Facebook phishing ads harvest over 615,000 user credentials

Over recent years, hackers and cyber criminals have employed new and increasingly sophisticated tactics in an attempt to exploit their victims. Some of these are elaborate manipulations of specific vulnerabilities, while others take a more traditional phishing approach. The latter is both the most common and the most effective.

In general, phishing scams tend to bait victims into clicking malicious links, taking them to fake landing pages and in turn harvesting their credentials. They may also try to steal or encrypt files as part of a ransomware scam.

A recent phishing campaign that stole over 615,000 Facebook user credentials has compromised mobile numbers, Facebook login details, email IDs, passwords, names and IP addresses. If the user had credit card information or a home address on their account, it is likely that the hackers would have that information as well.

The hackers redirected the users who clicked on the ads to a GitHub phishing page that resembled Facebook’s landing page. The campaign was spotted in Asian countries such as Malaysia, the Philippines, Nepal and Pakistan, as well as in Egypt, amongst others.

ThreatNix, a cybersecurity research firm based in Nepal:

“The campaign is using localized Facebook posts and pages spoofing legitimate entities and targeted ads for specific countries. Links within these posts then redirected to a static GitHub page website that contained a login panel for Facebook. All these static GitHub pages forwarded the phished credentials to two endpoints, one to a Firestore database and another to a domain owned by the phishing group.”

The hackers used legitimate companies as a cover for their ads. One example found by researchers was supposedly from Nepal Telecom, offering 3GB data for free. As the victims clicked the link they were redirected to a GitHub page where they were asked to input their login details for Facebook.

To bypass Facebook’s detection, they used shortened URLs that originally pointed to a non-malicious page. Once the page was approved, these shortened URLs were modified to redirect the victim to a phishing landing page.
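A short link that is re-pointed after approval, as described above, can be caught by recording each link's final destination when it is approved and re-resolving it later. The sketch below is an added example, not code from ThreatNix or this article; the function names, the sample URLs and the `.github.io` suffix list are assumptions, and the resolver is passed in as a callable so the constructed sample runs offline.

```python
from urllib.parse import urlsplit

# Assumption: suffixes of hosts serving user-controlled static sites.
# The article names GitHub-hosted pages; extend the tuple for other hosts.
STATIC_HOSTING_SUFFIXES = (".github.io",)


def host_of(url):
    """Lower-cased hostname of a URL, or "" if it is missing or unparsable."""
    return (urlsplit(url or "").hostname or "").lower()


def check_drift(baseline, resolve):
    """Flag short links whose final host differs from the approved one.

    baseline: {short_url: final URL recorded when the link was approved}
    resolve:  callable(short_url) -> final URL now, or None if it no longer resolves
    """
    findings = []
    for short_url, approved_url in baseline.items():
        old_host = host_of(approved_url)
        new_host = host_of(resolve(short_url))
        if new_host == old_host:
            continue  # same site (a path change alone is not flagged)
        findings.append({
            "short_url": short_url,
            "approved_host": old_host,
            "current_host": new_host or None,  # None: link no longer resolves
            "static_hosting": new_host.endswith(STATIC_HOSTING_SUFFIXES),
        })
    return findings


# Constructed sample data (not from the campaign): destinations at approval time...
BASELINE = {
    "https://short.example/a1": "https://www.telecom.example/offers",
    "https://short.example/b2": "https://news.example/story",
    "https://short.example/c3": "https://shop.example/sale",
}
# ...and where the same links resolve on a later re-check.
CURRENT = {
    "https://short.example/a1": "https://constructed-sample.github.io/login",
    "https://short.example/b2": "https://news.example/story?ref=ad",
}


def run_sample():
    return check_drift(BASELINE, CURRENT.get)
```

In production the `resolve` callable would follow the redirect chain with an HTTP client; a finding with `static_hosting` set is the pattern this campaign used and deserves review first.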

“Following some digging we were able to gain access to those phished credentials. At the time of writing this post, there appear to be more than 615,000 entries and the list is growing at a rapid pace of more than 100 entries per minute.”

Researchers – ThreatNix

Unfortunately, these phishing scams are all too common. A similar scam impersonating the video communications giant Zoom has also recently been circulating on the internet.

Victims receive an email, text or some other form of social media message that appears to be from Zoom itself, stating that their account has been suspended in some way or that they have missed an important meeting, inducing panic in the victim.

This is a very common tactic, used by these hackers to make the victim act quickly and without thought, tempting them to click the link embedded in the message in order to fix whatever problem there is with their account.

As is expected in these attacks, the link redirects the user to a very convincing (but fake) landing page, in which the hackers steal victims’ credentials.

2020 saw enormous increases in phishing and cybercrime activity. 2021 does not look to be reversing this trend. Educate your users before the hackers do it for you.

Does everybody in your organisation know how to spot phishing emails such as these? Find out in our Free Click-Prone® Test today.