Skip to content
For some months, millions of Facebook users have been fooled by the same phishing fraud that cons users into handing over their account credentials.
One well put together phishing message sent via Facebook Messenger caught 10m Facebook users – & counting.
According to a report outlining the phishing campaign, the fraud is still active & continues to direct victims to a fake Facebook login page, where victims are invited to submit their Facebook credentials. Unconfirmed estimates suggest nearly 10m users fell victim to the fraud, earning a single crook behind the phishing ploy a large amount of money.
Millions Exposed
Comments a report published by researchers at PIXM Security, the phishing campaign began in 2021 & increased in Sept. Researchers think millions of Facebook users were exposed each month by the con. Researchers state that the campaign remains active.
Facebook has not replied to requests for comment for this report.
PIXM explains that the campaign is tied to 1 person located in Colombia. The reason PIXM believes the massive Facebook fraud is tied to a single individual is because each message links back to code “signed” with a reference to a personal website. Researchers state the person went as far as responding to researcher inquiries.
How the Fraud Worked
The heart of the phishing campaign is a fake Facebook login page. It might not look immediately suspicious, as it copies Facebook’s user interface closely.
When a victim enters their credentials & clicks “Log In,” those credentials are sent to the attacker’s server. Then, “in a likely automated fashion,” the authors of the report explained, “the threat actor would login to that account, & send out the link to the user’s Friends via Facebook Messenger.”
Any Friends that then click the link are brought to the fake login page. If they are deceived, then the credential-stealing message is forwarded to their Friends.
Surveys
Post-credential phish, victims are redirected to pages with advertisements, which also in many instances also included surveys. Each of these pages generates referral revenue for the attacker, researchers outlined.
When researchers reached out to the individual taking claim for the phishing campaign the individual “claimed to make $150 for every 1,000 visits to the advertising exit page from the US.”
PIXM estimates nearly 400m US-based page views of the exit page. This, researchers stated, “would put this threat actor’s projected revenue at $59m from Q4 2021 to present.” However, researchers do not believe the criminal is being honest about their earnings, adding they are “probably exaggerating quite a bit.”
Bypassed Security
The originator of this campaign managed to evade the social media platform’s security checks by using a technique that Facebook did not catch, PIXM explained.
When a victim clicks on a malicious link in Messenger, the browser starts a chain of redirects. The 1st redirect points to a legitimate “app deployment” service.
Re-Directed
“After the user has clicked,” the report’s authors explained, “they will be redirected to the actual phishing page. However, in terms of what lands on Facebook, it is a link generated using a valid service that Facebook could not outright block without blocking legitimate apps & links as well.”
Even if Facebook caught on to & blocked any one of these illegitimate domains, “it was trivial & based on the speed we observed, likely automated to spin up a new link using the same service, with a new unique ID. We would often observe several used in a day, per service,” researchers observed.
Hacker’s Own Pages
PIXM commented that it was able to access the hacker’s own pages for tracking the campaigns. The data indicated that nearly 2.8m people fell for the con in 2021 & 8.5m have so far this year.
Researchers concluded, “As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish.”
