Attack analysis of my mom's Facebook account

Recerntly, my mom's Facebook account was hacked. I want to discover the process of discovering the attack, how it's done and what we do to prevent it. I think the last part is particularly important as measurments accepted by my mom should be accessible to everyone.

The case is simple. But a good example of what happens the most often. Not the most sophisticated attack on the most important people. But simple attacks and the damage it can do.

Discovery

Morning 8 AM. my mom asked me about an email from Meta with an invoice attached and if it's a scam. This is weird since Google shold filter most of the spam emails. First question I asked myself was "is the email really from Meta?". Yes, it's from facebookmail.com which is in fact listed on Meta's support page. Well.. SMTP ain't the most secure protocol invented, maybe this is a new spoofing attack? From Meta? That's gonna be big. No, it's not spoofing. DKIM looks good and links on the email are pointing to facebook.com and meta.com directly without weird query parameters. It can't be their pages getting hacked. Maybe phising + a new punycode attack? Can't be that either, browsers have decent policies on the URL bar. Now I'm curious.

Looking into her email history, She has been getting emails from Meta, from the same domain since October 1st. "That ain't right for phishing" I thought. My thought switched, the more likely explnation is her Facebook account have been compermised. "If that's the case we should damage control immidately and solve issues later" I thought. She gave me permission to use her Facebook app on her phone. Logged it, I go to Settings & Privacy > Settings > Accounts Center > Password and security and looked for suspecious devices. There is one that we don't recogize. It is immidately removed. I don't blame Facebook from not noticing this abnormal activity. It's from a city near where she works, on a Windows computer (but she only uses Facebook her phone).

Attack timeline

Now I have to take back control of her account. This is where trouble starts and I actually find how pacience the attacker is. The attacker have blocked every method of recovery and deleting their advertisment from the account. They have changed her password and added their email as a higher priority email. With this setup, I cannot reset her password as reseting password requires access to the email and changing passwords needs the current password. I can't even delete the account as it requires the password. F**k. We'll have to rely on Facebook support for this one, but my hopes are not high.

However, I do manage to piece together the attack timeline and the attacker's intentions through account events.

• 2024-04-29: Attacker first logged in from a computer, by guessing a weak password. And took away admin rights from my mom's account.
• 2024-09-01: Attacker opened a new facebook page and added it to my mom's account. Added their VISA debit card for payment. Starts running ads and selling fake products.
• 2024-09-XX: Facebook figured out weird activity and suspended advertising.
• 2024-10-01: Facebook started sending email for failed payments (the VISA card was blocked).
• 2024-10-08: My mom asked me about the email and we discovered the attack.

That 4 month gao between the first login and the attacker doing anything is interesting. Why?

Reinforcing for important accounts

So while still trying to sort out the Facebook account. We had to take percussions since she is using a weak password across multiple accounts on different websites. The most immediately important one is her Google/Gmail used for everything. It was early in the morning and she had to go to work soon. I did the minimal amount of work to ensure and prevent her Google account from being compromised. Login devices and locations are checked, good news that there is no unknown devices. I enabled both SMS and added Google Authenticator for 2FA. Showed her how to login with Google Authenticator and how it pervents from attackers. It sit well with her surprisingly. She is able to setup TOTP 2FA on her own!

I wasn't sure if I should ask her to change all her passwords. Luckly she asked me if she should and she says she have been using Google's password manager. "Nice!" I thought. I had to explain that changing passwords in Google's password manager doesn't change the actual password on the website. She had to manually change the password on the website then update the password manager. But she is quite ok with using long, unique and random passwords for all acconts. Finding some time during work to change passwords. Also she is quite ok with copy and pasting passwords from the password manager. I'm happy with the outcome.

It's not the best I can do. But short of giving her one of my backup Yubikeys, I think it's the best I can do in a short time. And TBH, good enough for most people.