Facebook Small Business Grants Spark Identity-Theft Scam

facebook small business grants

The cybercrooks spread the COVID-19 relief scam via Telegram and WhatsApp, and ultimately harvest account credentials and even pics of IDs.

Cybercriminals are exploiting a $100 million Facebook grant program designed for small businesses impacted by the pandemic, to phish personal information and take over Facebook accounts.

The perpetrators are trying to dupe people into thinking that the social network is handing out free money to any user affected by COVID-19, according to a Kaspersky analysis. It’s using messaging platforms to proliferate.

“This is an attack that was caught propagating via messengers, such as Telegram,” Vladislav Tushkanov, senior data scientist at Kaspersky, told Threatpost. “This seems to be a common trend – we even see some attacks where after asking for your private info, the perpetrators ask you to forward the scam link to your WhatsApp contacts (e.g. ‘to spread awareness about these benefits’).”

Despite the “must be too good to be true” aspect of the game that should tip most people off, the cybercriminals are taking steps to make the offer seem legit.

“Samples detected by Kaspersky indicate that potential victims viewed an article appearing to come from a prominent media outlet [CNBC] and were prompted to follow a link to apply for the grant,” researchers explained, in a Tuesday post. They pointed out that there is in fact, a real CNBC article about coronavirus-related Facebook grants, but the legitimate program is for small businesses, not individuals.

The bogus CNBC article. Source: Kaspersky

If people were sucked into clicking the link, they were taken to a phishing page and asked to enter personal information, even including a scan of both sides of their ID.

“First you’ll be asked for your Facebook username and password,” according to Kaspersky. “If you enter them, they’ll go straight to the cybercriminals. Then, to accept your application, the site requires a lot more information, supposedly to verify your account: Your address, Social Security number (for U.S. citizens), and even a scan of both sides of your ID. No fields can be left blank, and the site diligently prompts you about any omissions.”

The portal mimics the official site of Mercy Corps, a charity that helps victims of natural disasters and armed conflicts.

“However, the only topic on this one is Facebook grants, and the victim is asked to specify how many years they have been a user of the social network,” researchers noted. “The collected information allowed the scammers to gain access of their victims’ Facebook accounts, which they could use to pull off other crimes, including identity theft.”

There are a few red flags along the way; for instance, the headline in the purported CNBC article is filled with grammar mistakes.

“The grammar should give away the game, and the URL, which does not start with cnbc.com, is another suspicious element,” according to the posting.

Also, the grammar on the phishing website “stinks,” the researchers said, and most of the links don’t work. “And, of course, the site URL does not contain facebook.com, so it clearly has nothing to do with Facebook,” they added.

Once the information is submitted, the crooks log into the victim’s Facebook account and then try to message friends or leave postings that ultimately are aimed at extracting money from them.

“Facebook accounts can be used to scam victims’ friends and relatives directly or to promote further scam,” Tushkanov said.

However, the form fields provide the crooks with enough personal information to steal full identities, researchers warned. “Armed with this and scans of your documents, they will likely be able to get into any of your accounts, including online banking.”

These types of scams aren’t going away anytime soon, Tushkanov said, so people should be vigilant and careful in vetting “offers” like these.

“We have seen numerous attempts to lure people by promising them some kind of coronavirus-related compensations – for following by stay-at-home orders, payments for children etc.,” he told Threatpost, adding that these kinds of simple scams are the most common. “More sophisticated attacks are by definition more difficult to carry out. So yes, these more simplistic attacks seem to still be the most common ones. Ultimately, almost all scammers are driven by some kind of financial incentive.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.