Watch out for the “I can’t believe he’s gone. I’m going to miss him so much” post on Facebook

A massive Facebook phishing campaign saying, “I can’t believe he’s gone. I’m going to miss him so much,” leads unsuspecting users to a website that steals your Facebook credentials .

The #phishing attack “I can’t believe he’s gone. I’m going to miss him so much” is still ongoing and spreading widely on #Facebook through hacked friends’ accounts.

Where threat actors are building a huge army of #stolen_accounts to use them in more #fraud_operations on the #social_media platform . Since the posts come from your friends’ hacked accounts, they appear more convincing and trustworthy, leading many to fall for the scam .

This #phishing campaign started about a year ago, as #Facebook had trouble blocking posts that continues today.  However, when new posts are created and reported, Facebook deactivates the Facebook.com redirect link in the post so that it no longer works .

#Phishing posts on Facebook come in two forms, one that simply says: “I can’t believe he’s gone. I’m going to miss him so much,” and contains a Facebook redirect link . The other uses the same text but shows what appears to be a video from BBC News of a car accident or other crime scene, as shown below .

Clicking on the link from the Facebook mobile app will take visitors to a fake news site called “NewsAmericaVideos” that prompts them to enter their Facebook credentials to confirm their identity and be able to watch the video . To entice the visitor into entering their password, they show what appears to be a blurry video in the background, which is just an image downloaded from Discord. If you enter your Facebook credentials, threat actors will steal this data, and the site will redirect you to Google.

Although it is not known what stolen #credentials are being used for, it is likely that threat actors will use them further to promote the same #phishing posts through #compromised_accounts .

However, if you visit phishing pages from a desktop computer, the phishing sites will redirect users to Google or other scams that promote VPN applications , browser extensions, or affiliated sites .

Since this phishing attack is not trying to steal two-factor authentication (2FA) codes, Cyberax strongly recommends that Facebook  users enable two-factor authentication to prevent access to their accounts in the event of such scams. Once activated, Facebook will require the user to enter a unique one-time passcode every time their credentials are used to log into the site from an unknown location . Since he is the only one authorized to access these codes, even if his credentials are stolen, hackers will not be able to log in .