Researchers discovered a large-scale phishing campaign that exploited Facebook and Messenger to deceive millions of people into entering their account credentials and viewing adverts on phishing pages. The campaign operators used the stolen accounts to send further phishing messages to the victims' contacts, earning a large sum of money from online advertising commissions.
The campaign peaked around April-May 2022, according to PIXM, a New York-based AI-focused cybersecurity company, but it has been active since at least September 2021. One of the discovered phishing URLs contained a link to a traffic monitoring tool (whos.amung.us) that was publicly accessible without authentication, which allowed PIXM to track down the threat actor and map the campaign.
While the origin of the campaign is unknown, PIXM reports that victims were directed to the phishing landing pages via a series of Facebook Messenger redirections. As more Facebook accounts were compromised, the threat actors used automated tools to send new phishing links to each compromised account's friends, producing a rapid increase in stolen accounts.
“A user’s account would be compromised and, in a likely automated fashion, the threat actor would log in to that account and send out the link to the user’s friends via Facebook Messenger,” explains PIXM in the report.
While Facebook has safeguards to prevent the spread of phishing URLs, the threat actors exploited a loophole to get around these protections. Genuine URL generating services, including litch.me, amaze.co, famous.co, and funnel-preview.com, were employed in the phishing emails; these are difficult to block because legitimate apps also use them.
After realizing they could access the campaign's statistics pages without authentication, the researchers found that 2.7 million individuals had visited one of the phishing sites in 2021. This figure rose to 8.5 million in 2022, reflecting the campaign's huge expansion. Digging deeper, the researchers identified 405 different usernames used as campaign IDs, each with its own Facebook phishing page. Page views on these phishing URLs ranged from 4,000 to millions, with one page reaching a staggering 6 million.
According to the researchers, these 405 identities are only a small portion of the total number of accounts used in the campaign. Once a victim enters their credentials on the phishing landing page, a second wave of redirections begins, sending them to advertising pages, survey forms, and similar destinations. These redirections generate referral income for the threat actors, which at this scale is believed to amount to millions of dollars.
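The two-stage redirect chain described above (a legitimate link-generating service as the entry point, then an off-service credential-harvesting page) is something a defender can triage from resolved link chains. The following is an added example, not code from PIXM or the report; the service list is the one named in the article, and the sample chains and HTML are constructed.

```python
"""Triage resolved redirect chains from links seen in messages (added example)."""
import re
from urllib.parse import urlparse

# Link-generating services the report names as abused entry points (extend with your own intel).
ABUSED_ENTRY_SERVICES = {"litch.me", "amaze.co", "famous.co", "funnel-preview.com"}
PASSWORD_FIELD_RE = re.compile(r"<input[^>]*type=[\"']?password", re.IGNORECASE)
BRAND_RE = re.compile(r"facebook|messenger", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_facebook_host(host: str) -> bool:
    return host == "facebook.com" or host.endswith(".facebook.com")


def triage_chain(chain, final_html=""):
    """Classify a resolved redirect chain.

    chain: URLs in the order a client visits them (first = link as sent in the
    message, last = page that actually rendered). final_html: body of the last
    page. Returns (verdict, reasons) with verdict in allow / review / block.
    """
    if not chain:
        return "allow", []
    reasons = []
    entry, final = host_of(chain[0]), host_of(chain[-1])
    # Stage 1 signal: a trusted link service that hops to an unrelated host.
    off_service = len(chain) > 1 and final != entry and final not in ABUSED_ENTRY_SERVICES
    if entry in ABUSED_ENTRY_SERVICES and off_service:
        reasons.append(f"link service {entry} redirects off-service to {final}")
    # Stage 2 signal: a Facebook-branded password form on a non-Facebook host.
    branded_login = (bool(BRAND_RE.search(final_html)) and bool(PASSWORD_FIELD_RE.search(final_html))
                     and not is_facebook_host(final))
    if branded_login:
        reasons.append(f"Facebook-branded password form served from {final}")
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed samples, not data from the report.
    phish = ["https://litch.me/s/abc123", "https://login-fb-verify.example/index.php"]
    phish_html = '<h1>Log in to Facebook</h1><form><input type="password" name="pass"></form>'
    print(triage_chain(phish, phish_html))
    print(triage_chain(["https://litch.me/s/portfolio"], "<h1>My portfolio</h1>"))
```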
On all landing pages, PIXM discovered a similar code snippet containing a reference to a website seized as part of an investigation against a Colombian individual named Rafael Dorado. It is unknown who took control of the domain and posted the message.
A reverse whois lookup turned up ties to a legitimate web development business in Colombia and to old websites selling Facebook "like bots" and hacking services. PIXM shared the results of its investigation with the Colombian Police and Interpol, but the campaign is still ongoing, even though many of the identified URLs have gone offline.