Recently I read a lot about “Facebook Owner Hacks” in where pages are hijacked. It seems to be a common problem, many threads about this can be found in the Facebook Help Community (such as https://www.facebook.com/help/community/question/?id=133720507584025).
In order to understand how this work, I setup a honeypot page and built up some likes, after some time I started receiving messages such as
“Are you interested in posting articles on your page?” with prices ranging from 5 to 100 dollars per item. Bingo!
Note: All the profiles used to send those private messages used names that did not seem to bear any correlation to the profile picture.
All messages to the page used the following scheme, where they assured all is “legit” and according to the “Facebook policy”. They even claim to support multiple payment options. My first guess was, that they want to be added as a page admin or similar — turns out I am wrong.
“There will be no access to us” — Now I am interested and kept asking.
Turns out you are supposed to accept the “Facebook invitation”.
Even a video tutorial is included, this seems to be a pretty streamlined process . .
A few minutes later I received the following email in my mailbox,
After clicking on that link one is prompted to choose a username, then verify with Facebook. Please note this was not phishing but an actual Facebook Business website. All of the ticks under the password box do not seem to give “Article Beta V17.2” any access it shouldn’t, right?
After sending “proof” I was assured no posts would be made before the first payment.
When clicking around in the Facebook Business Manager, I saw that a new administrator was added:
Additionally, under “Assigned Assets” all access was grayed out:
Turns out, accepting this invitation sets the page owner to said “Article Beta” application — a page owner being outranking page admins.
What is perfidious about the whole thing, that Facebook never shows any notice on that a page owner will be set by accepting the link — nor gives you any possibility to reverse this action or even contact them about this problem.
When going back to the Facebook page itself, a new admin appeared shortly:
Checking his profile, our “hacker” from Pakistan seems to have a very … interesting taste in music:
That new admin did not last for long, it seems Shahzaib uses fake profiles (obviously female) to trick people into adding the seemingly harmless “Instant Posts” app to Facebook Business, then with the new access adds himself as Page Admin.
Shortly after the page is transferred to the presumed buyers, while the original admins are denoted to “Analyst”, including two new members.
“Hacked Pages Recovery Solution”
There are links pointing to a Facebook page called “Hacked Pages Recovery Solution” which is supposed to bring back your page,
This service is not performed for free however,
Turns out there actually is a way to contact Facebook, but I have not figured out how yet,
This whole service makes me wonder, if this is actually part of the whole scam.
Conclusions
This whole scam seems to happen quite a lot, with people paying the scammers to receive admin privileges to pages. For what purpose I cannot tell. The posts made are from random pages.
Additional information
Here a screenshot of the “Article Beta” app:
