Cybercriminals are using the news of Facebook's $100 million grant for small businesses as bait to steal sensitive information from unsuspecting users, cybersecurity firm Kaspersky has warned.
After the pandemic hit economies around the world badly, Facebook in March announced its plan to offer $100 million in cash grants and ad credits to help small businesses during this challenging time.
However, just as the news was picked up by media outlets, malicious users started exploiting the bait, Kaspersky said in a blog post.
"Cybercriminals are always on the lookout to take advantage of the ongoing situation while playing with the user's psyche. The attack here is not directly made on any organisation but is yet successful in stealing important data that is voluntarily shared by the users due to lack of cyber awareness," Dipesh Kaura, General Manager, Kaspersky (South Asia), said in a statement.
"This method of targeting the users would have needed minimum or zero investment by the cybercriminal, while gaining a maximum amount of sensitive data that can then be sold on the dark web to earn huge money."
Simple trick, huge risk
The trick the cybercriminals used was simple. Scammers presented the news as if Facebook was handing out money to all of the social network's users who had been affected by COVID-19.
Samples detected by Kaspersky indicate that potential victims viewed an article -- seemingly from a prominent media outlet -- claiming Facebook is giving grants to users hit by COVID-19, along with a link to apply for the grant.
The potential victims, having clicked on the 'news' link, were taken to another charity-related portal.
Its URL does not contain facebook.com, so it clearly has nothing to do with Facebook.
Nevertheless, to accept the application, the site requires a lot more information, such as the victim's address, social security number (for US citizens), and even a scan of both sides of a piece of ID, supposedly to verify the account.
When the form is submitted, the site displays a confirmation message that the application has been accepted.
While, of course, this results in no grants being given away, the collected information allows the scammers to gain access to their victims' Facebook accounts and this can be used in a variety of malicious ways.
For example, it can be used to trick a person's friends and ask them for money, or even to steal someone's identity.
"We urge users to be very careful while they are online and check the URLs of the sites you visit, paying attention to grammar on the web page. Installing a reliable security solution will also help consumers further in staying secure," Kaura said.
(With inputs from IANS)