Threat actors have managed to net a staggering $59 million and steal hundreds of millions of credentials in a massive ongoing Facebook phishing attack. Experts say it’s only getting bigger.
Facebook phishing operation still ongoing
Researchers at PIXM have recently discovered a phishing operation carried out on Facebook that may have already claimed $59 million and almost half a billion credentials. Worse, researchers at phishing prevention company PIXM say it will only become more extensive.
The malicious campaign was spotted nearing the end of last year. The operation had only been running since the final quarter of 2021 but has already shown its jaw-dropping potential and achieved immense success. PIXM found around 400 malicious landing pages, each with 2.7 million visitors in 2021. In 2022, the phish has already lured in around 8.5 million new visitors.
This Facebook phishing attack brings nothing new under the sun in terms of flow – like many other social media attacks, it consists of using a compromised account to send a malicious link via DM. If clicked on, the link redirects the recipient through malvertising pages and ultimately to a fake Facebook login page.
“PIXM detected a fake Facebook login portal that a user had attempted to visit in September of 2021. The volume of pages from this campaign would steadily rise, peaking in April and May of 2022. The image seen represents the structure of the landing page, which would remain almost completely unchanged until this very day, as the campaign continues to grow,” the PIXM post reads.
What makes the attack stand out is its ability to evade Facebook’s anti-phishing defenses by using app deployment services, such as glitch.me, famous.co, and amaze.co to begin the redirect chain.
“In terms of what lands in [FB user inboxes], it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well,” PIXM researchers noted.
A ginormous phish
This Facebook phishing campaign has not only kept operating after being exposed but has done so on a massive scale. PIXM discovered approximately 400 unique malicious landing pages. Analyzing an arbitrary sample of 17 of them, experts found that each had an average of 985,228 page views. That means a total of 399,017,673 visits for 400 pages.
“We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign,” PIXM wrote.
The threat actors, who allegedly spoke to an OWASP researcher towards the end of last year, claimed they made $150 for every 1,000 visits from Facebook users located in the US. That means a total financial damage of $59 million, but PIXM researchers believe the perpetrator was exaggerating. In any case, “the revenue is still likely staggering considering the size of the campaign,” PIXM added.
The blog post also warned that using app hosting services to escape URL blocking had gained traction.
“A majority of security suites which analyze domains for suspicious properties would allow a connection to these domains to proceed, as several key metrics of trustworthiness would be satisfied by the parent domain hosting the site (in every case, a completely legitimate web service). As long as these domains remain undetected by the use of legitimate services, these phishing tactics will continue to flourish.”
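The evasion PIXM describes works because URL filters score the registrable parent domain (glitch.me, famous.co, amaze.co) rather than the tenant-controlled subdomain that actually hosts the fake login page. The following is an added illustration of the defensive counterpart, not code from PIXM or from the article: it treats a tenant subdomain on a shared app-hosting platform as its own reputation unit and pulls such links out of a constructed proxy log for review. The platform list reuses the three domains named above; the log lines, usernames and hostnames are constructed for the example, and the parent-domain logic is a simplification (a production tool would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Apex domains of app-deployment services named in the article. The apex
# itself is legitimate; the risk lives in tenant-controlled subdomains.
SHARED_APP_HOSTS = {"glitch.me", "famous.co", "amaze.co"}

# Constructed sample of outbound-proxy log lines in "user url" form.
SAMPLE_LOG = """\
alice https://www.facebook.com/login.php
bob   https://fb-secure-login-verify.glitch.me/
carol https://glitch.me/
dave  https://docs.example.org/handbook
erin  https://acct-recovery-2022.amaze.co/fb
frank https://www.famous.co/
"""


def registrable_parent(host):
    # Simplification: the last two labels. Real deployments should consult
    # the Public Suffix List so that e.g. "co.uk" is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Decide which hostname a reputation check should be keyed on.

    For a tenant subdomain on a shared app-hosting platform the unit is the
    full hostname, so the trusted apex cannot vouch for the page. Elsewhere
    the registrable parent is used, as conventional filters do.
    """
    host = (urlparse(url).hostname or "").lower()
    parent = registrable_parent(host)
    tenant_label = host[: -len(parent) - 1] if host != parent else ""
    # "www" is treated as platform-owned, not as a tenant deployment.
    is_tenant = parent in SHARED_APP_HOSTS and tenant_label not in ("", "www")
    return {
        "host": host,
        "parent": parent,
        "reputation_unit": host if is_tenant else parent,
        "shared_host_tenant": is_tenant,
    }


def flag_tenant_urls(log_text):
    """Return (user, host) for every log line whose URL points at a tenant
    subdomain on a shared app-hosting platform."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        user, url = parts
        info = classify_url(url)
        if info["shared_host_tenant"]:
            hits.append((user, info["host"]))
    return hits


if __name__ == "__main__":
    for user, host in flag_tenant_urls(SAMPLE_LOG):
        print(f"review: {user} visited tenant site {host}")
```

Flagged hosts are candidates for a second-stage check (page content, screenshot, or a block on the full hostname), which is exactly the step that scoring only the parent domain skips.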
The cybersecurity firm claims to have found the person behind the malicious operation and has provided evidence to INTERPOL and the police in Colombia, where the person they identified reportedly operates from.
ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.