. But you are learning to be safer. This is especially helpful if you are trying to do your due diligence in checking out a link and you can’t highlight it or get a link preview to come up. Other than that, if you are unsure of something, don’t click it and scroll away from it!
Conclusion
We genuinely hope you have found this article interesting, informative and educational. As we said before, we believe by documenting and spreading awareness on these subjects we can help combat online cyber crime and reduce the number of victims through outreach and awareness campaigns.
Please like and share this article to help spread awareness and educate others to improve overall online safety. If you would like to read future posts from White Hat Web Solutions please like and follow us on our socials for updates!
Important Information!
What To Do if You Responded to a Phishing Email
If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.
If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.
How To Report Phishing
If you got a phishing email or text message, report it. The information you give can help fight the scammers.
Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org.
If you got a phishing text message, forward it to SPAM (7726).
Step 2. Report the phishing attack to the FTC at ReportFraud.ftc.gov.