Not a random cyber attack

It looked so innocuous, masquerading as an official Facebook notification. It was about an alleged violation of one of their community guidelines. Naturally I then reviewed this notification from FB and found that the allegation was not true. I then went to click on “disagree” to reject it.

The moment I clicked “disagree” to the alleged spamming post, Facebook started to behave abnormally and began a shutting-down process. That was the moment of realization that it was a cyber-attack. I was logged out of my Facebook account and the attacker had gotten control of this account.

An acquaintance was then informed in the wee hours of the morning about this cyber-attack. He quickly sprang into action and contacted Facebook Help Centre to fill in a report on the cyber-attack. At the same time, he requested that the account be locked immediately. This was because I was also helping as admin for his Facebook accounts.

This helps prevent the attacker from causing serious damage and using my account to launch cyber-attacks on other linked accounts.

Once the FB account was confirmed locked by Facebook, it took the bite out of this attacker, and the account was then under control.

The attack happened around 11:30 pm on 6-10-22 and the report to Facebook Help Centre was made at 7:25 am on 7-10-22.

Attack on Facebook account

Image#1 – Facebook sign in at 4:39 am on 7-10-2022
Image#2 – After Facebook sign in, removal of recovery phone at 9:12 am on 7-10-2022
Image#3 – Reset password at 9:12 am on 7-10-2022
Image#4 – Facebook security check at 9:44 am on 7-10-2022
Image#5 – Password changed alert at 10:04 am on 7-10-2022
Image#6 – Facebook password reset code at 1:35 pm on 7-10-2022
Image#7 – Password reset at 1:38 pm on 7-10-2022
Image#8 – Facebook alert at 1:43 pm on 7-10-2022
Image#9 – Facebook reset using HP number at 3:17 pm on 7-10-2022. This is my request.
Image#10 – Facebook password reset code at 3:27 pm on 7-10-2022.
Image#11 – Facebook alert on password reset at 3:28 pm on 7-10-2022.
Image#12 – Facebook password reset code at 3:50 pm on 7-10-2022.
Image#13 – Facebook sign in alert at 3:51 pm on 7-10-2022.
Image#14 – Facebook password reset alert at 3:55 pm on 7-10-2022.
Image#15 – Facebook password reset alert at 4:20 pm on 7-10-2022.
Image#16 – Facebook password reset code at 4:38 pm on 7-10-2022.
Image#17 – Facebook password reset alert at 4:40 pm on 7-10-2022. This Honor 8A is not mine.
Image#18 – Facebook password reset code at 4:50 pm on 7-10-2022.
Image#19 – Facebook password reset code at 10:44 pm on 7-10-2022. This password was requested by me.
Image#20 – Facebook password reset alert at 1:16 pm on 8-10-2022. This Honor 8A device changed the FB password again.
Image#21 – Request for Facebook password reset code at 7:40 pm on 8-10-2022.
Image#22 – Request for Facebook password reset by me at 1:16 am on 9-10-2022.

Timeline and activities relating to Facebook attack

The above 22 images show the various activities carried out by the attacker and countered by me to recover the account and to secure it for good.

It started with Facebook sign in at 4:39 am on 7-10-2022 by using my Google account (Image#1).

He then removed my recovery HP number (Image#2).

Following my report to Facebook Help Centre regarding the hacked account, I was given a sign in code to get back into my account (Image#3).

I was able to sign back in with this code. But after I logged out, I could not sign in again with the Facebook sign in code despite many attempts.

After the account had been locked for some time, the attacker managed to sign in again at 1:16 am on 8-10-2022 using his Huawei Honor device.

Later, after all the strict verification of my personal details by the Facebook Help Team, I was given a code to sign in again, and my Facebook account remains signed in all the time.

It remains signed in on my desktop computer, as I found out that using Facebook on my HP devices has bugs that are linked to this attacker.

Attack on my Google accounts simultaneously

Attack on account#1

Around the same time period, a cyber-attack was started on my Google accounts under the cover of the attack on the Facebook account. These Google accounts are active email accounts used for all my online correspondence. Two email accounts are particularly active and sensitive accounts.

The device used was a MAR-LX2 that was identified as having signed in for the first time into the first Google account on Oct 7 (Image#1). It is time-stamped Oct 7, 21 hours ago.

Image#1 – Attacker sign-in using MAR-LX2 HP model on account#1.
Image#2 – The presence of the attacker’s MAR-LX2 in account#1.
Image#3 – The attacker signing in at 10:17 pm on 7-10-22.
Image#3A – Attacker setting up Google account on his Nova 4e HP at 1:05 am on 8-10-22.
Image#4 – Notification alerts on account#1 sent to account#2.

Timeline and activities

Step #1 – Sign-in at 10:17 pm on 7-10-22.

Step #2 – The password for account#1 was changed at 10:34 pm on 7-10-22.

Step #3 – Sign in again to install Google.

Image#5 – Snapshot of activities on 7-10-22 to 8-10-22 as recorded by Google in account#1 security panel.

The above Image#5 shows the activities as recorded in the account#1 security panel. The timing of the activities runs from 10:17 pm on 7-10-22 till 1:36 am on 8-10-22.

After signing in, he changed the recovery email to account#2 at 10:27 pm on 7-10-22.

His Nova 4e model was changed to show as a Huawei P30 lite, as the P30 lite is a model used by me. This was to trick me into thinking that it was me when reviewing the security panel.

He signed in again using a different device, Windows, at 1:04 am on 8-10-22 to install Google, as seen in Image#3A.

At 1:36 am on 8-10-22, he signed in and turned on the 2-step verification feature (2FA) to stop my access to this account#1.
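The sequence the post reports for account#1 (a sign-in from a device the owner does not recognise, then the recovery contact changed, the password changed and 2FA turned on, all within a few hours) is the classic lockout pattern of an account takeover. The following is an added example, not code from the post or from Google: a small Python detector that runs over a constructed audit log modelled on the timings above. The log line format, the `device_id` field, the `detect_takeover` helper and the sample values are all assumptions made for this illustration. It keys on a stable device identifier rather than the display name, because the post shows the attacker renaming his device to look like the owner's P30 lite.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions an attacker typically performs right after a new-device sign-in
# to lock the legitimate owner out (the sequence the post describes).
LOCKOUT_ACTIONS = {"recovery_contact_changed", "password_changed", "2fa_enabled"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime        # when the event happened
    action: str         # "sign_in" or one of LOCKOUT_ACTIONS
    device_id: str      # stable session/device identifier (assumed field), not the editable model name
    device_name: str    # display name as shown in the security panel; an attacker can rename it


def parse_log(lines):
    """Parse constructed 'ISO-timestamp|action|device_id|device_name' lines into sorted events."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, action, device_id, device_name = (f.strip() for f in line.split("|", 3))
        events.append(AuditEvent(datetime.fromisoformat(ts), action, device_id, device_name))
    return sorted(events, key=lambda e: e.ts)


def detect_takeover(events, known_device_ids, window=timedelta(hours=4), min_actions=2):
    """Flag the takeover pattern: a sign-in from a device_id not in known_device_ids,
    followed within `window` by at least `min_actions` distinct lockout actions from
    that same device_id. Returns a list of (sign_in_event, sorted action names)."""
    alerts = []
    for i, e in enumerate(events):
        if e.action != "sign_in" or e.device_id in known_device_ids:
            continue
        actions = set()
        for later in events[i + 1:]:
            if later.ts - e.ts > window:
                break  # events are sorted, so nothing later can fall inside the window
            if later.device_id == e.device_id and later.action in LOCKOUT_ACTIONS:
                actions.add(later.action)
        if len(actions) >= min_actions:
            alerts.append((e, sorted(actions)))
    return alerts


# Constructed sample log: the first four lines mirror the attacker timings the post
# reports for account#1; the device name is spoofed to match the owner's model, and
# the last two lines are a legitimate owner password change from a known device.
SAMPLE_LOG = """
2022-10-07T22:17:00|sign_in|dev-unknown-01|Huawei P30 lite
2022-10-07T22:27:00|recovery_contact_changed|dev-unknown-01|Huawei P30 lite
2022-10-07T22:34:00|password_changed|dev-unknown-01|Huawei P30 lite
2022-10-08T01:36:00|2fa_enabled|dev-unknown-01|Huawei P30 lite
2022-10-10T03:31:00|sign_in|dev-owner-01|Windows
2022-10-10T03:31:30|password_changed|dev-owner-01|Windows
""".strip().splitlines()

OWNER_DEVICES = {"dev-owner-01", "dev-owner-02"}  # assumed allow-list of the owner's device ids


def run_demo():
    """Return the alerts raised on the constructed log."""
    return detect_takeover(parse_log(SAMPLE_LOG), OWNER_DEVICES)


if __name__ == "__main__":
    for sign_in, actions in run_demo():
        print(f"TAKEOVER? sign-in {sign_in.ts} from {sign_in.device_id} "
              f"({sign_in.device_name!r}) followed by {', '.join(actions)}")
```

The owner's own password change on 10-10-22 is not flagged because it comes from a known device id; the attacker's sequence is flagged even though his device name reads "Huawei P30 lite", which is the point of matching on an identifier the user cannot edit.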

Image#6 – Snapshot of activities on 9-10-22 to 10-10-22 as recorded by Google in account#1 security panel.

The activities shown in Image#6 for 9-10-22 to 10-10-22 make it confusing to know whether it is the attacker or myself just by looking at the devices. So we look at the various activities in detail below:

Image#8 – 1:37 pm on 9-10-22
Image#9 – 10:47 on 9-10-22
Image#10 – 3:09 am on 10-10-22

Image#8 – Attacker changed the recovery email at 1:37 am on 8-10-22. The recovery email was verified, and the recovery email was changed to account#2, to which he now has access as well.

Image#9 – Password was changed by Windows (the attacker) at 10:47 on 9-10-22.

Image#10 – At 3:09 am on 10-10-22, the password was changed again to prevent access. However, the password was changed by me at 3:31 am on 10-10-22 (see image#6).

Image#7 – Snapshot of activities on 11-10-22 to 12-10-22 as recorded by Google in account#1 security panel.

Image#7 – On the morning of 11-10-22, from 10:00 am till 10:13 am, I visited account#1 again to make sure that all the attacker’s changes to my Google security settings were reversed. From there on, there is always a path for me to recover my account with the various 2FA features that are not reversible by the attacker.

Image#11 – 3:31 am on 10-10-22
Image#12 – 4:28 am on 10-10-22

From 4:28 am on 10-10-22 to 7:32 am, all these activities were performed by me to secure my account further (see Image#6).

Image#13 – 9:58 am on 11-10-22
Image#14 – 10:13 am on 11-10-22
Image#15 – 4:06 am on 12-10-22

Image#13 – At 9:58 am on 11-10-22, my account was recovered. See Image#7 also.

Image#14 – At 10:13 am on 11-10-22, I had to change the password again to prevent the attacker’s re-entry. See Image#7 also.

Image#15 – At 4:06 am on 12-10-22, I knew that my account#1 would not be lost, and I could sleep peacefully without a worry. See Image#7 also.

Image#8 – Overview of all email alerts for the tussle for control of account#1

Image#8 shows an overview of all the email alerts sent by Google over the tussle for control of the account.

Attack on account#2

The second device was only identified as Android model and was signed into the second Google account 22 hours ago.

#2-Image#1 – Presence of MAR-LX2 in account#2
#2-Image#2 – Android HP accessing my account#2
#2-Image#3 – Attacker had already gained access in order to verify this email.
#2-Image#4 – Huawei Nova 4e sign in at 3:46 am on 12-10-22

#2-Image#1 – Shows the presence of MAR-LX2 signing in on 7-10-22, about one hour later than account#1. As this image was produced much later and after I signed out all devices, the time and date are lost.

#2-Image#2 – However, the Android MAR-LX2’s first sign in time was captured and is shown here.

#2-Image#3 – At 1:08 am on 8-10-22, the attacker could access this account#2 email to do the verification.

#2-Image#4 – Shows that the attacker could still gain access by signing in at 3:46 am on 12-10-22. See #2-Image#1.

#2-Image#5- Google alerts for account#2

#2-Image#5 – Shows there were 4 alerts at 1:08 am on 8-10-22. These alerts were for changing/adding the account#1 recovery email to make this account’s email the recovery email. See #2-Image#3.

#2-Image#6 – Google alerts on 12-10-22 and 13-10-22

#2-Image#6 – Shows the attacker signing in with the Huawei Nova 4e at 3:46 am on 12-10-22 and granting Windows access to this account#2 at 4:05 am on 12-10-22.

#2-Image#6 – At 12:15 pm on 13-10-22, the attacker wanted to access another account’s email so he could receive codes and read messages. See #2-Image#7.

#2-Image#7 – To attack another account at 12:15 pm on 13-10-22
#2-Image#8 – Google security panel of activities from 8-10-22 to 9-10-22
#2-Image#9 – Google security panel of activities from 9-10-22 to 10-10-22
#2-Image#10 – Google security panel of activities from 11-10-22 to 12-10-22
#2-Image#11 – New sign in at 4:58 am on 10-10-22
#2-Image#12 – Add authenticator at 5:01 am on 10-10-22
#2-Image#13 – 2-step verification codes at 5:02 am on 10-10-22
#2-Image#14 – New sign in at 5:08 am on 10-10-22
#2-Image#15 – Windows granted access at 7:27 am on 10-10-22
#2-Image#16 – Contact email changed at 7:29 am on 10-10-22

#2-Image#11 to #2-Image#16 were done by me to secure my account with countermeasures, to close any gaps through which the attacker could gain access.

Attack on account#3

This account#3 was compromised without me realizing it at the beginning, as it is used to link to my Facebook account.

3image#1 – This is the attacker sign in at 1:03 am on 8-10-22
3image#2 – Sign in to install Google on his device at 1:04 am on 8-10-22

From 3image#1 and 3image#2, we can see that the attacker had already gained access to this account before he decided to install Google on his device to attack this account.

Account #3 – First part of flurries of activities of this account from 7-10-22 to 10-10-22
Account #3 – Third part of flurries of activities of this account from 10-10-22 to 12-10-22
Account #3 – Fourth part of flurries of activities of this account from 12-10-22 to 15-10-22

Eventually I managed to kick the attacker out of this account#3. With persistent monitoring of this account#3, we will make sure that whatever method he still has to gain access is identified and removed.


daves
