My Wife's Facebook got Hacked

On April 20th 2022, my wife's Facebook account was hacked. The attacker also got access to company accounts that my wife administer on FB, spending the entire advertisement budget.

Not very interesting, but the method by which they gained access is new to me. Before founding Forskerfabrikken (Scientist Factory), my wife ran a one-person business under the domain commsci.no. That is many years ago, and it was at that time she created her Facebook account using her e-mail address hsf@commsci.no.

Some years later, she decided to leave her old business behind, and discarded the domain. She added her new e-mail address to Facebook. I'm not on Facebook, so I don't know how it works, but for some reason they kept her old address. And that's how the attacker got in.

First, they registered her old domain commsci.no. Here are the details from whois:

NORID Handle...............: COM3372D-NORID Domain Name................: commsci.no Registrar Handle...........: REG1071-NORID Tech-c Handle..............: BB50R-NORID Name Server Handle.........: NSDO3461H-NORID Name Server Handle.........: NSDO3462H-NORID Additional information: Created: 2022-04-19 Last updated: 2022-04-19

NORID Handle...............: BB50R-NORID Name.......................: Bee Bee Registrar Handle...........: REG1071-NORID Country....................: NO Phone Number...............: +47.23231010 Email Address..............: ginag@executivecare.biz Additional information: Created: 2022-04-19 Last updated: 2022-04-19

Then they made sure it would receive e-mails, and nothing else. DNS-information:

commsci.no. 3600 IN NS ns81.domaincontrol.com. commsci.no. 3600 IN NS ns82.domaincontrol.com. commsci.no. 3600 IN SOA ns81.domaincontrol.com. dns.jomax.net. 2022041960 28800 7200 604800 600 commsci.no. 3600 IN MX 10 mx1.forwardemail.net. commsci.no. 3600 IN MX 10 mx2.forwardemail.net. commsci.no. 3600 IN TXT "v=spf1 a mx include:spf.forwardemail.net -all" commsci.no. 3600 IN TXT "forward-email=chrishau19@gmail.com"

And finally, they made Facebook send a recovery code to the old e-mail address now under their control, and used the code to log in to Facebook. This is the notification my wife got from Facebook to her current e-mail address:

The IP address 82.180.145.164, which was used to contact Facebook, is operated by Packethub S.A., and owned by M247 Ltd. It is considered a high-risk address for fraud.

As of this writing, my wife is still locked out. Although Facebook let her reset her password, the attacker set up two-factor authentication on her account. It has yet to be removed.

Final note to self: Never discard a domain that has been used for e-mail.