Facebook phishing campaign nets millions in usernames and money • The Register


An ongoing phishing campaign targeting Facebook users may have already yielded hundreds of millions of credentials and claimed $59 million, and it’s only getting bigger.

Identified by security researchers at phishing prevention firm Pixm in late 2021, the campaign has only been running since the final quarter of last year, but has already proven incredibly successful. A single landing page – one of around 400 Pixm found – attracted 2.7 million visitors in 2021 and had already attracted a further 8.5 million visitors in 2022.

The flow of this phishing campaign is not unique: like many others targeting users on social networks, the attack comes in the form of a link sent via DM from a compromised account. This link performs a series of redirects, often through malvertising pages to rack up views and clicks, ultimately ending up on a fake Facebook login page. This page, in turn, leads the victim to advertising landing pages that generate additional revenue for the campaign organizers.

Where this campaign differs is in its ability to evade Facebook’s phishing detection methods by using app deployment services like glitch.me, Famous.co, and amaze.co to start a chain of redirects.

“In terms of what lands in [FB user inboxes] it’s a link generated using a legitimate service that Facebook couldn’t block without also blocking legitimate apps and links,” Pixm said in its blog post reporting on the campaign.

That’s a lot of phishing

The scale of the campaign is remarkable. As mentioned above, Pixm has identified some 400 unique phishing pages; an analysis of 17 of them at random showed an average of 985,228 pageviews. Extrapolate that to 400 pages and you get 399,017,673 hits. “We estimate that the 400 usernames identified so far, and all of their unique phishing pages, represent only a fraction of this campaign,” Pixm said.

The attacker, who reportedly spoke to an OWASP researcher in late 2021, said he earned $150 per thousand visits from US Facebook users. That brings the campaign’s revenue to $59 million, but Pixm thinks the person who spoke to OWASP was exaggerating. However, “earnings are still likely staggering given the size of the campaign,” Pixm said.

Using app hosting services to circumvent URL blocking is a growing trend, Pixm said. “The majority of security suites that scan domains for suspicious properties would allow a connection to those domains to continue.” Pixm noted that the domains hosting the malicious pages meet several key reliability measures.
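The redirect-chain flow described earlier and the URL-scanning gap Pixm notes here can be turned into a simple defender-side triage rule. The following is an added example, not Pixm’s tooling or code from the article: it scores a captured chain (a constructed sample, no network access) on whether it starts on one of the named app-hosting services, hops across several domains, and ends on a Facebook-branded password form hosted off facebook.com; the suffix lists, the placeholder hostnames and the two-finding threshold are assumptions.

```python
from urllib.parse import urlparse

# App-hosting services the article names as the first hop of the chain.
APP_HOSTING_SUFFIXES = ("glitch.me", "famous.co", "amaze.co")
# Hosts where a Facebook-branded password form is legitimate (assumption).
FACEBOOK_SUFFIXES = ("facebook.com", "fb.com", "messenger.com")


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any listed suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_chain(chain, landing_html):
    """Score a redirect chain (URLs in order, first = link from the DM) plus
    the landing page body; returns findings, hop count and a verdict."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if not hosts:
        return {"findings": findings, "verdict": "benign", "hops": 0}
    if host_matches(hosts[0], APP_HOSTING_SUFFIXES):
        findings.append("entry_on_app_hosting")
    # Hops that land on a different registrable domain than the previous one.
    domain_hops = sum(1 for a, b in zip(hosts, hosts[1:])
                      if registrable(a) != registrable(b))
    if domain_hops >= 2:
        findings.append("multi_domain_redirect_chain")
    html = landing_html.lower()
    branded_login = "facebook" in html and 'type="password"' in html
    if branded_login and not host_matches(hosts[-1], FACEBOOK_SUFFIXES):
        findings.append("facebook_branded_login_off_platform")
    verdict = "suspicious" if len(findings) >= 2 else "benign"
    return {"findings": findings, "verdict": verdict, "hops": len(chain) - 1}


# Constructed sample: app-hosting entry link, an ad redirector, a lookalike.
SAMPLE_CHAIN = [
    "https://placeholder-app.glitch.me/start",
    "https://ads.example.net/click?cid=123",
    "https://secure-login.example.org/facebook/login.php",
]
SAMPLE_LANDING_HTML = ('<title>Log in to Facebook</title><form>'
                       '<input name="pass" type="password"></form>')
```

A real deployment would feed in the chain recorded by a sandboxed fetch of the DM link; the point is that the first hop alone looks clean, so the verdict must come from the whole chain.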

Pixm claims to have identified the individual behind the campaign and has turned over its evidence to INTERPOL and the Colombian Police, since the person it identified is believed to be operating from Colombia. Hopefully that means this massive campaign ends soon, but don’t expect it to be the last.

“As long as these domains remain undetected through the use of legitimate services, these phishing tactics will continue to thrive,” Pixm said. ®
