Facebook phishing campaign nets millions in IDs and cash

Hundreds of millions of stolen credentials and a cool $59 million


An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

Where this campaign differs is in how good it is at avoiding Facebook's phishing detection methods by using app deployment services like glitch.me, famous.co and amaze.co to begin a redirect chain. 

"In terms of what lands in [FB user inboxes], it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well," Pixm said in its blog post reporting the campaign. 

That's a lot of phish

The sheer scale of the campaign is remarkable. As mentioned above, Pixm identified some 400 unique phishing pages; an analysis of a random 17 of them showed an average of 985,228 page views. Extrapolate that to 400 pages and you get 399,017,673 visits. "We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign," Pixm said. 

The attacker, who reportedly spoke to an OWASP researcher in late 2021, said they made $150 for every thousand visits from US Facebook users. That puts the campaign's earnings at $59 million, but Pixm believes the person who spoke to OWASP was exaggerating. However, "the revenue is still likely staggering considering the size of the campaign," Pixm said.

Using app hosting services to circumvent URL blocking is a growing trend, Pixm said. "A majority of security suites which analyze domains for suspicious properties would allow a connection to these domains to proceed." Pixm noted that the domains hosting the malicious pages satisfy multiple key metrics of trustworthiness. 
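The flow described above (a link on a shared app-hosting domain, a redirect chain, then a fake Facebook login page) can be checked from the defender's side by judging the whole chain instead of the reputation of the first domain. The following is an added example, not code from Pixm or Facebook; the function names, the allow-list of Facebook hosts, the thresholds and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Shared app-hosting domains named in the article; anyone can publish under them.
APP_HOSTS = ("glitch.me", "famous.co", "amaze.co")
# Hosts where a genuine Facebook login form may live (assumed allow-list).
BRAND_HOSTS = ("facebook.com", "messenger.com")

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def assess_chain(hops, final_page):
    """hops: ordered URLs followed after one click, first link to landing page.
    final_page: dict with 'title' and 'has_password_field' for the landing page.
    Returns the reasons the chain resembles the flow described in the article."""
    if not hops:
        return []
    hosts = [urlsplit(u).hostname or "" for u in hops]
    reasons = []
    if on_domain(hosts[0], APP_HOSTS):
        reasons.append("entry link on shared app-hosting domain")
    # Count how often the chain hands the browser to a different host.
    changes = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if changes >= 2:
        reasons.append(f"{changes} cross-host redirects")
    branded = "facebook" in final_page.get("title", "").lower()
    if (branded and final_page.get("has_password_field")
            and not on_domain(hosts[-1], BRAND_HOSTS)):
        reasons.append("Facebook-branded password form off Facebook hosts")
    return reasons

def is_suspicious(hops, final_page):
    """Flag only when the impersonating form is backed by a chain signal."""
    reasons = assess_chain(hops, final_page)
    return len(reasons) >= 2 and any("password form" in r for r in reasons)

# Constructed sample data, not taken from the campaign.
PHISH_CHAIN = ["https://constructed-sample.glitch.me/",
               "https://ads.redirector.example/r?id=1",
               "https://login-page.example/fb"]
PHISH_PAGE = {"title": "Log in to Facebook", "has_password_field": True}
BENIGN_CHAIN = ["https://constructed-demo.glitch.me/"]
BENIGN_PAGE = {"title": "Todo list demo", "has_password_field": False}
REAL_CHAIN = ["https://l.facebook.com/l.php", "https://www.facebook.com/login"]
REAL_PAGE = {"title": "Log in to Facebook", "has_password_field": True}
```

A legitimate app on the same hosting domain is not flagged, which is the property a plain domain block cannot offer.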

Pixm claims to have identified the individual behind the campaign and has handed their evidence over to INTERPOL and the police in Colombia, where the person they identified allegedly operates. Hopefully that means this massive campaign draws to a close soon, but don't expect it to be the last.

"As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish," Pixm said. ®


Biting the hand that feeds IT © 1998–2022