A large-scale phishing operation run on Facebook and Messenger, luring millions of users onto phishing pages, has been uncovered by researchers. The aim of the operation was to trick victims into entering their credentials and then to show them adverts.
The stolen account details were used to send further phishing messages to the victims’ friends, with the ultimate goal of generating significant online advertising commission revenue.
The New York-based, AI-focused cybersecurity firm PIXM said that the campaign, although active since September 2021, peaked in April/May 2022.
PIXM traced the threat actor and was able to map the campaign because one of the identified phishing pages hosted a link to a publicly accessible traffic monitoring app (whos.amung.us).
PIXM said that victims arrived at the phishing pages after being redirected from Facebook Messenger. Automated tools then helped the threat actors send further phishing links to each compromised account’s friends, producing rapid growth in the number of stolen accounts.
The threat actors used a trick to bypass Facebook’s anti-phishing protection measures: the phishing messages linked through legitimate URL generation services, such as famous.co, amaze.co, and litch.me. Because these services are also used by legitimate apps, they would be hard for Facebook to block outright. Researchers found that 2.7 million users had visited one of the phishing portals in 2021; in 2022, this figure rose to 8.5 million.
The researchers further identified 405 unique usernames used as campaign identifiers, linked to separate Facebook phishing pages. However, the researchers suspect that these usernames only represent a fraction of the accounts used for the campaign.
The threat actors receive referral revenue from the redirects that follow once victims enter their credentials on the phishing landing pages. This revenue is estimated at millions of USD.
PIXM was able to find a common code snippet on all of the landing pages it identified. These pages contained a shared reference to a website that had previously been seized as part of an investigation into a Colombian man identified as Rafael Dorado. It is unknown who placed the seizure notice on the site and seized the domain. PIXM shared the results of its investigation with the Colombian police and Interpol.
The phishing campaign is still ongoing.