Researchers have uncovered a large-scale phishing campaign that abused Facebook and Messenger to trick millions of people into entering their account credentials and viewing adverts on phishing pages.
The campaign operators then used the stolen accounts to send more phishing messages to the victims' friends, generating large sums in online advertising commissions.
According to PIXM, a New York-based, AI-focused cybersecurity company, the campaign peaked in April and May 2022 but has been active since at least September 2021.
PIXM was able to track down the threat actor and map the campaign because one of the identified phishing URLs linked to a publicly accessible traffic-monitoring service (whos.amung.us).
Abuse on a massive scale
While the origin of the campaign is unknown, PIXM says victims reached the phishing landing pages through a chain of redirects that started from Facebook Messenger.
As more accounts were compromised, the threat actors used automated tools to send new phishing links to each compromised account's friends, producing a rapid increase in stolen accounts.
“A user’s account would be hacked, and the threat actor would check in to that account in a probable automated method and send out the link to the user’s friends via Facebook Messenger,” explains PIXM in the report.
Facebook has safeguards that block known phishing URLs, but the threat actors found a way around them.
The phishing messages used legitimate URL-generating services such as litch.me, famous.co, amaze.co, and funnel-preview.com, which are hard to block outright because legitimate apps also rely on them.
Because the campaign's statistics pages were accessible without authentication, the researchers could see that 2.7 million people had visited one of the phishing portals in 2021. That figure rose to 8.5 million in 2022, illustrating the campaign's rapid growth.
Digging deeper, the researchers identified 405 unique usernames used as campaign identifiers, each tied to its own Facebook phishing page. Page views on these phishing URLs ranged from 4,000 to millions, with one page reaching 6 million.
According to the researchers, these 405 usernames are only a small fraction of the accounts used in the campaign.
Once a victim enters their credentials on the phishing landing page, a second chain of redirects takes them to advertising pages, survey forms, and similar sites.
These redirects generate referral revenue for the threat actors, which at this scale is believed to run into the millions of dollars.
Identifying the threat actor
PIXM found a common code snippet on all of the landing pages that referenced a website seized as part of an investigation into a Colombian individual named Rafael Dorado.
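The pivot PIXM describes, a third-party resource (a traffic counter, a shared script) embedded in every landing page, is something a responder can hunt for across a set of saved phishing pages: extract every external resource each page loads, ignore well-known benign hosts, and keep only resources shared by more than one page. The script below is an added example, not PIXM's tooling. The four landing pages, the counter ID abc123, the seized.example domain and the whos.amung.us widget path are all constructed for illustration.

```python
"""Cluster saved phishing landing pages by the third-party resources they embed.

Added example; the sample pages, the counter ID and the domains are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Attribute values that make the browser fetch or post to another URL.
_RESOURCE_RE = re.compile(
    r"""(?:src|href|action)\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE
)


def extract_external_resources(html: str, page_host: str) -> set[tuple[str, str]]:
    """Return (host, path) for every resource the page loads from another host.

    The path is kept because counter and tracker IDs usually live in it.
    """
    found = set()
    for url in _RESOURCE_RE.findall(html):
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        if host and host != page_host.lower():
            found.add((host, parsed.path))
    return found


def cluster_by_shared_resource(
    pages: dict[str, str], ignore_hosts: set[str] = frozenset()
) -> dict[tuple[str, str], list[str]]:
    """Map each external resource to the pages embedding it; drop singletons and noise.

    ignore_hosts is an allowlist of benign hosts (fonts, CDNs) that would
    otherwise link unrelated pages together.
    """
    index = defaultdict(list)
    for page_url, html in pages.items():
        page_host = urlparse(page_url).netloc
        for resource in extract_external_resources(html, page_host):
            if resource[0] not in ignore_hosts:
                index[resource].append(page_url)
    # A pivot is only useful when more than one page shares it.
    return {res: sorted(urls) for res, urls in index.items() if len(urls) > 1}


# Constructed sample: three pages from one operator plus one unrelated page.
SAMPLE_PAGES = {
    "https://campaign-a.example/fb-login": """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://whos.amung.us/swidget/abc123"></script>
<script src="https://seized.example/common.js"></script></head>
<body><form action="https://campaign-a.example/collect" method="post">
<input name="email"><input name="pass" type="password"></form></body></html>""",
    "https://campaign-b.example/secure": """<html><head>
<script src="https://whos.amung.us/swidget/abc123"></script>
<script src="https://seized.example/common.js"></script></head>
<body><form action="https://campaign-b.example/collect" method="post">
<input name="email"><input name="pass" type="password"></form></body></html>""",
    "https://campaign-c.example/verify": """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://whos.amung.us/swidget/abc123"></script></head>
<body><form action="https://campaign-c.example/collect" method="post">
<input name="email"><input name="pass" type="password"></form></body></html>""",
    "https://unrelated.example/login": """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="https://unrelated.example/app.js"></script></head>
<body><form action="https://unrelated.example/session" method="post">
<input name="user"><input name="pw" type="password"></form></body></html>""",
}

BENIGN_HOSTS = {"fonts.googleapis.com"}


def main() -> None:
    clusters = cluster_by_shared_resource(SAMPLE_PAGES, BENIGN_HOSTS)
    for (host, path), urls in sorted(clusters.items()):
        print(f"{host}{path} shared by {len(urls)} pages:")
        for url in urls:
            print(f"    {url}")


if __name__ == "__main__":
    main()
```

Run against a directory of saved landing pages, the output ranks shared resources by how many pages embed them; the one with the widest spread and a distinctive ID is the pivot to follow, while anything in the allowlist is dropped before it can link unrelated sites. The allowlist matters: every page in the sample loads Google Fonts, and without it the unrelated login page would be pulled into the cluster.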
It’s unclear who took control of the domain and posted the message.
A reverse WHOIS search turned up links to a legitimate web development company in Colombia, as well as old websites selling Facebook “like bots” and hacking services.
PIXM shared the results of its investigation with the Colombian Police and Interpol. Although many of the identified URLs have since gone offline, the campaign is still ongoing.