Access Now, an international non-profit organisation which looks into issues affecting open and free Internet, has published a report in which it warns users of a growing phishing attack on Facebook. For the new attack, the report notes, attackers are targeting Facebook's 'Trusted Contacts' feature.
Fraudulent minds are fooling innocent users into sharing their password reset code, Access Now reports. So here is how it goes: there is a feature on Facebook called Trusted Contacts which lets a user declare a couple of their friends and family members as people they would rely on in case something goes wrong with their account. For whatever reason when this user ever loses access to their account, these trusted contacts would vouch for this user to help him get the account back.
This is at the centre of what appears to be a growing phishing attack. But before we get into how attackers are able to trick innocent users, it needs to be pointed out that this chain of attack is contingent upon the bad guy already having access to one of your friend's accounts.
Attackers are getting in touch with their "trusted contacts" on Facebook after gaining access, saying that they cannot gain access to their account. But because these people are trusted contacts, they should be able to help these poor fellows regain access to their account, Access Now adds. When they have gained the trust of their contact, they go to Facebook and request the service to reset the password (using the "I forgot my password" button on login page) of one of the trusted contacts.
The person, who is one of the trusted contacts of the attacker, receives an email with a code. What the trusted contact doesn't realise is that the code he or she is sharing is not to help their "friend" regain access to the account, but to reset the password of their own account.
Once the attacker has received the password recovery code, they quickly gain full access to their trusted contact's account. And so continues the chain. Now they will message this trusted contact's trusted contacts.
Access Now says that if any person is asked by their friend for any such code, they should place a phone call to that person to ensure that they really need help.