Facebook posts and fake forms are being utilized by threat actors in a novel phishing campaign to steal login credentials and Personally Identifiable Information (PII). This text shares the details of the phishing campaign, how it works, the Indicators of Compromise, recent phishing campaigns, and how to protect against the Meta-Phish Facebook phishing campaign.
A new phishing campaign is circling Meta again, using Facebook posts as part of a chain attack that leads to the theft of login credentials and PII (Personally Identifiable Information). It is not uncommon for phishing attacks to use social media platforms, including Facebook, as a way to lure victims into giving away sensitive information or downloading malicious software. However, this new phishing campaign takes it to another level since one of the platform’s entertainment cores, its posts, can be full of threats. Let us see how.
Meta-Phish Facebook Phishing Campaign at a Glance
Researchers at Trustwave Spiderlabs have been analyzing phishing campaigns on Facebook and Instagram for quite some time. Recently, Trustwave’s team identified a new phishing campaign dubbed Meta-Phish, that uses social engineering tactics to lure victims via phony notifications and steals their credentials by redirecting them to phishing pages. The two most important things that the phishing campaign leverages are:
1. Phishing Links: Instead of straightforward phishing links, the email contains links to genuine Facebook posts. The post’s content seems legitimate since it uses dummy “Page Support” Facebook profiles and links leading to external websites. The main phishing URL (Uniform Resource Locator), identified as “hxxps://meta[.]forbusinessuser[.]xyz/main[.]PHP,” impersonates the copyright appeal page of Facebook.
2. Copyright Forms: The Copyright appeal page contains a Facebook form for copyright appeals. Once the victim fills in the details in the form and clicks the send button, all form information is sent to the threat actors. Not only this but the IP (Internet Protocol) address and the victim’s location are also captured along with the personal information filled in the form.
How Does the Latest Meta-Phish Facebook Post Phishing Attack Campaign Work?
- Stolen Information: Once the victim fills in the information on the copyright appeal form, all their data is sent to the threat actor. The page links to a JavaScript file with a function that retrieves all form information when triggered and sends it to a Telegram account utilizing a Telegram bot API (Application Programming Interface).
- Telegram Bot API: The Telegram bot API is crucial to stealing the entered information. The bot accepts queries only in HTTPS (Hypertext Transfer Protocol Secure). Furthermore, the Index.js page uses an external site, “ipinfo.io,” to get the victim’s IP address and geographical locations, which are also sent to the threat actors using the Telegram Bot API.
- Fake OTPs: Once the process is complete, the victim is redirected to another page with a fake OTP (One Time Password) verification mechanism that always leads to an error message, forcing the victim to click on “Need another way to authenticate?”
- Phony Facebook Logins: On clicking on this button, the user has to click on “Get Code” and is redirected to a fake Facebook Log page designed to impersonate the genuine one and harvest login credentials.
- Multiple Approaches: The threat actors run a sophisticated campaign and steal credentials via other social engineering tactics. Some examples that Trustwave shared in their blog included Fake Appeal Form pages, Fake Account Restrictions pages, Fake Social Network Violation pages, and Fake Page Recovery Notifications pages, all of which redirect victims to phishing pages on newly registered domains created with free web hosting services.
Previous Attacks on Facebook: The Messenger Chatbot
Trustwave also uncovered another phishing campaign revolving around Meta this year in June, where the threat artists were leveraging emails that utilized Meta’s Messenger chatbot feature.
- Malicious Email: The threat actors imitated Facebook, prompting the user that their page would be terminated due to Facebook community standards violations, giving the victims a chance to appeal the termination.
- Phishing Page: The victims were given 48 hours with a shortened URL hiding in the “Appeal Now” button in the email redirected victims to a personal account page or a Messenger conversation that could be entered with the Facebook account.
- Messenger Chatbot: The chatbot repeated the account termination message, and the threat actors impersonated Facebook’s support team and employed social engineering tactics, leading the victims to fill out a reply form that gathered their data, leading them to a password confirmation window that stole their Facebook passwords.
All the stolen information was posted to the threat actor’s database and redirected victims to a fake OTP page to help sell the lie, so they remained inconspicuous of the stolen information and credentials. The new campaign also shares a similar approach indicating that the threat actors behind both could be the same.
Meta-Phish Facebook Post Phishing IOCs
You need to look out for the following malicious URLs that are being used by cybercriminals to lure victims with this campaign. These are.
- hxxps://www[.]facebook[.]com/01oix2/posts/102106376025783
- hxxps://meta[.]forbusinessuser[.]xyz/?fbclid=123
- hxxps://meta[.]forbusinessuser[.]xyz/main[.]php
- hxxps://meta[.]forbusinessuser[.]xyz/checkpoint[.]php
- hxxps://api[.]telegram[.]org/bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo/
How to Protect Against Meta-Phish and Facebook Phishing?
Phishing is a type of cyber attack in which hackers try to trick people into revealing sensitive information, such as passwords or credit card numbers, by pretending to be a legitimate company or organization. Facebook is a common target for phishing attacks, as many people use the platform to log in to other websites and apps and may be more likely to trust communications from the company.
To steer clear of the Meta-Phish campaign, it would be best to look out for the above IOCs and avoid a similar approach on Facebook. You should also:
- Be suspicious of unexpected messages or requests: Be cautious if you receive a message or request from someone claiming to be from Facebook or asking you to click on a link or download an attachment.
- Check the sender’s email address: Phishers often use fake or spoofed email addresses to try to look legitimate. Make sure the address matches the organization’s real domain name.
- Look for misspellings or unusual formatting: Phishing emails often contain typos or other errors that a legitimate company would not make.
- Don’t click on links or download attachments from unknown sources: If you are unsure whether a message or request is legitimate, do not click on any links or download any attachments.
- Use two-factor authentication: This can help to protect your account even if your password is compromised.
- Use reputable antivirus software: This can help to detect and block phishing attacks before they reach your computer or device.
By following these tips, you can help to protect yourself against Facebook phishing and other cyber threats. It is also important to be aware of the latest threats and to keep your security software and practices up to date.
Conclusion
Phishing is a constantly evolving threat that has grown more sophisticated over time and is likely to continue to evolve. With more targeted and personalized phishing attacks, hackers are increasingly using social engineering tactics to tailor their attacks to specific individuals or organizations, making them more difficult to detect.
It is important for individuals and organizations to stay vigilant and implement robust cybersecurity measures to protect against it. This includes using strong and unique passwords, being cautious of unexpected messages or requests, and using MFA whenever possible.