Threat actors have adopted a novel phishing campaign utilizing Facebook posts to lure in victims and deploying Facebook forms to target the login credentials of innocent individuals along with their PII (Personally Identifiable Information). Here is an in-depth look into the novel phishing campaign, sharing its workings, IoCs (Indicators of Compromise), recent attacks, and how to protect against the Meta-Phish Facebook phishing campaign.
The Metaverse is surrounded by a novel phishing campaign where threat actors are using Facebook posts as part of a chained attack to make away with login credentials and PII. Phishing attacks have targeted victims via social media platforms to lure them into providing confidential information or downloading malware to their devices.
However, this new Meta-Phish Campaign takes things to another level as one of the core features of the social media giant, i.e., Facebook posts are being used for malicious purposes. Let us show you how.
Meta-Phishing Facebook Phishing Campaign at a Glance
Security researchers at Trustwave Spiderlabs analyzed the new phishing campaign while looking into phishing activities on Facebook and Instagram. The security team identified a novel phishing campaign known as Meta-Phish, where threat actors employed social engineering tactics to lure innocent Facebook users using phony notifications to steal their login credentials by redirecting them to malicious phishing URLs (Uniform Resource Locators).
The threat actors make use of two critical practices in the Meta-Phish Facebook Phishing Campaign:
- Phishing Links: Instead of utilizing direct phishing links, the threat actors embedded links to genuine Facebook posts with legitimate content. The page had dummy “Page Support” content with Facebook profiles and additional links leading to external websites. One of the phishing URLs, “hxxps://meta[.]forbusinessuser[.]xyz/main[.]PHP,” impersonated Facebook’s authentic copyright appeal page so individuals would not be able to identify the link as phony as it would appear to be a real one.
- Copyright Forms: The impersonated copyright appeal page contains a Facebook form for users to fill out copyright appeals. However, once the individual fills and submits the form, all the information is sent to the threat actor’s Telegram account, along with the IP (Internet Protocol) address and the user’s location.
How Does the Latest Meta-Phish Facebook Post Phishing Attack Campaign Work?
The following points demonstrate how this campaign worked:
- Stolen Information: Once a user fills in the information on the form dubbed as the copyright appeal form, all their information is sent to the threat actors. The page is linked to a JavaScript file that contains a method to retrieve all data and send the form information to a Telegram account using a bot API (Application Programming Interface).
- Telegram Bot API: The bot API is a crucial part of the Meta-Phish campaign and accepts queries in HTTPS (Hypertext Transfer Protocol Secure). The Index.js page sending information via the API has another site, “ipinfo.io,” connected to it, which is utilized to steal the victim’s IP address and geographical location, which are also sent to the Telegram channel.
- Fake OTPs: Once the victim sends the information, the threat actors redirect them to another page with a fake OTP (One Time Password) verification that always fails the authentication, urging the users to click an option, “Need another way to authenticate?”
- Facebook Logins: Whenever any user clicked on the “Get Code” button on the page, they were redirected to a fake Facebook login page designed to harvest login credentials.
- Malicious Approaches: The threat actors also employed additional tactics to steal login credentials. Some of the most common ones shared by Trustwave’s security researchers included Fake Appeal Forms, Fake Account Restrictions, Fake Social Network Violation Pages, Fake Page Recovery Notifications, and more. All such pages led the victims to phishing pages on a network of domains created via free web hosting services.
TrustWave Uncovering the Messenger Chatbot
Trustwave also shared details about another phishing campaign targeting Meta users in June, where the threat actors leveraged emails utilizing the platform’s chatbot feature.
- Malicious Emails: The threat actors imitated Facebook, warning users of page terminations due to violating Facebook community guidelines and providing a chance to appeal the termination.
- Phishing Page: The threat actors gave a 48-hour ultimatum and a shortened URL hiding under the “Appeal Now” button that redirects users to personal account pages or messenger conversations.
- Malicious Messenger Chatbot: The chatbot showed the account termination page to the victims where the threat actors appeared as Facebook’s support team staff and utilized social engineering tactics to lead victims into filing a reply form that stole all data. They were then led to a password confirmation window designed to steal their Facebook passwords.
The threat actors stole all information and redirected victims to a fake OTP page to make the campaign appear more convincing. A similar approach is also seen in the Meta-Phish Facebook phishing campaign, which could indicate the same threat actor is behind both campaigns.
Meta-Phish Facebook Post Phishing IOCs
Threat actors use malicious URLs to carry out the Meta-Phish Facebook Phishing Campaign. Here are the links you need to look out for:
- hxxps://www[.]facebook[.]com/01oix2/posts/102106376025783
- hxxps://meta[.]forbusinessuser[.]xyz/?fbclid=123
- hxxps://meta[.]forbusinessuser[.]xyz/main[.]php
- hxxps://meta[.]forbusinessuser[.]xyz/checkpoint[.]php
- hxxps://api[.]telegram[.]org/bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo/
How to Protect Against Meta-Phishing and Facebook Phishing?
Phishing is one of the most significant and damaging cyberattacks, where threat actors trick innocent individuals and make away with sensitive information by impersonating a genuine website or organization. Facebook, one of the most significant social media giants, is a common target for phishing attacks as it is the platform for logging into other websites and applications.
To steer clear of the Meta-Phish campaign, you need to be on your guard, be wary of the above IoCs list, and:
- Be Wary of Unsolicited Messages / Requests: You should be on your guard if you receive an unsolicited message or request, especially when the individual claims to be a Facebook employee, asking you to download attachments or click on malicious links.
- Verify the Identity of Senders: Threat actors and phishers have a knack for using spoofed email addresses, so you should always match the addresses with the organization’s domain name. Such information is readily available on Google.
- Look Out for Grammatical Errors or Misspellings: Threat actors that employ phishing emails are not well-versed, and such emails generally contain multiple typos, misspellings, or grammatical errors that organizations need to make.
- Refrain from Downloading Attachments from Unknown Sources: You should never click on links or download any suspected malicious attachments unless the email is from an authentic source.
- Implement MFA: Multi-Factor Authentication is a cybersecurity boon and will protect your account by requiring additional authentication at login.
- Invest in a Good Anti-Virus: Reputable anti-virus software can detect and block phishing attacks or flag questionable content before the threat actors reach your device or account. You should invest in a good antivirus solution that comes with AI capabilities.
Following the above, you can avoid the Meta-Phishing Facebook phishing campaign. On the other hand, keeping up to date with the latest phishing campaigns can help you identify phishing attacks faster.
Final Words
Phishing is a constantly evolving threat that grows over time and will remain one of the most significant cyber threats as it opens doors to stolen information, organizational systems, accounts, and the deployment of malware and ransomware. Organizations need to follow the above guidelines and protect themselves against novel phishing attacks. Phishing attacks might take the shape of a known individual or entity as well since threat actors also tailor these for specific targets. Only by being vigilant on all fronts can individuals and organizations protect against this grave threat.