Phishing Campaign Leverages Facebook Posts to Bypass Email Security

Researchers have discovered a new phishing campaign leveraging Facebook posts to bypass email security checks, collect users’ information, and take over accounts.

Dubbed Meta-Phish, the campaign sends fake copyright infringement notices warning Facebook users that their accounts will be deleted within 48 hours unless they appeal the decision.

TrustWave SpiderLabs researchers identified several Facebook pages, accounts, and external domains involved in the phishing campaign.

Phishing campaign leverages Facebook posts and shortened URLs to bypass email security checks

According to the researchers, the appeal link in the email points to a genuine Facebook post on facebook.com, so the URL passes domain-reputation checks and the phishing message lands in users' inboxes. The malicious link is not in the email at all; it sits one hop further along, in the post itself.

Threat actors also created a fake “Page Support” page with a Facebook logo and a convincing copyright violation message to trick users further. These fake pages can easily be found on Facebook by searching “appeal form.”

That Facebook post in turn links to an external phishing site on a domain chosen to resemble Facebook's parent company Meta, such as hxxps://meta[.]forbusinessuser[.]xyz. The fake appeal page mimics Facebook's copyright appeal form and requests personal information, which is exfiltrated as soon as the user clicks the Send button.

According to the researchers, the attackers target Facebook account credentials and personally identifiable information such as full name, phone number, Facebook name, and username. The phishing kit also collects the victim's IP address and geolocation and sends everything to a Telegram channel through the Telegram bot API over HTTPS, using the ipinfo.io geolocation service to map the victim's IP to a geographical region.
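The exfiltration chain described above (an ipinfo.io lookup followed by a POST to the Telegram bot API) is visible from an enterprise web proxy if the phishing page makes those calls from the victim's browser. The following detection logic is an added example written for this article, not code from Trustwave or from the campaign; the proxy log format, the IP addresses, the hostnames and the bot token are all constructed. It correlates, per client, any hit on `api.telegram.org/bot<token>/send...` with a preceding ipinfo.io request inside a short window, and reports only the numeric bot ID so the token secret is not copied into alerts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log in the form "timestamp src method url status".
# Hosts, client IPs and the Telegram bot token are made up for this example.
SAMPLE_PROXY_LOG = """\
2023-01-10T10:15:01Z 10.0.0.5 GET https://www.facebook.com/permalink.php?story_fbid=123&id=456 200
2023-01-10T10:15:09Z 10.0.0.5 GET https://meta.forbusinessuser.xyz/appeal 200
2023-01-10T10:15:10Z 10.0.0.5 GET https://ipinfo.io/json 200
2023-01-10T10:15:31Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_abc/sendMessage 200
2023-01-10T10:16:00Z 10.0.0.7 GET https://ipinfo.io/json 200
2023-01-10T10:40:00Z 10.0.0.7 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_abc/sendMessage 200
2023-01-10T11:00:00Z 10.0.0.9 GET https://www.facebook.com/ 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
# Telegram bot tokens have the shape <numeric bot id>:<secret>; a page posting text
# to a chat uses the sendMessage method (sendDocument for files), hence "/send".
TELEGRAM_BOT_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/send", re.I)
IPINFO_RE = re.compile(r"^https://ipinfo\.io/", re.I)
# Hosts that belong to the exfil chain itself rather than to the phishing page.
INFRA_HOSTS = {"api.telegram.org", "ipinfo.io"}


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "method": m["method"],
        "url": m["url"],
        "host": (urlsplit(m["url"]).hostname or "").lower(),
    }


def find_exfil_chains(log_text, window=timedelta(seconds=120)):
    """Flag every client that called a Telegram bot endpoint.

    Severity is "high" when the same client looked itself up at ipinfo.io within
    `window` beforehand (the chain the article describes) and "medium" for a bare
    Telegram bot call, which is still unusual for an end-user browser. The other
    hosts seen in the window are returned too, since that is where the phishing
    page itself usually sits.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            m = TELEGRAM_BOT_RE.match(ev["url"])
            if not m:
                continue
            recent = [e for e in events[:i] if ev["ts"] - e["ts"] <= window]
            saw_ipinfo = any(IPINFO_RE.match(e["url"]) for e in recent)
            alerts.append({
                "src": src,
                "time": ev["ts"].isoformat(),
                "bot_id": m["bot_id"],  # the numeric ID is safe to log; the secret half is not
                "severity": "high" if saw_ipinfo else "medium",
                "hosts_in_window": sorted({e["host"] for e in recent if e["host"] not in INFRA_HOSTS}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_chains(SAMPLE_PROXY_LOG):
        print(alert)
```

The bot ID is worth keeping in the alert: a token is tied to one bot, so the same ID showing up from several clients or several phishing domains links those sightings to one operator without exposing the secret to everyone who reads the SIEM.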

To complete the attack chain, the attackers redirect the victim to a timed fake One Time Password (OTP) check page, with every code the user enters resulting in an error. However, the page also provides a “Need another way to Authenticate?” link. Clicking on the link opens a page with instructions to retrieve user-generated recovery codes and a “Get Code” button redirecting the victim to a legitimate Facebook login page.

According to the researchers, the phishing campaign uses newly registered domains, free web hosting sites, and URL shorteners to evade email security features and takedown by the social media platform. To sidestep email security checks altogether, the threat actors could also push the same Facebook posts to victims through the platform's own messaging feature.
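The three evasion layers described in this section and above (a facebook.com link in the email, a Meta lookalike domain behind the post, and URL shorteners in front of either) each defeat a different check, so a triage step should classify every URL rather than stop at the first reputable domain. The following classifier is an added example written for this article, not code from Trustwave; the sample email body, the post ID and the allowlist and shortener lists are constructed and illustrative. It refangs defanged indicators of the `hxxps://meta[.]forbusinessuser[.]xyz` form so the same code handles report text, separates Meta-owned registrable domains from brand lookalikes, and marks shorteners as unresolved rather than trusting them.

```python
import re
from urllib.parse import urlsplit

# Illustrative allowlist of registrable domains that actually belong to Meta; not authoritative.
META_DOMAINS = {"facebook.com", "fb.com", "fb.me", "facebookmail.com", "fbcdn.net",
                "meta.com", "instagram.com", "messenger.com", "whatsapp.com"}
# Constructed list of public shorteners; a real deployment would use a maintained feed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
# A brand word appearing as its own label (between dots or hyphens) on a domain Meta does not own.
BRAND_RE = re.compile(r"\b(meta|facebook|fb)\b", re.I)

# Constructed lure body: the facebook.com post URL is a made-up ID, the lookalike domain is the one
# quoted in the article, and the shortened link is invented.
SAMPLE_EMAIL = """Your page has been reported for copyright infringement.
Appeal within 48 hours or it will be permanently deleted:
https://www.facebook.com/permalink.php?story_fbid=123&id=456
Support: hxxps://meta[.]forbusinessuser[.]xyz/appeal
Alternative link: https://bit.ly/3xAbCdE
"""


def refang(text):
    """Turn defanged indicators (hxxps://, [.]) back into parseable URLs."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com/.xyz; use a public-suffix library for co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text):
    return re.findall(r"https?://[^\s<>\"']+", refang(text), flags=re.I)


def classify_url(url):
    """Return one of: meta_owned, shortener, brand_lookalike, other.

    meta_owned is not "safe": a real facebook.com post is exactly how this campaign gets
    past reputation checks, so the post's own outbound links still need to be fetched
    and classified. shortener means the destination is unknown until resolved.
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in META_DOMAINS:
        return "meta_owned"
    if reg in SHORTENERS:
        return "shortener"
    if BRAND_RE.search(host):
        return "brand_lookalike"
    return "other"


def triage_email(body):
    """Classify every URL in an email body, in order of appearance."""
    return [(url, classify_url(url)) for url in extract_urls(body)]


if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:16} {url}")
```

The point of the `meta_owned` verdict is that it is a reason to follow the link, not to stop: the email itself is clean by design, and the lookalike domain only appears once the facebook.com post is fetched and its outbound links are run back through the same classifier.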

The researchers also observed the threat actor using Google Tag codes to track the performance of the phishing campaign. Pivoting on those tag IDs in VirusTotal turned up several further domains linked to the Facebook phishing campaign. The researchers did not describe the scale of the campaign or how the attackers obtained users' email addresses, but they did identify several accounts posting copyright violation notices and multiple fake Facebook appeal pages.

A quick search on the social media platform also returns several public Facebook posts of users complaining about receiving copyright violation notices and others being hacked.

Using fear to trick users into clicking phishing links

According to James McQuiggan, a security awareness advocate at KnowBe4, fear is a powerful tool for tricking users into clicking on phishing links or downloading malicious attachments.

“In this case, they fear losing their Facebook account because of a bogus copyright issue. Users want to always not trust and verify emails by using this as a trigger to log into the social media platform for their link.”

McQuiggan explained that an authentic copyright violation notification would include an alert on the user’s profile.

Since email security features might fail to capture every phishing link, he advised users to rely on something other than links in an email and visit the actual app or website to confirm the source’s legitimacy.

TrustWave researchers warned users to be vigilant when responding to alleged copyright violation notifications to avoid falling victim to phishing attacks.

“This recent attack is very similar to a December 2020 phishing campaign that tricked users into giving scammers their account credentials for fear that their accounts would be disabled,” said Tonia Dudley, CISO at Cofense. “In this case, scammers alerted users to a copyright infringement issue and linked them to an external ‘support’ site named after Meta to reduce suspicion.”