Facebook phishing campaign nets millions in IDs and cash

Hundreds of millions of stolen credentials and a cool $59 million

An ongoing phishing campaign targeting Facebook users may have already netted hundreds of millions of credentials and a claimed $59 million, and it's only getting bigger.

Identified by security researchers at phishing prevention company Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. Just one landing page - out of around 400 Pixm found - got 2.7 million visitors in 2021, and has already tricked 8.5 million viewers into visiting it in 2022. 

The flow of this phishing campaign isn't unique: Like many others targeting users on social media, the attack comes as a link sent via DM from a compromised account. That link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately landing on a fake Facebook login page. That page, in turn, takes the victim to advert landing pages that generate additional revenue for the campaign's organizers. 

Where this campaign differs is in how good it is at avoiding Facebook's phishing detection methods by using app deployment services like glitch.me, famous.co and amaze.co to begin a redirect chain. 

"In terms of what lands in [FB user inboxes], it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well," Pixm said in its blog post reporting the campaign. 

That's a lot of phish

The sheer scale of the campaign is remarkable. As mentioned above, Pixm identified some 400 unique phishing pages; an analysis of a random 17 of them showed an average of 985,228 page views. Extrapolate that to 400 pages and you get 399,017,673 visits. "We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign," Pixm said. 

The attacker, who reportedly spoke to an OWASP researcher in late 2021, said they made $150 for every thousand visits from US Facebook users. That puts the campaign's earnings at $59 million, but Pixm believes the person who spoke to OWASP was exaggerating. However, "the revenue is still likely staggering considering the size of the campaign," Pixm said.

Using app hosting services to circumvent URL blocking is a growing trend, Pixm said. "A majority of security suites which analyze domains for suspicious properties would allow a connection to these domains to proceed." Pixm noted that the domains hosting the malicious pages satisfy multiple key metrics of trustworthiness. 

Pixm claims to have identified the individual behind the campaign and has handed their evidence over to INTERPOL and the police in Columbia, where the person they identified allegedly operates out of. Hopefully that means this massive campaign draws to a close soon, but don't expect it to be the last.

"As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish," Pixm said. ®

Other stories you might like

  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Meta: We need 5x more GPUs to combat TikTok, stat
    And 30% fewer new engineers this year

    Comment Facebook parent Meta has reportedly said it needs to increase its fleet of datacenter GPUs fivefold to help it compete against short-form video app and perennial security concern TikTok.

    The oft-controversial tech giant needs these hardware accelerators in its servers by the end of the year to power its so-called discovery engine that will become the center of future social media efforts, according to an internal memo seen by Reuters that was written by Meta Chief Product Officer Chris Cox.

    Separately, CEO Mark Zuckerberg told Meta staff on Thursday in a weekly Q&A the biz had planned to hire 10,000 engineers this year, and this has now been cut to between 6,000 and 7,000 in the shadow of an economic downturn. He also said some open positions would be removed, and pressure will be placed on the performance of those staying at the corporation.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading

Biting the hand that feeds IT © 1998–2022