A dangerous new phishing campaign targeting businesses that use Meta platforms for advertising has been discovered.
The scam begins with users receiving an urgent email claiming “YOUR ADS ARE TEMPORARILY SUSPENDED” due to alleged violations of Instagram’s Advertising Policies and EU regulations, including GDPR.
These messages create immediate concern for businesses that rely on social media marketing, prompting them to click on the included “Check more details” button to resolve the issue quickly.
The fraudulent emails are designed to appear legitimate at first glance, with Instagram branding and official-sounding language about policy violations.
However, closer inspection reveals the messages come from suspicious domains like “[email protected]” rather than official Meta addresses.
The email contains threatening language about account suspension and removal of promotional content to create urgency.
Cofense researchers found that upon clicking the deceptive link, users are redirected to a convincing but fake Meta Business page at “businesshelpmanager.com”, a URL that mimics legitimate Meta support sites.
The page warns that the account faces suspension and termination if action isn’t taken immediately.
What makes this attack particularly sophisticated is its two-pronged approach to account takeover. Users are either guided through a fake support chat experience or provided with step-by-step instructions claiming to help restore their account access.
In both cases, the end goal is the same – tricking users into adding the attacker’s authenticator app labeled “SYSTEM CHECK” as a two-factor authentication method for their Meta Business account.
The chat support experience is especially convincing, with attackers asking for business account screenshots, explaining the supposed violations, and requesting personal information from victims.
All of the interactions described in this report appear legitimate to unsuspecting users.
Technical Details of the Attack
The attack culminates when victims are instructed to click an “Activate System Check” button that resets their session and prompts them to enter their Facebook password on a convincing phishing page.
The attackers have created a highly detailed replica of Meta’s authentication system to harvest credentials.
The campaign uses multiple domain redirects and sophisticated social engineering techniques to bypass traditional security measures.
According to Cofense’s analysis, the attack infrastructure includes several IP addresses linked to the phishing domains, including 44.238.235.1 and 52.35.19.120.
To protect yourself, always verify the sender address of emails claiming to be from Meta, check URLs before entering credentials, and contact Meta directly through official channels if you suspect your advertising account has issues.
Never follow instructions to add unknown authenticator apps to your account, as this grants attackers persistent access even if you later change your password.
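The sender and URL checks recommended above can be automated during mail triage. The following Python example is added here and is not code from Cofense or Meta; the allowlist of Meta domains, the finding labels, and the sample message (its sender domain and URL path included) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains accepted as genuine Meta senders/links; adjust to local policy.
META_DOMAINS = {"facebook.com", "instagram.com", "meta.com", "facebookmail.com"}
# Indicators quoted in the article.
LURE_SUBJECT = "your ads are temporarily suspended"
KNOWN_BAD_HOSTS = {"businesshelpmanager.com"}
BRAND_WORDS = ("instagram", "meta", "facebook")

# Constructed sample: sender domain and URL path are placeholders, not from the report.
SAMPLE_PHISH = (
    "From: Instagram Support <notice@mailer.example>\n"
    "Subject: YOUR ADS ARE TEMPORARILY SUSPENDED\n"
    "\n"
    "Check more details: https://businesshelpmanager.com/case\n"
)

def is_under(host, domains):
    # Exact or true-subdomain match, so "instagram.com.evil.example" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").lower()
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = []
    # A message that uses Meta branding must come from a Meta-owned domain.
    if any(w in (display.lower() + " " + subject) for w in BRAND_WORDS) and not is_under(sender_domain, META_DOMAINS):
        findings.append("brand-claim-from-non-meta-sender")
    if LURE_SUBJECT in subject:
        findings.append("suspension-lure-subject")
    # Plain-text parts only; base64/quoted-printable parts would need decoding first.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if is_under(host, KNOWN_BAD_HOSTS):
            findings.append("known-phishing-host:" + host)
        elif not is_under(host, META_DOMAINS):
            findings.append("non-meta-link:" + host)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
```

A message with no findings is not thereby proven safe; the check only surfaces the mismatches the article tells readers to look for.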