Helpful Hackers
Checking in on Facebook much too late last night, I noticed an invitation to connect from someone who is already a Facebook friend, so, as I always do, I sent them a message telling them that it looked as if their account had been cloned, and that several friends had already accepted requests.
Shortly afterwards, they posted a message to warn their friends about the compromise, which is absolutely the right thing to do. However, I did notice an alarming development.
When people whose accounts have been cloned put up a post to warn their friends, they often get a number of comments from ‘people’ they don’t know suggesting that they get in touch with a ‘helpful hacker’ who’ll get their stolen account back for them. (NB, when someone clones a legitimate account, it doesn’t mean that they’ve actually gained control of the legit account: they don’t need to.)
Here’s an excerpt from my FAQ blog on the subject that deals with this aspect of the problem.
You may see comments from self-described experts or hackers offering to help you regain your hacked account, or from people recommending such helpers, even when your account has probably not been hacked but cloned. Regard them with suspicion: they may be from people wanting better access to your account. I’ve also noticed more comments than usual advising the people concerned to contact pseudonymous hackers/anti-hackers (often on Instagram) to get help. These are often not from real people at all, but from bots programmed to respond to keywords like “hacking” – this happens on other social media platforms too. Giving your details to someone random and pseudonymous on a platform that security experts tend to mistrust is not a good idea: normally, I’d suggest just ignoring such comments or even deleting them (certainly if they appear to come from someone you don’t know). While Facebook can be slow in responding to cloning notifications, they’re a safer option than a self-proclaimed ‘hacker’.
It’s possible, of course, that the scammers will also respond to words like ‘cloned’ or ‘compromised’, either now or in the future. However, it may be that they’ll figure that if you know the difference between hacking and cloning, you’re not likely to be a ready victim.
So far, business (or malfeasance) as usual. In this instance, the victim of the cloning had used the term ‘hack’, so I don’t know if using a different term would have stopped the flood of bot ‘recommendations’. But it’s not just the number of such comments that’s worrying – I saw several pop up even as I was responding to the post myself – but the variety and sophistication of some of these comments.
- None of the comments I saw were from someone claiming to be the ‘helpful’ person themselves: they were all presented as recommendations from someone who’d had a similar problem. Well, that continues an ongoing trend: clearly, the assumption is that victims will be more receptive to recommendations from other victims than from someone advertising their own services. (They don’t seem to be calling themselves hackers any more, either.)
- One actually claimed that the person ‘they’ were recommending was a Meta engineer. Given that Meta/Facebook can be quite slow reacting to reports of cloning (or indeed actual account hijacking, which is much less common), perhaps it makes sense that people would respond more readily to a ‘helpful’ and presumably knowledgeable individual on the inside of the organization rather than go through the slow and often unsatisfactory official process. However, the fact is that anyone can set up a Facebook page (or Instagram or Twitter account) claiming to be someone or something they aren’t, whereas the official process does at least make some attempts to maintain rational checks and balances. (Yes, that’s probably the nearest I’ve ever got to complimenting Facebook…)
- A second ‘person’ expressed their own frustration at being similarly ‘hacked’ and recommended that the victim contact an account on Instagram. At this point, my friend commented that he didn’t know either of these commenters. This is an important point: it’s unlikely (though not impossible) that a bot will appear to respond from someone with whom you’re actually connected. It’s likely, though, that the scammers behind these bots will attempt to get past that red flag in future, if they aren’t doing so already.
- Soon afterwards, there were two identical posts from different ‘people’ describing how Instagram made them jump through hoops to prove their ownership of their accounts, without success until they contacted the person they were recommending. Sadly, there are enough (presumably genuine) accounts around of similar issues of poor service from social media platforms to make these accounts superficially convincing. While it’s a huge red flag when different people seem to post the exact same comment, it’s not going to happen every time, and I would expect the scammers to attempt to reduce the likelihood of different bots posting the same message as they fine-tune their scam mechanisms.
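An added example, not part of the original post: the red flags listed above (a commenter who isn't among the account owner's friends, the same text from different accounts, a referral to an account on another platform, a claimed insider) expressed as a triage check over a post's comments. The names, handles, comment text and the `score_comments` helper are all constructed for illustration, and normalising text before comparing goes slightly beyond the exact-match case described above.

```python
import re
from collections import defaultdict

# Constructed sample data: commenter names, handles and text are invented.
FRIENDS = {"Alice Example", "Bob Example"}
COMMENTS = [
    ("Alice Example", "Thanks for the warning, I've reported the fake profile."),
    ("Carol Sample", "Instagram made me jump through hoops to prove ownership, "
                     "no luck until I contacted @example_recovery on Instagram."),
    ("Dan Sample", "Instagram made me  jump through hoops to prove ownership, "
                   "no luck until I contacted @example_recovery on Instagram!"),
    ("Erin Sample", "Same thing happened to me. A Meta engineer helped, "
                    "message example_helper on Instagram."),
    ("Bob Example", "Reported it too."),
]

# A verb urging contact, followed by a handle or a named platform.
REFERRAL = re.compile(
    r"\b(contact(ed)?|message|reach out to|dm)\b.*"
    r"(@\w+|\bon (instagram|twitter|telegram|whatsapp)\b)",
    re.IGNORECASE | re.DOTALL)
INSIDER = re.compile(r"\b(meta|facebook|instagram) (engineer|employee|staff)\b", re.I)


def normalise(text):
    """Lower-case and drop punctuation/extra spaces so trivial edits still match."""
    return " ".join(re.sub(r"[^a-z0-9@_ ]+", " ", text.lower()).split())


def score_comments(comments, friends):
    """Return {author: sorted list of red flags} for comments that raise any."""
    authors_by_text = defaultdict(set)
    for author, text in comments:
        authors_by_text[normalise(text)].add(author)
    flagged = {}
    for author, text in comments:
        flags = set()
        if author not in friends:
            flags.add("not-a-friend")
        if len(authors_by_text[normalise(text)]) > 1:  # same text, different accounts
            flags.add("duplicate-text")
        if REFERRAL.search(text):
            flags.add("off-platform-referral")
        if INSIDER.search(text):
            flags.add("claims-insider")
        if flags:
            flagged[author] = sorted(flags)
    return flagged
```

Calling `score_comments(COMMENTS, FRIENDS)` leaves the two friends' replies unflagged and reports the other three commenters with the reasons each one tripped.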
I will admit that I rather enjoyed the comment from someone who had ‘the same issues’ and regarded it as a ‘really frustrating massage’. That must have rubbed them up the wrong way. But I’d still advise against taking their recommendation seriously.
My FAQ on the topic of cloning in general is here: Clone Wars Revisited – Facebook Friend Requests. I’ll be updating it with this information shortly.
David Harley
*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/07/19/helpful-hackers/