Phishers try to lure 5K Facebook advertisers with fake business pages
One company alone was hit with more than 4,200 emails
More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign.
Check Point researchers say that they spotted about 40,000 phishing emails sent to their customers across the US, Europe, Canada, and Australia - and they were sent from the legitimate facebookmail.com domain.
While most organizations received fewer than 300 messages, one company alone was hit with more than 4,200.
In an emailed response to The Register’s questions, Check Point’s research team said that they don’t know how many people clicked on the phishing emails or who is behind the phishing attacks.
“The attackers’ technique appears to involve registering new domains and using them for only a few days (up to a week), which makes attribution and tracking difficult,” the researchers said, adding that the campaign is ongoing with a daily average of about 2,350 emails sent per day.
Because this number only represents detections across the vendor’s customer base, however, “the actual number of emails distributed is likely higher.”
To pull off this phishing expedition, the criminals created shell Facebook Business pages representing businesses that don't exist, and then used the Business invitation feature to send phishing emails that look like the real deal.
This makes the fake notifications look more convincing because they appear to come directly from Meta, plus the legit domain helps the phishing emails bypass security filters.
Both of these things, plus urgent language like "account verification required," mean that recipients are more likely to click on the malicious Facebook link, and then be redirected to phishing websites that steal users' credentials and other sensitive information.
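Because the lure arrives from a genuine Meta sending domain, sender reputation alone will not catch it; what a defender can still use is the invitation-style wording, the urgency phrasing quoted above, and the volume (hundreds to thousands of messages per organisation). The triage helper below is an added example, not code from the article or from Check Point: it reads constructed mail-gateway log lines (the pipe-separated format, the example-motors.test addresses, and the business names are all made up for illustration), keeps only invitation-style messages from facebookmail.com, and flags recipients who receive a burst of them or any that use urgency language, plus an organisation-wide per-day count for spotting a campaign like the one described. The assumption that the urgency phrase appears in the subject line is mine; a production rule would also inspect the body.

```python
"""Triage bulk Meta Business invitation emails from gateway logs.

Added example, not from the article or Check Point. Log format and sample
records are constructed: ts|sender_domain|recipient|subject
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Phrases the article cites as the lure's urgency hook, plus common variants.
URGENCY = re.compile(
    r"account verification required|verify your account|"
    r"will be (suspended|disabled)|immediate action", re.I)
# Invitation-style wording a Business invitation notification would carry
# (assumed pattern, not taken from a real Meta template).
INVITE = re.compile(r"invit(ed|ation)|business (portfolio|account|manager)", re.I)
LEGIT_SENDER = "facebookmail.com"  # genuine domain abused in the campaign

# Constructed sample gateway log; addresses and business names are invented.
SAMPLE_LOG = """\
2025-11-17T08:02:11|facebookmail.com|alice@example-motors.test|You have been invited to join Acme Dealer Group's business portfolio
2025-11-17T08:02:15|facebookmail.com|alice@example-motors.test|Account verification required: accept your business invitation
2025-11-17T08:03:40|facebookmail.com|bob@example-motors.test|Account verification required: accept your business invitation
2025-11-17T08:04:02|facebookmail.com|alice@example-motors.test|Invitation to Northwind Realty business account
2025-11-17T09:10:00|newsletter.example|carol@example-motors.test|Weekly update
2025-11-17T09:12:30|facebookmail.com|carol@example-motors.test|Your ad campaign summary
2025-11-18T10:00:00|facebookmail.com|dave@example-motors.test|Invitation to join Contoso Hospitality business manager
"""


@dataclass
class MailRecord:
    ts: str
    sender_domain: str
    recipient: str
    subject: str


def parse_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    return MailRecord(*parts)


def is_invite_lure(rec):
    """True when the message is an invitation-style mail from the legit domain.

    Sender reputation is deliberately NOT used as a negative signal: the
    campaign's whole point is that the sending domain is genuine.
    """
    return rec.sender_domain.lower() == LEGIT_SENDER and bool(INVITE.search(rec.subject))


def lures(lines):
    """Yield parsed records that look like Business invitation lures."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_invite_lure(rec):
            yield rec


def triage(lines, burst_threshold=3):
    """Flag recipients with a burst of invitations or any urgency-worded one.

    Returns {recipient: {"count": n, "urgent": m}} for flagged recipients.
    """
    per_recipient = defaultdict(list)
    for rec in lures(lines):
        per_recipient[rec.recipient].append(rec)

    findings = {}
    for rcpt, recs in per_recipient.items():
        urgent = sum(1 for r in recs if URGENCY.search(r.subject))
        if len(recs) >= burst_threshold or urgent:
            findings[rcpt] = {"count": len(recs), "urgent": urgent}
    return findings


def daily_volume(lines):
    """Count invitation lures per calendar day across the whole organisation,
    the figure to compare against a normal-day baseline."""
    counts = defaultdict(int)
    for rec in lures(lines):
        counts[rec.ts[:10]] += 1
    return dict(counts)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for rcpt, info in sorted(triage(log_lines).items()):
        print(f"{rcpt}: {info['count']} invitation(s), {info['urgent']} urgent")
    print("per-day lure volume:", daily_volume(log_lines))
```

On the constructed sample, alice is flagged for three invitations (one urgent), bob for a single urgent one, while carol's ordinary ad summary and dave's lone non-urgent invitation pass; the per-day count shows the 17th as the burst day. Tuning `burst_threshold` and comparing `daily_volume` against a baseline is where a real deployment would spend its effort.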
Targeted industries include automotive, education, real estate, hospitality, and finance, and while the emails mostly went to smaller and mid-size businesses, the phishing expedition also caught a "smaller number of large, well-known companies," according to the Check Point security researchers.
"These sectors, particularly those that rely on Meta platforms for customer engagement, are ideal targets because their employees frequently receive genuine 'Meta Business' notifications and are therefore more likely to trust such messages," the researchers note.
Meta did not immediately respond to The Register's inquiries about this campaign.
We should add: Check Point provides email security to its customers, so on the one hand the Monday report is saying that the vendor's products did what they were supposed to do - stop phishing attacks. However, because of the scale and global nature of this campaign, it's worth putting the word out, as users beyond Check Point's customers should be on alert.
"This campaign underscores a growing trend where cyber criminals weaponize legitimate services to gain trust and bypass security controls," the researcher team noted. "While the volume of emails may suggest a spray-and-pray approach, the credibility of the sender domain makes these phishing attempts far more dangerous than ordinary spam." ®
Updated on Nov 17 with comment from Check Point.