Not a random cyber attack
It looked so innocuous, masquerading as an official Facebook notification about an alleged violation of one of their community guidelines. Naturally I reviewed this notification from FB and found that the allegation was not true, so I went to click on “disagree” to reject it.
The moment I clicked “disagree” on the alleged spamming post, Facebook started to behave abnormally and began a shutdown process. That was the moment I realized it was a cyber-attack. I was logged out of my Facebook account and the attacker had gained control of it.
An acquaintance was informed in the wee hours of the morning about this cyber-attack. He quickly sprang into action and contacted the Facebook Help Centre to file a report on the cyber-attack, and at the same time requested that the account be locked immediately. This was because I was also helping as an admin for his Facebook accounts.
Locking the account helps prevent the attacker from causing serious damage and from using my account to launch cyber-attacks on other linked accounts.
Once Facebook confirmed the FB account was locked, it took the bite out of the attacker and the account was back under control.
The attack happened around 11:30 pm on 6-10-22 and the report to the Facebook Help Centre was made at 7:25 am on 7-10-22.
Attack on Facebook account
Timeline and activities relating to the Facebook attack
The 22 images above show the various activities carried out by the attacker and the countermeasures I took to recover the account and secure it for good.
It started with a Facebook sign-in at 4:39 am on 7-10-2022 using my Google account (Image#1).
He then removed my recovery HP (handphone) number (image#2).
Following my report to the Facebook Help Centre regarding the hacked account, I was given a sign-in code to get back into my account (image#3).
I was able to sign back in with this code. But after I logged out, I could not sign in again with a Facebook sign-in code despite many attempts.
After the account had been locked for some time, the attacker managed to sign in again at 1:16 am on 8-10-2022 using his Huawei Honor device.
Later, after strict verification of my personal details by the Facebook Help Team, I was given a code to sign in again, and my Facebook account now remains signed in all the time.
It remains signed in on my desktop computer, as I found that using Facebook on my HP devices has bugs that are linked to this attacker.
Attack on my Google accounts simultaneously
Attack on account#1
Around the same time, a cyber-attack was started on my Google accounts under the cover of the attack on the Facebook account. These Google accounts are active email accounts used for all my online correspondence. Two of the email accounts are particularly active and sensitive.
The device used was a MAR-LX2, which was identified as having signed in for the first time to the first Google account on Oct 7 (image#1). It is time-stamped Oct 7, 21 hours ago.
Timeline and activities
Step #1 – Sign-in at 10:17 pm on 7-10-22.
Step #2 – The password for account#1 was changed at 10:34 pm on 7-10-22.
Step #3 – Sign in again to install Google
Image#5 above shows the activities as recorded in the account#1 security panel. The activities run from 10:17 pm on 7-10-22 till 1:36 am on 8-10-22.
After signing in, he changed the recovery email to account#2 at 10:27 pm on 7-10-22.
His Nova 4e model was changed to show as a Huawei P30 Lite, as the P30 Lite is a model I use. This was to trick me into thinking it was me when reviewing the security panel.
He signed in again using a different device, Windows, at 1:04 am on 8-10-22 to install Google, as seen in Image#3A.
At 1:36 am on 8-10-22, he signed in and turned on the 2-step verification feature (2FA) to block my access to account#1.
From the activities shown in image#6 for 9-10-22 to 10-10-22, it is confusing to tell whether it was the attacker or myself just by looking at the devices. So we look at the various activities in detail below:
Image#8 – The attacker changed the recovery email at 1:37 am on 8-10-22. The recovery email was verified and changed to account#2, to which he now also had access.
Image#9 – The password was changed from Windows (the attacker) at 10:47 on 9-10-22.
Image#10 – At 3:09 am on 10-10-22, the password was changed again to prevent access. However, the password was then changed by me at 3:31 am on 10-10-22 (see image#6).
Image#7 – On the morning of 11-10-22, from 10:00 am till 10:13 am, I visited account#1 again to make sure that all the attacker’s changes to my Google security settings were reversed. From then on, there was always a path for me to recover my account via the various SFA features that the attacker cannot reverse.
From 4:28 am to 7:32 am on 10-10-22, all these activities were performed by me to secure my account further (see image#6).
Image#13 – At 9:58 am on 11-10-22, my account was recovered. See also image#7.
Image#14 – At 10:13 am on 11-10-22, I had to change the password again to prevent the attacker re-entering. See also image#7.
Image#15 – At 4:06 am on 12-10-22, I knew that my account#1 would not be lost, and I could sleep peacefully without worry. See also image#7.
Image#8 shows an overview of all the email alerts sent by Google over the course of the tussle for control of the account.
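The account#1 timeline above follows a recognisable takeover pattern: a never-seen device signs in, and within hours the recovery email is swapped, the password is changed and 2-step verification is switched on under the attacker's control, while the device label is made to look like one of the owner's own devices. The Python script below is an added example, not from the original post and not any provider's tooling. It reconstructs that timeline from constructed security events and flags those indicators. The event fields (ts, device_id, model, event, detail), the trusted-device list and the six-hour window are assumptions; in particular it assumes a stable device identifier separate from the self-reported model name, which a security panel that shows only the model name (as in the post) does not give you.

```python
"""
Added example (not from the original post): flag account-takeover
indicators in a list of account security events modelled on the
account#1 timeline. All events, device identifiers and field names
below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Settings changes that lock the legitimate owner out when an attacker makes them
SENSITIVE = {"recovery_email_changed", "password_changed",
             "2sv_enabled", "recovery_phone_removed"}

# Devices the owner knows they use: device_id -> model name (constructed)
TRUSTED = {"dev-owner-p30": "Huawei P30 Lite", "dev-owner-desktop": "Windows"}

# Constructed events, in the same order of actions as the post's account#1 timeline
EVENTS = [
    {"ts": "2022-10-07 22:17", "device_id": "dev-new-01", "model": "MAR-LX2",
     "event": "sign_in", "detail": "first sign-in from this device"},
    {"ts": "2022-10-07 22:27", "device_id": "dev-new-01", "model": "MAR-LX2",
     "event": "recovery_email_changed", "detail": "set to account#2"},
    {"ts": "2022-10-07 22:34", "device_id": "dev-new-01", "model": "MAR-LX2",
     "event": "password_changed", "detail": ""},
    {"ts": "2022-10-08 01:04", "device_id": "dev-new-02", "model": "Windows",
     "event": "sign_in", "detail": "first sign-in from this device"},
    # same device as dev-new-01, now reporting the owner's model name
    {"ts": "2022-10-08 01:36", "device_id": "dev-new-01", "model": "Huawei P30 Lite",
     "event": "2sv_enabled", "detail": ""},
    {"ts": "2022-10-10 03:31", "device_id": "dev-owner-p30", "model": "Huawei P30 Lite",
     "event": "password_changed", "detail": "owner regains control"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def find_indicators(events, window=timedelta(hours=6)):
    """Return (timestamp, finding) tuples, oldest first.

    Three indicators are raised:
      1. a sign-in from a device not in the trusted list, seen for the first time;
      2. a sensitive settings change by such a device within `window` of its
         first sign-in;
      3. an untrusted device reporting a model name that matches a trusted device.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first_seen = {}  # untrusted device_id -> datetime of first sign-in
    findings = []
    for e in events:
        t, dev = parse_ts(e["ts"]), e["device_id"]
        if dev in TRUSTED:
            continue  # owner's own device; nothing to flag
        if e["event"] == "sign_in" and dev not in first_seen:
            first_seen[dev] = t
            findings.append((t, f"new device {dev} ({e['model']}) signed in"))
        elif e["event"] in SENSITIVE and dev in first_seen \
                and t - first_seen[dev] <= window:
            findings.append((t, f"{e['event']} by {dev} within {window} of its first sign-in"))
        if e["model"] in TRUSTED.values():
            findings.append((t, f"{dev} reports model '{e['model']}' matching a trusted device"))
    return findings


def takeover_suspected(findings):
    """True when a new device both signed in and made a sensitive change."""
    return any("signed in" in f for _, f in findings) and \
        any("within" in f for _, f in findings)


if __name__ == "__main__":
    for t, f in find_indicators(EVENTS):
        print(t.strftime("%Y-%m-%d %H:%M"), f)
    print("takeover suspected:", takeover_suspected(find_indicators(EVENTS)))
```

Run against the constructed events, the script reports the MAR-LX2 sign-in, the three lock-out changes it made, the Windows sign-in, and two model-name collisions, while the owner's own password change on 10-10-22 is not flagged. The model-name check is what would have exposed the Nova 4e relabelled as a P30 Lite, but only because the example assumes a device identifier that does not change with the label; without one, the sign-in time relative to the first-seen sign-in is the more reliable clue.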
Attack on account#2
The second device was only identified as an Android model and had signed into the second Google account 22 hours ago.
#2-image#1 – Shows the presence of the MAR-LX2 signing in on 7-10-22, about one hour later than on account#1. As this image was produced much later, after I signed out all devices, the time and date are lost.
#2-image#2 – However, the first sign-in time of the Android MAR-LX2 was captured and is shown here.
#2-image#3 – At 1:08 am on 8-10-22, the attacker could access this account#2 email to do the verification.
#2-image#4 – Shows that the attacker could still gain access by signing in at 3:46 am on 12-10-22. See #2-image#1.
#2-Image#5 – Shows there were 4 alerts at 1:08 am on 8-10-22. These alerts were for changing/adding the account#1 recovery settings to make this account’s email the recovery email. See #2-image#3.
#2-Image#6 – Shows the attacker signing in with the Huawei Nova 4e at 3:46 am on 12-10-22 and granting Windows access to account#2 at 4:05 am on 12-10-22.
#2-Image#6 – At 12:15 pm on 13-10-22, the attacker wanted to access another account’s email so he could receive codes and read messages. See #2-Image#7.
#2-Image#11 to #2-Image#16 – These steps were taken by me to secure my account with countermeasures to close any vulnerabilities the attacker could use to gain access.
Attack on account#3
This account#3 was compromised without me realizing it at the beginning, as it is used to link to my Facebook account.
From 3image#1 and 3image#2, we can see that the attacker had already gained access to this account before he decided to install Google on his device to attack it.
Eventually I managed to kick the attacker out of account#3. With persistent monitoring of account#3, we will make sure that whatever method he still has to gain access is identified and removed.