A new phishing campaign is using Facebook posts as part of its attack chain to trick users into giving up their account credentials and personally identifiable information (PII).
The emails sent to the targets claim that one of the recipient’s Facebook posts infringes copyright, warning that their account will be deleted within 48 hours if no appeal is filed.
The link to appeal the account deletion points to a real Facebook post on facebook.com, which helps the hackers bypass email security solutions and ensures their phishing messages land in the target’s inbox.
The Facebook post pretends to be “Page Support”, using a Facebook logo to appear as if the company is running it.
However, this post includes a link to an external phishing site named after Meta, the company that owns Facebook, to slightly reduce the chances of victims noticing the scam.
Trustwave analysts who uncovered the phishing campaign found the following three URLs, which remain online at the time of writing.
- meta[.]for the professional user[.]xyz/?fbclid=123
- meta[.]for the professional user[.]xyz/main[.]php
- meta[.]for the professional user[.]xyz/checkpoint[.]php
The phishing sites are carefully designed to look like the real Facebook copyright appeal page and contain a form where victims are asked to enter their full name, email address, phone number and Facebook username.
When submitting this data, the page also collects the victim’s IP address and geolocation information and exfiltrates it all to a Telegram account under the threat actor’s control.
Threat actors can collect the additional information to bypass fingerprinting protections or security questions while taking control of the victim’s Facebook account.
Meanwhile, a redirect takes the victim to the next phishing page, which displays a fake 6-digit one-time password (OTP) request with a timer.
Whatever code the victim enters will result in an error, and if the message “Need another way to authenticate?” is clicked, the site redirects to the actual Facebook site.
Trustwave analysts have also discovered that hackers use Google Analytics on their phishing pages to help them track the effectiveness of their campaigns.
Trustwave reports that it has found numerous Facebook accounts using fake posts designed to appear as support pages that lead victims to phishing websites.
These posts use URL shorteners to link to phishing sites to avoid being flagged and deleted by the social media platform.
Victims can land on these posts via phishing emails, as in the campaign featured in this report, or via instant messages received on Facebook.
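
For defenders, the click-out step of this chain (a Facebook post leading to a URL shortener or to a Meta-named host that Meta does not own) can be hunted for in web proxy logs. The following is an added example, not code from Trustwave or the original report; the log layout, domain lists, brand tokens and `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Illustrative values, not from the report: tune for your environment.
META_DOMAINS = {"facebook.com", "fb.com", "meta.com", "messenger.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_TOKENS = ("meta", "facebook", "fb")

def registrable(host):
    """Naive last-two-labels domain; use a public suffix list in production."""
    return ".".join(host.split(".")[-2:])

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def classify(url, referrer):
    """Return a reason if the request looks like a click-out from Facebook
    to a shortener or to a Meta-named host that Meta does not own."""
    dest = host_of(url)
    from_fb = (registrable(host_of(referrer)) in META_DOMAINS
               or "fbclid" in parse_qs(urlsplit(url).query))
    if not from_fb or registrable(dest) in META_DOMAINS:
        return None
    if registrable(dest) in SHORTENERS:
        return "shortened link followed from Facebook"
    for label in dest.split("."):
        if any(label == t or label.startswith(t + "-") for t in BRAND_TOKENS):
            return "Meta-branded host outside Meta-owned domains"
    return None

def hunt(log_text):
    """Parse 'timestamp client url referrer' lines; return flagged requests."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, url, referrer = parts
        reason = classify(url, referrer)
        if reason:
            findings.append((client, host_of(url), reason))
    return findings

# Constructed sample proxy log; hosts under .example are placeholders.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 https://meta.business-appeal.example/?fbclid=123 -
2024-01-01T10:02:00Z 10.0.0.7 https://bit.ly/abc123 https://www.facebook.com/
2024-01-01T10:03:00Z 10.0.0.8 https://www.meta.com/help/ https://www.facebook.com/
2024-01-01T10:04:00Z 10.0.0.9 https://news.example.org/story https://l.facebook.com/
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Hits from this kind of rule are leads for review rather than verdicts, since legitimate pages also link to shorteners and third-party sites from Facebook.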