Threat Research

Thus spoke the Beninese: scammers hijacking Facebook chat

By Karine de Ponteves | January 27, 2012

Wasn't it to my surprise when a friend's son hit me up yesterday on Facebook chat. We don't usually chat so I was curious as to what was going on.

Although he 1st asked how I was, he quickly said he needed help to post an ad on a popular french classifieds website, Although suspicion rose immediately, as a security researcher, I was very curious to see where this was going to lead.

The ad is for a car, and although he tells me to list the required fields so that he can give me all the requested information, my friend seems to have his text all prepared. He seems to be rather pasting chunks of text, with fields I haven't even mentionned.

Giving me fields I haven't mentionned.

When I ask why the car is being sold in a totally different area from ours (800km away), he says it is for his aunt. I don't want to question him too much, so I just keep on copying the information he is giving me. He gives me an email address, a phone number, links to pictures of the car, and a password for the ad. At this point, I'm not sure what his motives are. It is probably a false ad with hopes of getting the money for this non-existent car, but why would he need me to post it for him? Is his IP address blocked from the website? Or is this a way of trying to hide his traces? As he's given me a password, it is certainly not a way to try to get any of the passwords I might commonly use on the Internet.

The classified's vendor details.

When I validate the ad, an email with a confirmation link is sent to the address I have provided. My friend copy/pastes the url into Facebook chat so that I can confirm. He asks me to copy/paste the message from the website to ensure I have really validated.

Asking me to prove I have validated the ad.

This guy seems to not want to waste much time. He is giving short and clear directions on what to input, how to download the pictures. Not once does he say "please" or "thanks", or tries to make a bit of conversation. When I ask why he needs me to post the ad for him, he first eludes the question, but when I insist he eventually says it's because the website won't show on his computer. Then out of nowhere he asks whether I've seen the "new Facebook". It's pretty obvious I have as I have the new Timeline on my profile, and oh, so does he!

Link to the "new Facebook".

Of course, it is a phishing site to steal user credentials so that he can later hijack more Facebook profiles. This site does not even try to look like the real Facebook. It is called "Facebook L0ve", and yes, with a '0' instead of a capital 'O'.

The new Facebook L0ve.

Now at the lab we're curious to find out where this guy is. So we lure him into a "hot" MSN chat while we quickly set-up a webserver with photos for him to visit so that we can get his IP address and geolocalize it. Needless to say the MSN ID he gives me is another different email address, one he most probably uses to pass as a pretty girl to lure men into a fake romance!

As it turns out, our foe is in Benin, and it is not the 1st recorded scam of this type coming from there. So if a "friend" hits you up to post an ad for him/her, or asks you to click on a link:

  • Make sure it is really your friend, by asking for example if it is sunny in Alaska (and they normally live in Florida)
  • Tell your real friend their profile has been hijacked and they need to inform Facebook about it
  • Report the scam to your local Internet Complaint Center (USA:, France:
  • Report the fake ad to the website (

Join the Discussion