David Jacoby, of IT security firm Kaspersky Lab, claims scammers are posing as Facebook security in chat sessions to try to trick people into providing their credit card information.
He said the phishing attack is “pretty interesting” because it does not try to trick users into visiting a phishing website – it uses stolen information to take over users’ accounts and imitate security operations.
Once an account has been compromised, fraudsters can send out instant messages to the victim’s contacts pretending to be Facebook security, Mr. Jacoby explained.
Users are asked to reconfirm their web addresses by providing name, email, password, security question, email account password, country and birth date details.
They are then transferred to a payment verification page which asks for a full credit card number, expiration date, security code and billing address.
A Facebook spokesman said the company was looking into the report, and protecting website users from spam and malicious content remains a “top priority”.
“We have spent several years developing protections to stop spam from spreading and have sought to cooperate with other industry leaders to keep users and their data safe,” they stated.