The talk of the town is the phishing campaign on Facebook that has reportedly duped millions into providing their login credentials to cybercriminals. The Facebook phishing operation is the latest in a long line of cybersecurity news that has shaken people worldwide.
Facebook Messenger is circling various phishing pages, tricking users into providing their login credentials to threat actors. These compromised accounts are then used further to expand the phishing messages to friends and family accounts, farming more credentials to compromise additional accounts.
These phishing pages are also full of online advertisements, helping the threat actors behind the attack generate significant earnings while also expanding the phishing attack surface.
What is Happening During the Facebook Phishing Campaign?
Facebook Messenger is floating with countless phishing pages that redirect you to fake web pages, which are only accessible once you enter your login credentials into the fake Facebook login page that appears.
Various phishing pages originated from Facebook Messenger, a number that grew in proportion to the number of stolen Facebook accounts, indicating the presence of automated tools that sent phishing links to the friends of a stolen account, leading to widespread phishing and growth in stolen Facebook accounts.
Facebook, one of the social media giants in the world, has adequate protection and security measures to stop phishing links. Still, the cybercriminals behind the phishing campaign have also been a step ahead, employing legitimate URL (Uniform Resource Locator) services. Some of these include litch.me, amaze.co, and famous.co, allowing the phishing links to bypass Facebook’s security.
Facebook Phishing Campaign in Detail
There is a massive scale of abuse on Facebook messenger that PIXM Security has uncovered. The attacks were frequent in 2022, but they started in September last year and included a fake Facebook login page.
Facebook’s security was unable to detect this credential harvesting phishing campaign as the cybercriminal circumvents the phishing URLs from being blocked by the usage of authentic app deployment services as the first link of the URL redirecting chain.
These login pages are not only limited to Facebook’s login pages but also redirect users to fake pages full of advertisements, online surveys, and more which indicate that the cybercriminal behind the Facebook phishing campaign is already earning millions.
On close inspection, PIXM found a reference to the original server where the stolen login credentials are hosted and a link to traffic monitoring tools where PIXM discovered other phishing pages. Furthermore, the views on the phishing pages used on Facebook revealed a significant spike from 2.7 million in 2021 to 8.5 million in 2022.
These Facebook phishing pages have over 400 unique identifiers, each with between 4000 and millions of views, with one reportedly having over 6 million. However, these discovered ones represent only a small fraction of the real number.
Image sourced from gridinsoft.com
Who is Behind the Facebook Phishing Attack?
PIXM has also successfully identified the threat actor behind the Facebook phishing campaign, which is attributed to a certain “Bendercrack.com,” a website seized in January 2021 and is currently under investigation.
The threat actor was identified as many phishing pages shared a common code snippet that included the comment “Desarrollado por BenderCrack.com,” which is Spanish for “Powered by BenderCrack.com.”
The BenderCrack website is not accessible, but its archived copies were examined by PIXM and revealed the threat actor’s email, ‘firstname.lastname@example.org’, which further revealed the threat actor is based out of Colombia. PIXM passed all its discoveries to INTERPOL and the Colombian Police. You can view the detailed report here.
How to Keep Safe from the Facebook Phishing Campaign?
Facebook’s Phishing Campaign is still under investigation and ongoing, which means you are bound to come across a phishing link that will harm you. However, by following some simple steps, you can easily avoid the Facebook Messenger phishing links.
Do Not Open Unknown Links: Phishing is done via unknown links redirecting you to fake websites and pages designed to steal your information. If you encounter any unknown or unsolicited links in your Facebook Messenger inbox, you should refrain from tapping or clicking on them.
Do Not Provide Login Credentials: A major part of the Facebook Phishing Campaign is using genuine user accounts to spread malicious phishing emails. Furthermore, one of your friend’s accounts could also be compromised, leading you to a fake page. If you find yourself on a fake page requiring you to sign in to Facebook again, you should avoid it altogether and report the page. You should also confirm with your friend or family member if they are the link’s sender.
Implement 2FA: Facebook’s Two-Factor Authentication is an excellent way of securing your account and protecting it. Furthermore, alerts about unrecognized Facebook logins can also help strengthen Facebook account security by alerting you about suspicious logins.
Facebook Messenger also integrates with your carrier’s services, so you should also avoid unsolicited messages or links you receive as texts. You should also report strange emails and phishing messages to email@example.com.
The Facebook Messenger phishing scam is just the latest in a long line of romance scams, lottery scams, phishing emails, bogus job and giveaways, and shopping scams that have been observed on social media platforms.
While the latest phishing scam on Facebook is dangerous and can result in losing access to your account and the compromised account being used for further spreading phishing emails, you can easily protect your account by following the above steps.
However, with protection from phishing becoming the centerpiece of attention everywhere, the Facebook Messenger phishing campaign has certainly raised questions about the security of Facebook and its applications offer.