Large-scale Facebook messenger phishing attack lures millions of people

Researchers revealed a massive scale of abuse of Facebook and Messenger

Phishing scam campaign affected millions. Millions of users fell for the scam on advertising pages and handed over their user credentials to the scammers.

A phishing operation that abused Facebook and Messenger to lure millions of people to advertising pages and to sites where they are tricked into entering their account details has been revealed. The campaign relied on Messenger messages urging the recipient to open a link; the page at the end of that link showed a pop-up asking for account credentials, and unsuspecting users typed their username and password into the phishing form.[1]

The threat actors behind the campaign stole the account credentials and used the hijacked accounts to send further phishing messages to the victims' friends. The landing sites also displayed advertisements and promotional content, which is how the scammers generated significant revenue from online advertising commissions.[2]

There are no details on how the campaign started, but the phishing page[3] was reached through a series of redirects and page reroutes that began with a Facebook Messenger link and passed through advertisements, scams and promotional content before landing on a page that asks for the account credentials.

Traced back to scammers

The campaign has been active since at least 2021, probably September, and peaked in April-May 2022. The New York-based cybersecurity firm PIXM reported[4] that the threat actors could be traced because the scam page hosted a link to a publicly reachable traffic monitoring application; the researchers were able to access it without any authentication.

The researchers obtained a snippet of code common to the landing pages that referenced a website which had been seized and included in an investigation against a Colombian man identified as Rafael Dorado. Details of that takedown have not been disclosed, however.

Further investigation revealed additional campaigns, sites linked to a web development company in Colombia, and older sites offering Facebook “like bots” and hacking services. All of these findings were handed to Interpol and the Colombian police, but the campaign remains active despite the takedown of many of the identified URLs. The threat actors collected referral revenue from the redirects, and the sheer scale of the operation earned them millions of dollars.[5]

Evading protection measures

The more Facebook account credentials the scammers obtained, the more phishing messages they could send: the threat actors used automated tools to push the phishing links to the friends of every compromised account. This is how the campaign grew so large so quickly.

The investigation showed that in 2021 the phishing sites were visited by 2.7 million users, and that in 2022 at least 8.5 million users reached one particular scam site alone, which shows how quickly the campaign grew. At least 405 unique usernames were discovered, each with its own separate phishing page, and the view counts on those pages ranged from 4,000 to 6 million.

The scammers also managed to get around the social network's own protections. Facebook normally blocks known phishing URLs in messages, but these campaigns wrapped the phishing links in legitimate URL generation services, so the message carried a link to a legitimate domain and the actual phishing page, reached only after the redirects, was never blocked.
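The redirect chains described above (a Messenger link that hops through legitimate URL generation and advertising services before landing on a credential-harvesting page) can be unwound and scored offline once a crawler has recorded each hop. The following is an added example, not code from the original article or from PIXM: the redirect map, the landing-page snippets, the "legitimate redirector" domains and all host names in it are constructed placeholders, not the services used in the real campaign.

```python
from urllib.parse import urlparse

# Constructed stand-in for the Location headers a crawler would record:
# each URL maps to the URL it redirects to. Hostnames are placeholders.
REDIRECT_MAP = {
    "https://links.example-shortener.net/abc123": "https://ads.example-tracker.com/r?cid=9",
    "https://ads.example-tracker.com/r?cid=9": "https://promo.example-offers.org/go",
    "https://promo.example-offers.org/go": "https://fb-login-check.example-host.xyz/login.html",
    # a benign chain from the same shortener that ends on the platform itself
    "https://links.example-shortener.net/xyz789": "https://www.facebook.com/groups/cooking",
    # a redirect loop, to show the unwinder terminates
    "https://loop.example.net/a": "https://loop.example.net/b",
    "https://loop.example.net/b": "https://loop.example.net/a",
}

# Constructed page bodies the crawler fetched at the end of each chain.
LANDING_PAGES = {
    "https://fb-login-check.example-host.xyz/login.html":
        '<form><input name="email"><input type="password" name="pass"></form>',
    "https://www.facebook.com/groups/cooking": "<html>Cooking group</html>",
}

# Placeholder for the URL generation services the platform treats as trustworthy.
LEGIT_REDIRECTORS = {"links.example-shortener.net"}
# Hosts a Messenger link may legitimately end up on.
ALLOWED_FINAL_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
MAX_HOPS = 10


def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def unwind(url: str, redirect_map=REDIRECT_MAP, max_hops: int = MAX_HOPS) -> list:
    """Follow the redirect chain; stop on a loop or after max_hops. Returns every URL visited."""
    chain, seen = [url], {url}
    while url in redirect_map and len(chain) <= max_hops:
        url = redirect_map[url]
        chain.append(url)
        if url in seen:          # loop detected: record the repeat and stop
            break
        seen.add(url)
    return chain


def assess(url: str) -> dict:
    """Score one Messenger link by what its redirect chain does, not by the first domain alone."""
    chain = unwind(url)
    hosts = [host(u) for u in chain]
    reasons = []
    # The evasion in the article: a trusted first hop that lands somewhere else entirely.
    if hosts[0] in LEGIT_REDIRECTORS and hosts[-1] not in ALLOWED_FINAL_HOSTS:
        reasons.append("trusted redirector lands off-platform")
    # Ad/promo intermediaries: many distinct domains between the link and the landing page.
    if len(set(hosts)) >= 3:
        reasons.append(f"{len(chain) - 1} hops across {len(set(hosts))} domains")
    # A password field on a page that is not the platform itself is the credential trap.
    if 'type="password"' in LANDING_PAGES.get(chain[-1], "") and hosts[-1] not in ALLOWED_FINAL_HOSTS:
        reasons.append("password field on off-platform landing page")
    return {"chain": chain, "verdict": "phishing" if reasons else "benign", "reasons": reasons}


if __name__ == "__main__":
    for start in ("https://links.example-shortener.net/abc123",
                  "https://links.example-shortener.net/xyz789"):
        result = assess(start)
        print(result["verdict"], "<-", " -> ".join(result["chain"]), result["reasons"])
```

The point of scoring the whole chain is that the first hop, which is all a message filter sees, is a domain the platform has every reason to trust; only the final landing page and the number of unrelated domains in between reveal the scheme.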

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
