Watch out for this password-stealing Facebook hack that's hitting iOS and Android users

A phishing campaign has been spotted spreading via Facebook Messenger and targeting users across Europe including Germany, Sweden and Finland, security experts have warned.

Frederic Vila, security researcher with Helsinki-based F-Secure, said Monday (30 October) that a redirection technique was being used by criminals to send users to a malicious phishing page. The ultimate aim was to steal the passwords of victims on both iOS and Android.

Links were sent posing as YouTube videos, but hackers used URL shorteners including "po.st" and "utm.io" to hide the locations of where users would end up.

Based on forensic analysis of the link data over a two-week period, the scheme was launched on 15 October and has reached 200,000 clicks in total.

According to F-Secure, the operation expanded as more passwords were scooped up – with hackers also taking advantage of the hacked accounts for ad fraud.

Vila wrote: "Cybercriminals used those stolen credentials to spread the malicious links, and subsequently gather more credentials.

"While in the process of stealing the credentials, the cybercriminals also attempted to earn from other non-iOS and non-Android users through ad-fraud."

The expert said that such phishing schemes are made worse, in part, because Facebook lets those on the platform use a general email address as a username.

Vila said: "Just by launching this Facebook phishing campaign, [hackers] harvest email and password credentials that are later on used for secondary attacks such as gaining access to other systems or services that could have a bigger monetary value.

"We highly recommend the affected users to change their passwords as soon as possible, including other systems and services where the same compromised password was used."

It's not the first time phishing scams have been caught spreading via the popular social network.

In late August this year, security experts from Russia's Kaspersky Lab found cybercriminals were using the Messenger service to circulate malicious links to "advanced" forms of adware.