How a social engineering hack turned these Facebook pages into a dumping ground for spam

Hannah Shaw, better known as the “Kitten Lady,” teaches people how to care for neonatal cats, and has raised more than $1 million for animal shelters and rescues. Her Facebook page has gained over a million followers since she began making cat content, but she almost lost it all to a social engineering hack that took over access to her Meta business account.

“I built that community for more than a decade. Thinking that I might lose it was pretty devastating,” Shaw said.

Influencers rely on platforms like Facebook, Instagram and YouTube for their income. These sites have evolved from side project enablers to the sole source of income for some content creators. However, bad actors have found ways to also take a piece of the piece from those earning an honest living there. Yes, high-level hackers tend to seek entities with deep pockets, targeting them with highly complicated attacks. But much of the cyber criminality today is social engineering jobs, ripping off mid-level creators with much fewer resources than a multinational corporation, but also significantly less technical know-how.

A creator who goes by Hobby Bobbins — who gained a cult following within her niche of vintage clothing restoration — walked me through how all of this happened to her. The attack occurred in almost the exact same steps that led to Shaw’s account takeover. It started with an interview request from an individual going by Rex Hall, who claimed to be a manager for the show “Podcast and Chill with MacG.” This appears to be a real podcast, although no one named Rex Hall seems to be publicly associated with it. (We reached out to the podcasters to determine if they're aware their brand is being used to perpetrate a social engineering scheme and have not heard back.) "Podcast and Chill" is based in South Africa, and according to its Twitter bio, its purpose is in part for "documenting black excellence.” It doesn’t specifically focus on the topics Shaw or Bobbins cover, like animal wellness or vintage clothing. But influencers receive these requests constantly, the podcast hosts had a digital footprint and "Rex" was able to answer any questions that Bobbins had.

The malicious actor asked their targets to hop on a Zoom call for pre-interview prep, including setting up Facebook Live to bring in revenue. “Everything seemed normal at first, the only odd thing was his camera was not on. But even that is not too odd, a lot of people don’t want to be on camera,” Shaw said. After a labyrinth of back and forth over backend settings, the scammer leads their targets to a backend setting called “datasets.” It’s an obscure page, often used to give people admin access to a business account. But victims thought it was a normal part of setting up for Facebook Live because it does include event management options.

Both Shaw and Bobbins pushed back on the request to access datasets and turned off their screen sharing to avoid giving too much away. But the hackers still got in by insisting they help with setup, saying that they needed to view one seemingly innocuous link. In datasets, creators generated a unique URL that the scammers could use to get into the account. “When he captured that direct URL, it basically generated that email invite for him without ever having to access my email without him even needing to know a password or anything,” Bobbins said. “All he had to do was put in the link and accept the invite and then it automatically added his own personal Facebook to my page.”

After gaining access, "Rex" was able to make themself an admin of the page. With that power, they could remove Bobbins’ ability to log in. Support tickets with Meta sent her in circles trying to get her account back. Bobbins’ lost her way to communicate with her 400,000 followers, and hackers deleted years of content she had dedicated her career to making.

The scammers cleaned the page to make room for bogus links that led to ad-filled sites to generate easy revenue. They put in a list of about 100 blocked words so that followers couldn’t flag to each other that the account had been hacked. “Anybody who commented on my page that said ‘stolen’ or ‘hacked’ or ‘scam’ or whatever would be automatically blocked out. So, none of my other followers could see the people who knew that my account was hacked,” said Bobbins. She lost an unknown number of views and “hundreds of dollars” worth of sales each day that her account had been taken over.

Shaw and Bobbins both went to Meta for help, but it was fruitless. “There is zero support for a problem like this with Facebook,” Bobbins said. Resetting her password went nowhere, because it couldn’t change the admin settings that the hackers had changed. When Bobbins finally figured out how to contact the help desk at Facebook with a support ticket, it was closed out “almost instantly” with no help received, she said. In response to our questions about this attack vector or what they’re doing to help creators keep accounts secure, Meta recommended users implement multifactor authentication and report any issues to its support center. But Shaw and Bottoms both have two-factor authentication turned on, and their accounts still got taken over. Meta did, however, introduce better customer service as a feature in its paid verification package earlier this year, another way social media platforms are charging for security features.

Shaw got her account back in about 72 hours from the initial attack by using her following to find a person who could help, but Bobbins wasn’t as lucky. She’s still struggling with access today, over a month since the hack occurred. She briefly got back in and was able to begin manually reuploading her past content. Beyond that, those who accessed the accounts changed location permissions, turned off messaging capabilities, removed her shop from her page, blocked certain followers and took away her $5 per month subscribers. The web of damage became so widespread, Bobbins created a list of the footprints left by the attacker to help others undo the changes. Since the account takeover, Bobbins has struggled to keep access to her account, with unusual flags on seemingly unwarranted copyright violations and other issues kicking her out.

“There’s no extra step that can be taken right now to protect somebody from the thing that I just went through,” Bobbins said. The only prevention for a crime like this is spreading the word, so that others don't fall for the same social engineering trick. That’s why Shaw is helping bring together more than a dozen of other victims of the same scam to minimize damage and call for greater creator security.

Still, there’s no real solution without the platforms creating major change. Platforms should do a better job of quickly investigating complaints from followers because right now the onus is on the page owners to figure it out, said Eva Velasquez, president and CEO of the Identity Theft Resource Center. While there are a lot of prescribed processes for traditional identity theft, like freezing your credit, there aren’t well-defined practices for social media account takeovers because creators are at the mercy of these platforms.

If you stumble upon what appears to be an account takeover as a follower, Velasquez recommends getting in touch with the creator outside of that specific platform to let them know a hack is occurring. Victims of an account takeover can also alert the Internet Crimes Complaint Center about the incident, but there’s not much else they can do. Or, creators can avoid using the platform altogether. “At this moment in time, I don't recommend that anybody accepts Facebook Live interviews,” Shaw said.