For months now, millions of Facebook users have been duped by the same phishing scam that cons users into handing over their account credentials.
According to a report outlining the phishing campaign, the scam is still active and continues to push victims to a fake Facebook login page, where they are enticed to submit their Facebook credentials. Unconfirmed estimates suggest nearly 10 million users fell prey to the scam, earning the single perpetrator behind the phishing ploy a huge payday.
According to a report published by researchers at PIXM Security, the phishing campaign began last year and ramped up in September. Researchers believe millions of Facebook users were exposed each month by the scam. Researchers assert that the campaign remains active.
Facebook has not replied to requests for comment for this report.
PIXM asserts the campaign is tied to a single person located in Colombia. PIXM attributes the massive Facebook scam to a single individual because each message links back to code “signed” with a reference to a personal website. Researchers state the individual went so far as to respond to researcher inquiries.
How the Scam Worked
The crux of the phishing campaign centers around a fake Facebook login page. It might not look immediately suspicious, as it copies Facebook’s user interface closely.
When a victim enters their credentials and clicks “Log In,” those credentials are sent to the attacker’s server. Then, “in a likely automated fashion,” the authors of the report explained, “the threat actor would login to that account, and send out the link to the user’s Friends via Facebook Messenger.”
Any Friends that click the link are brought to the fake login page. If they fall for it, the credential-stealing message is forwarded to their Friends in turn.
After the credentials are phished, victims are redirected to pages with advertisements, which in many instances also included surveys. Each of these pages generates referral revenue for the attacker, researchers said.
When researchers reached out to the individual claiming responsibility for the phishing campaign, the individual “claimed to make $150 for every thousand visits [to the advertising exit page] from the United States.”
PIXM estimates nearly 400 million U.S.-based page views of the exit page. This, researchers said, “would put this threat actor’s projected revenue at $59M from Q4 2021 to present.” However, researchers don’t believe the criminal is being honest about their earnings, adding they are “probably exaggerating quite a bit.”
How the Scam Bypassed Security
The perpetrator of this campaign managed to circumvent the social media platform’s security checks using a technique that Facebook didn’t catch, PIXM said.
When a victim clicks on a malicious link in Messenger, the browser initiates a chain of redirects. The first redirect points to a legitimate “app deployment” service. “After the user has clicked,” the report’s authors explained, “they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”
Even if Facebook caught on to and blocked any one of these illegitimate domains, “it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID. We would often observe several used in a day, per service,” researchers said.
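The redirect-chain abuse described above is something a link-scanning defender can detect without blocking the hosting service itself: resolve every hop, flag links that start on a trusted app deployment domain but land on a brand lookalike, and count how many fresh unique IDs the same service hands out. The following is an added example, not code from PIXM or from the report; all domains are constructed placeholders and the redirect table stands in for the Location headers a crawler would record.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for the HTTP Location headers a link crawler would record;
# every domain here is a placeholder (.test TLD), not a real service.
REDIRECTS = {
    "https://apps.example-deploy.test/a1b2c3": "https://track.example-link.test/go?x=1",
    "https://track.example-link.test/go?x=1": "http://facebook-login.example-phish.test/login.html",
    "https://apps.example-deploy.test/d4e5f6": "http://facebook-login.example-phish.test/login.html",
    "https://apps.example-deploy.test/g7h8i9": "https://docs.example-legit.test/readme",
}
# Assumed allowlist of app deployment services that cannot be blocked outright.
LEGIT_HOSTING = {"apps.example-deploy.test"}
BRAND = "facebook"
BRAND_DOMAIN = "facebook.com"

def follow_chain(url, max_hops=10):
    """Resolve a link through the recorded redirects; returns every hop, first to last."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        chain.append(url)
    return chain

def is_lookalike(url):
    """True when a URL impersonates the brand without being on its real domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
        return False
    return BRAND in host or BRAND in parsed.path.lower()

def classify(url):
    """Flag a link that starts on a trusted hosting service but lands on a lookalike."""
    chain = follow_chain(url)
    first_host = urlparse(chain[0]).hostname
    if first_host in LEGIT_HOSTING and is_lookalike(chain[-1]):
        return "suspicious", chain
    return "clean", chain

def link_churn(urls):
    """Distinct unique IDs seen per hosting service; several per day signals rotation."""
    ids = defaultdict(set)
    for u in urls:
        parsed = urlparse(u)
        if parsed.hostname in LEGIT_HOSTING:
            ids[parsed.hostname].add(parsed.path)
    return {host: len(paths) for host, paths in ids.items()}
```

Feeding the allowlist and redirect table from a real crawler lets the same logic score new links per service as they appear, rather than chasing each rotated ID after the fact.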
PIXM said it was able to access the hacker’s own pages for tracking the campaigns. The data indicated that nearly 2.8 million people fell for the scam in 2021 and 8.5 million have so far this year.
Researchers warn, “As long as these domains remain undetected by use of legitimate services, these phishing tactics will continue to flourish.”