Researchers revealed a large-scale phishing campaign aimed at luring millions of Facebook and Messenger users. Victims are directed to phishing pages, where their credentials are harvested and advertisements are shown to generate revenue.
The phishing scheme
The campaign began in September 2021 and peaked in April–May 2022. The stolen accounts were used to send further phishing messages to the victims' friends, spreading the campaign exponentially and collecting more revenue through ad display.
The attacker was tracked down: the campaign was traced back through one of the phishing pages, which linked to a traffic-monitoring app (whos.amung.us) that could be accessed without authentication.
It is unclear how the campaign initially chose its victims. Researchers believe victims were sent to the phishing landing pages through a chain of redirects that began in Facebook Messenger.
Researchers discovered an identical code fragment on every landing page, which referenced a website that had been seized as part of an investigation involving a Colombian man.
Each time another Facebook account was stolen, the attackers used automated tooling to send further phishing links to that account's friends, substantially increasing the number of compromised accounts.
The phishing messages used legitimate URL-generation services (e.g. litch[.]me, famous[.]co, amaze[.]co), which are hard for security software to block because the same services are used by legitimate apps.
Once a victim enters their account details on the phishing landing page, a new round of redirects begins, sending the victim to advertising pages, survey forms and similar destinations.
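The expand-before-filtering check that the two paragraphs above call for, as an added example in Python (not code from the report or the researchers): it follows a shortened link one redirect at a time, caps the hop count, and judges the host the chain ends on rather than the shortener domain, which is legitimate on its own. The shortener list is the one the article names; the redirect chain and hostnames in FAKE_CHAIN are constructed for this example, and fetch_head is only exercised when a live URL is passed in.

```python
import http.client
from urllib.parse import urljoin, urlparse

# Legitimate URL-generation services the article says the campaign abused.
KNOWN_SHORTENERS = {"litch.me", "famous.co", "amaze.co"}
MAX_HOPS = 10  # stop on redirect loops or abnormally long chains

def fetch_head(url, timeout=5):
    """One HEAD request that does not follow redirects: (status, Location or None)."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_chain(url, fetch=fetch_head, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time, recording every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
    raise RuntimeError(f"redirect chain exceeded {max_hops} hops: {chain}")

def assess_chain(chain, allowlist=frozenset()):
    """Judge the final host, not the shortener hop, which is legitimate on its own."""
    final = urlparse(chain[-1]).hostname or ""
    if final in allowlist:
        return "allow", f"final host {final} is allowlisted"
    if any(urlparse(u).hostname in KNOWN_SHORTENERS for u in chain[:-1]):
        return "flag", f"shortener leads to unvetted host {final} after {len(chain) - 1} redirects"
    return "allow", f"no shortener hop; final host {final}"

# Constructed offline stand-in for the network (hosts made up): shortener -> redirector -> login page.
FAKE_CHAIN = {
    "https://famous.co/abc123": (302, "https://redirector.example/r?i=7"),
    "https://redirector.example/r?i=7": (302, "/login"),
    "https://redirector.example/login": (200, None),
}

def demo():
    chain = resolve_chain("https://famous.co/abc123", fetch=lambda u: FAKE_CHAIN[u])
    return chain, assess_chain(chain, allowlist={"facebook.com", "www.facebook.com"})
```

Calling demo() returns the expanded three-URL chain and a "flag" verdict for the constructed sample; a real URL filter would run resolve_chain with the default fetch_head against the link before deciding.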
Around 2.7 million people accessed one of the phishing portals in 2021. This year’s total has risen to 8.5 million.
There were also 405 other usernames used as campaign IDs, each with its own Facebook phishing page.
These phishing pages initially received 4,000 views, but that number has since risen into the millions, with one page receiving 6 million views.
Even though the majority of the detected URLs are now offline, the phishing activity continues. Furthermore, attackers have succeeded in using legitimate services to bypass URL filtering. Users are advised to remain vigilant and enable two-factor authentication to stay protected.