Facebook credentials are being stolen at an alarming clip by a large scale phishing campaign, according to anti-phishing platform Pixm.
Security researchers with the company have documented a credential harvesting campaign that has been active since late 2021, and has been highly successful in duping victims using an authentic-looking spoofed Facebook login page. The attacker makes use of links that appear to go to videos hosted on Facebook, and that ask for user Facebook credentials to display the video.
At least one million Facebook credentials stolen thus far, activity picked up in April-May
The first tip-off to the phishing campaign was the discovery of a fake Facebook login portal by a Pixm subscriber in September 2021. The same portal page continues to be used today; it closely resembles a standard login page, but asks the viewer (in red text across the top of the page) to enter their Facebook credentials to be allowed access to a video.
Via a link to a traffic monitoring application, the researchers discovered unauthenticated tracking metrics leading to hundreds of similar landing pages scattered about the web. They then discovered that the phishing campaign was growing exponentially; each new victim’s account was used to send the attack site links to that person’s friend list via Facebook Messenger.
The phishing campaign is able to get around automated Facebook security used to recognize when accounts are sending out malicious URLs to contacts. It does this with a link chain that begins with a legitimate app deployment service that then takes the target through several redirects before landing on the attack site. These services include glitch.me, famous.co, amaze.co, and funnel-preview.com; all whitelisted by Facebook as they are commonly used for legitimate purposes, and difficult to block without also crippling other traffic to legitimate apps. Facebook can block individual links once reported, but the attackers have an automated process that whips up a new link to replace the blocked one in mere minutes.
Facebook phishing campaign nearly quadruples in size from 2021 to 2022
Based on page views of these attack sites, the hackers made about 2.5 million attempts on Facebook users in 2021. This has increased to over 8.5 million attempts over a slightly longer period in 2022.
The researchers have found at least 400 Facebook usernames now passing malicious links in connection with the phishing campaign, each one ranging from several thousand to several million attempts. It is unclear exactly how much money the attackers are making from the campaign, but it is quite likely in the tens of millions of dollars generated since 2021. The money comes from legitimate ads placed on the chain of redirect pages that eventually take the victim to the attack site; one example listed by Pixm showed a Walmart ad being used.
Clues embedded in the phishing campaign’s redirect sequence point to a site called “BenderCrack.com” as being connected to the attackers. However, the site displays a notice that it was seized in January 2021, and that it formerly belonged to a Colombian national named Rafael Dorado who has been involved in traffic fraud and phishing attacks. Archived versions of the site from prior to the seizure reveal a contact phone number, which the researchers linked to various contact information that appears to belong to Dorado. It is still unclear if this person is involved in the current theft of Facebook credentials, but Pixm says that it has passed the information it gathered on to the Colombian police and INTERPOL.
There isn’t much immediate relief in sight, as the phishing campaign can continue to play “Whack A Mole” indefinitely with Facebook (and appears to be able to outpace them in generating new links). The best hope for bringing it to an end is in apprehending the perpetrator(s) and/or taking down their architecture. In the interim, users will need to protect their accounts by being extra cautious about any link that asks for Facebook credentials to gain access to a video. Enabling multi-factor authentication (MFA) will also help in preventing unauthorized account access if credentials are compromised.
As Erich Kron (security awareness advocate at KnowBe4) notes, victims of this scam are also likely not going to get very much help from Facebook if they fall for the fake login page: “Contacting a human for support at these huge social media organizations is nearly impossible, making it very difficult to have these compromised profiles shut down or returned to their rightful owner … People often underestimate the value of their social media accounts, failing to enable Multi-Factor Authentication (MFA) and otherwise protect their accounts from cybercriminals. Unfortunately, when bad actors take over an account, it is often used to attack their own friends and family … In some cases, this may be scams involving money transfers through various non-refundable services such as Cash App.”
In addition to the scale of the campaign and its rapid growth, the incident is noteworthy as a means for cyber criminals to make millions of dollars without ransomware, malware or theft of files. It does involve phishing and credential compromise, but the actual money end of the attack comes from legitimate web-based advertising. Though not yet verified, the numbers the scammers appear to be pulling down simply by stealing Facebook credentials compare favorably to what the biggest “scam as a service” outfits are making. As Chris Clements (vice president of solutions architecture at Cerberus Sentinel) observes, criminals are likely to come up with clever alternatives of this nature as the pressure on big money operations such as ransomware continues to ramp up: “It’s impressive the amount of revenue that a threat actor can generate even without resorting to ransomware or other common forms of fraud like requesting gift cards or emergency PayPal requests. With enough scale, even actions like advertising referrals that result in pennies can add up to amounts that become compelling for cybercriminals to exploit.”