Facebook phishing campaign nets millions in IDs and cash

An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

Where this campaign differs is in how good it is at avoiding Facebook's phishing detection methods by using app deployment services like glitch.me, famous.co and amaze.co to begin a redirect chain. 

"In terms of what lands in [FB user inboxes], it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well," Pixm said in its blog post reporting the campaign. 

That's a lot of phish

The sheer scale of the campaign is remarkable. As mentioned above, Pixm identified some 400 unique phishing pages; an analysis of a random 17 of them showed an average of 985,228 page views. Extrapolate that to 400 pages and you get 399,017,673 visits. "We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign," Pixm said. 

• Microsoft seizes 41 domains tied to 'Iranian phishing ring'
• Watch out for phishing emails that inject spyware trio
• Cops' Killer Bee stings credential-stealing scammer
• Suspected phishing email crime boss cuffed in Nigeria

The attacker, who reportedly spoke to an OWASP researcher in late 2021, said they made $150 for every thousand visits from US Facebook users. That puts the campaign's earnings at $59 million, but Pixm believes the person who spoke to OWASP was exaggerating. However, "the revenue is still likely staggering considering the size of the campaign," Pixm said.

Using app hosting services to circumvent URL blocking is a growing trend, Pixm said. "A majority of security suites which analyze domains for suspicious properties would allow a connection to these domains to proceed." Pixm noted that the domains hosting the malicious pages satisfy multiple key metrics of trustworthiness. 

Pixm claims to have identified the individual behind the campaign and has handed their evidence over to INTERPOL and the police in Columbia, where the person they identified allegedly operates out of. Hopefully that means this massive campaign draws to a close soon, but don't expect it to be the last.

"As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish," Pixm said. ®