A massive ongoing Facebook phishing attack has been reported since October 2021. This can be used to trick millions of users into visiting phishing sites using Facebook and Messenger. Users can be tricked into inputting their account information and seeing advertisement.
These threat actors use techniques to obtain account credentials and hack them to send phishing messages to the victims’ friends. According to PIXM, a New York-based AI-focused business, the attack peaked around Feb-May 2022.
There are no details or findings about the campaign’s beginning. But, starting with Facebook Messenger, the phishing was the result of a series of redirects.
Harm on a massive scale
Although the sources of the attack are unknown, PIXM claims that victims were directed to Facebook phishing landing page via a series of Facebook Messenger redirection.
Researchers were able to extract a part of identical code from the landing pages that provided a link to the seized website. However, no details about the takedown have been published.
Malicious actors used automated systems to deliver more phishing links to the hacked account’s friends. Resulting in a significant increase in stolen accounts.
According to PIXM in a report:
The account of a user would be hacked, and it would very certainly be done automatically. Malicious actors would enter that account and send a link to the user’s Facebook friends through Messenger.
Malicious actors developed a method to get around Facebook’s security against the spread of phishing URLs.
According to analysts, 2.8 million people visited one of the phishing sites in 2021. This statistic increased to 8.7 million in 2022, showing the campaign’s massive growth in the Facebook phishing attack. Despite the shutdown of many of the identified URLs, the campaign is still active, according to Interpol and Colombian police.
A fresh round of redirections starts once the victim sends their credentials on the Facebook phishing landing page. They may go to advertising pages, survey forms, and so forth using the URL. These redirections provide malicious actors the referral revenue, which is believed in the millions of US dollars at this size.
Getting around security measures
As the attackers had more Facebook account data, the more messages were sent out. As a result, attackers used automated systems to deliver the phishing URLs to friends of accounts that had already been compromised. This was how the campaign exploited in popularity over time.
There were at least 409 different usernames detected, each with its own phishing page. There are between 4,000 and 6 million views on the websites.
Scammers were even able to get around the social media’s protection to prevent phishing URLs in messages, which Facebook normally uses. These attacks, on the other hand, used phishing messages to generate valid URLs. The pages were allowed since they masked themselves under legitimate activity.
Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.
