Security researchers are warning about Facebook hoax scams that spread fake terror news to trick victims into disclosing their Facebook credentials.

People target Facebook and other social media services to gain access to your profile for identity theft. They typically change your password and shut you out, and if you use the same password for your email, banking, etc., you have pretty much lost control over everything.

The scam starts with a compromised user account sharing or commenting on the status of a terrorist attack. The victim’s friends are tagged in this comment as well. When a user clicks on this hoax, he or she is redirected to a phishing webpage that requests his or her Facebook credentials to proceed to a site with more information about the incident. If the user enters the credentials (be they genuine or not), they are redirected to another fake Facebook page.

As with other tragic events, such as the crash of Malaysia Airlines Flight 370, the Boston marathon attack or recent terrorist attacks in Europe, these incidents become an opportunity for criminals to trick victims with social engineering techniques.

“Facebook users often share stories without actually reading them. Scam campaigns, if designed to be emotionally appealing, fare surprisingly well because of our unfortunate behaviour.”

Facebook has started to block the phishing Facebook pages used in this campaign and ESET security products block phishing webpages connected to this scam along with other domains registered by the same person.

If you think you might have been tricked into sharing your Facebook credentials, we recommend that you change your password. And, of course, if you have been using the same password for multiple services, change the password wherever applicable, and put a stop to the extremely risky practice of sharing one password across services.