New Cyber Attack Targeting Facebook Business Accounts

The email campaign impersonates the Facebook Ads Team to trick users into clicking a malicious link. The email relies on social engineering tactics such as sender name spoofing and urgency to appear legitimate.

Grammatical errors and a suspicious link embedded in a button are giveaways of the phishing attempt. Hovering over the button reveals the true malicious URL, which contains nonsensical subdomains and likely leads to a form for stealing user information.

Phishing email that reached a user’s inbox. 

The phishing campaign targets business accounts associated with Meta (Facebook) and uses various email subjects (e.g., policy violations and account deletion) to entice recipients into clicking.


The click likely leads to a fraudulent webpage designed to harvest sensitive account information, ultimately compromising the target business account. The email serves as the initial infection vector and is followed by a series of technical steps that culminate in full account takeover.

The landing page is the first page that users will see after interacting with the phishing URL. 

Phishing emails with links to Netlify or Vercel-hosted pages lure users to a fake account recovery process. The landing page is designed to steal Meta account information, including email, phone number, and potentially financial details.  

Following that, the phishing site gathers the user’s password and exploits a weakness in multi-factor authentication by requesting two consecutive codes, effectively bypassing MFA and compromising the account. 
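The two giveaways described above, a sender display name that claims Facebook and a button whose real target is a Netlify- or Vercel-hosted page, can be checked automatically at the mail gateway or during triage. The following Python sketch is an added example, not code from Cofense or from the campaign; the brand keyword list, the brand domain list, the hosting suffixes and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for this example; tune them to your own mail flow.
BRAND_WORDS = ("facebook", "meta")
BRAND_DOMAINS = ("facebook.com", "facebookmail.com", "fb.com", "meta.com")
FREE_HOSTING = ("netlify.app", "vercel.app")

def under(host, domains):  # host equals, or is a subdomain of, a listed domain
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class LinkCollector(HTMLParser):  # gathers the real href behind every <a>
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw_email):
    """Return (kind, detail) findings for one RFC 5322 message string."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    claims_brand = any(w in display.lower() for w in BRAND_WORDS)
    findings = []
    # Display name says Facebook/Meta, but the address is not on a brand domain.
    if claims_brand and not under(addr.rpartition("@")[2], BRAND_DOMAINS):
        findings.append(("sender-mismatch", addr))
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            links.feed(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    for href in links.hrefs:
        host = urlsplit(href).hostname or ""
        if under(host, FREE_HOSTING):
            findings.append(("free-hosting-link", host))
        elif host and claims_brand and not under(host, BRAND_DOMAINS):
            findings.append(("off-brand-link", host))
    return findings

# Constructed sample message, not taken from the campaign.
SAMPLE = """From: "Facebook Ads Team" <notice@mail-example.test>
Content-Type: text/html; charset="utf-8"

<a href="https://xk3-q9z-review.netlify.app/appeal">Verify</a> <a href="https://www.facebook.com/business/help">Help</a>
"""
```

Calling `triage(SAMPLE)` reports the sender mismatch and the Netlify-hosted link, while the genuine facebook.com link produces no finding.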

Breakdown of the full phishing infection chain. 

A Cofense analyst discovered a threat actor’s infrastructure containing Vietnamese-to-English translated redirects. These redirects link to services the actors use: Netlify for link creation, Microsoft email login for Hotmail access, and two spreadsheets.

One spreadsheet tracks profits and costs, indicating financial motives. The other locked spreadsheet likely contains targeted countries whose exposed infrastructure suggests the actors planned further attacks after compromising business ad accounts. 

Threat actor resources, infrastructure, and tools used in this campaign. 

The website provides tools for attackers to automate phishing campaigns. One tool converts text input to a CSV file, likely for data manipulation, and another tool, “Check Links,” offers a list of active phishing URLs and can automatically check if they’re still operational. 

“TEXT emails to countries” generates phishing emails based on user-selected criteria, including target country, email theme (e.g., policy violation), and desired phishing link. Together, the tools streamline phishing attacks by automating data processing, URL verification, and email generation.

Results from the URL input showing if active or dead. 

A cybersecurity report identified Meta as the second-most impersonated brand in credential phishing attacks during Q1 2024. Cybercriminals frequently disguise their emails as coming from Meta, likely targeting Meta business accounts.

Meta ranks behind Microsoft, a well-established target due to its widely used email services. The ranking highlights the technique of spoofing popular brands in phishing campaigns to exploit user trust and steal login credentials.


Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.