Details of the Facebook Messenger Phishing Campaign
According to PIXM, the phishing scam potentially affected hundreds of millions of Facebook users. The threat actor successfully stole users’ login credentials and raked in millions of dollars in advertising revenue. The scheme first came to PIXM’s attention in September 2021, when PIXM researchers found a fake Facebook login portal. Further investigation revealed that the portal led to a server that collected users’ login credentials. The researchers also found a link to a traffic monitoring application, where they had unfettered access to the portal’s tracking metrics, including its traffic data and that of hundreds of other landing pages belonging to the threat actor. Thanks to this discovery, PIXM could deduce that the hackers used several fake landing pages to steal login credentials. The traffic data for one of the malicious sites showed that 2.7 million Facebook users visited the site in 2021, and 8.5 million in 2022.
Campaign Bypassed Facebook’s Protection Mechanisms
As PIXM researchers dug deeper, they discovered that some of the phishing links originated from Facebook itself. This suggests the actor used the stolen credentials to log in to compromised accounts and then sent the malicious links to those victims' Facebook friends via Messenger. Phishing and credential harvesting scams are a massive problem, and Facebook's security team is no stranger to this issue. The company has protection mechanisms in place to detect malicious links and block access to them. However, the threat actor was able to bypass these mechanisms by using a variety of legitimate app deployment services (such as glitch.me, famous.co, amaze.co, and funnel-preview.com) to generate and deploy the URLs that were shared. Because these services are generally used for legitimate purposes, the shared links carried the reputation of a trusted domain, and Facebook could not automatically detect and block them. Once a user clicks on such a link, they are redirected to the phishing site, where their credentials are stolen.
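The evasion described above works because the first hop of each link sits on a reputable hosting service, so blocking by domain reputation alone fails. The following detection heuristic, written for this article as an added example and not PIXM's or Meta's code, scores a resolved redirect chain instead of the shared URL alone: it flags chains that start on one of the deployment services named in the article, leave that service, and land on a host that borrows the Facebook brand without being a Facebook-owned domain. The brand domain list and the sample chains are constructed assumptions.

```python
# Added example: flag redirect chains that relay through a legitimate app-deployment
# service into an off-platform fake login page (the evasion pattern PIXM describes).
from urllib.parse import urlparse

# Deployment services the article names as abused to mint clean-looking URLs.
RELAY_SUFFIXES = ("glitch.me", "famous.co", "amaze.co", "funnel-preview.com")
# Impersonated brand -> domains allowed to serve its login page (assumed list).
BRAND_DOMAINS = {"facebook": ("facebook.com", "fb.com", "messenger.com")}

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _under(host: str, suffix: str) -> bool:
    """True if host is suffix itself or any subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def _impersonates(host: str):
    """Return the brand whose name appears in host while host is not one of its own domains."""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and not any(_under(host, d) for d in legit):
            return brand
    return None

def assess_chain(chain: list) -> dict:
    """Score a resolved redirect chain: chain[0] is the link as shared in Messenger,
    chain[-1] the final landing page.  Signals: the shared link sits on a free
    deployment service (so its domain reputation says nothing), the chain then
    leaves that service, and the landing host borrows a brand it does not own."""
    first, last = _host(chain[0]), _host(chain[-1])
    relay = next((s for s in RELAY_SUFFIXES if _under(first, s)), None)
    exits_relay = relay is not None and not _under(last, relay)
    brand = _impersonates(last)
    reasons = []
    if relay:
        reasons.append(f"shared link hosted on deployment service {relay}")
    if exits_relay:
        reasons.append(f"chain leaves {relay} for {last}")
    if brand:
        reasons.append(f"landing host {last} impersonates {brand}")
    verdict = ("phishing-relay" if exits_relay and brand
               else "review" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample chains (placeholder hosts, not real campaign indicators).
SAMPLE_CHAINS = {
    "relay_to_fake_login": ["https://demo-app.glitch.me/go",
                            "https://facebook-security-check.example/login"],
    "real_login": ["https://www.facebook.com/login/"],
}
```

A single-hop link on one of these services is only marked for review, since the article notes the services themselves are legitimate; the strong verdict needs the exit from the service plus the brand impersonation.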
Threat Actor Profited From Victims
Apart from potentially stealing millions of Facebook users' login credentials, the threat actor also profited from ad revenue. PIXM's access to the traffic data provides key insights into the unique page views generated through the campaign. "So far, we have identified roughly 400 unique usernames, all connected to different Facebook phishing landing pages, but all associated with the same campaign. When taking an average from just 17 random usernames, we see each unique username receiving 985,228 pageviews so far," PIXM stated. "When extrapolated over the 400 unique usernames we identified, that's 399,017,673 total sessions, and rising fast. We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign," it added. PIXM estimates that the threat actor has made close to $60 million so far.

Although certain landing pages are now offline, the campaign remains active. The researchers have handed over their findings to authorities in Colombia, as well as to INTERPOL. At the moment, the threat actor remains at large, and their identity is unknown.

Meta operates some of the most popular internet and social media applications available today, with billions of users. As a result, malicious actors constantly target Meta's services, such as Facebook and Instagram. The best way to stay safe while using these services is to be aware of the threats out there and protect yourself online. You can learn more by reading our article on the top Facebook scams of 2022 and how to avoid them.