Cyber Attack

New Cyber Attack Targeting Facebook Business Accounts

The email campaign impersonates the Facebook Ads Team to trick users into clicking a malicious link, as the email leverages social engineering tactics like sender name spoofing and urgency to appear legitimate. 

Grammatical errors and a suspicious link embedded in a button are giveaways of the phishing attempt. Hovering over the button reveals the true malicious URL, containing nonsensical subdomains and a likely form for stealing user information. 

Phishing email that reached a user’s inbox.

A phishing campaign targets business accounts associated with Meta (Facebook), and the attack uses various email subjects (e.g., policy violations and account deletion) to entice recipients into clicking.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

The click likely leads to a fraudulent webpage designed to harvest sensitive account information, ultimately compromising the target business account, and the email serves as the initial infection vector, followed by a series of technical steps that culminate in full account takeover. 

The landing page is the first page that users will see after interacting with the phishing URL.

Phishing emails with links to Netlify or Vercel-hosted pages lure users to a fake account recovery process. The landing page is designed to steal Meta account information, including email, phone number, and potentially financial details.  

Following that, the phishing site gathers the user’s password and exploits a weakness in multi-factor authentication by requesting two consecutive codes, effectively bypassing MFA and compromising the account. 

Breakdown of the full phishing infection chain.

A Cofense analyst discovered a threat actor’s infrastructure containing Vietnamese-to-English translated redirects, as these redirects link to services the actors use: Netlify for link creation, Microsoft email login for Hotmail access, and two spreadsheets. 

One spreadsheet tracks profits and costs, indicating financial motives. The other locked spreadsheet likely contains targeted countries whose exposed infrastructure suggests the actors planned further attacks after compromising business ad accounts. 

Threat actor resources, infrastructure, and tools used in this campaign.

The website provides tools for attackers to automate phishing campaigns. One tool converts text input to a CSV file, likely for data manipulation, and another tool, “Check Links,” offers a list of active phishing URLs and can automatically check if they’re still operational. 

“TEXT emails to countries” generate phishing emails based on user-selected criteria, including target country, email theme (e.g., policy violation), and desired phishing link, which streamlines phishing attacks by automating data processing, URL verification, and email generation. 

Results from the URL input showing if active or dead.

A cybersecurity report identified Meta as the second-most impersonated brand in credential phishing attacks during Q1 2024, where cybercriminals frequently disguise their emails as coming from Meta, likely targeting Meta business accounts. 

The prevalence of meta spoofing follows Microsoft, a well-established target due to its widely used email services. It highlights the technique of spoofing popular brands for phishing campaigns, aiming to exploit user trust and steal login credentials.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Sujatha

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.

Recent Posts

Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently. These bots can…

31 mins ago

Discord-Based Malware Attacking Orgs Linux Systems In India

Linux systems are deployed mostly in servers, in the cloud, and in environments that are…

36 mins ago

New Moonstone Sleet North Korean Actor Deploying Malicious Open Source Packages

In December 2023, we reported on how North Korean threat actors, particularly Jade Sleet, have…

3 hours ago

Life360 Breach: Hackers Accessed the Tile Customer Support Platform

Life360, a company known for its family safety services, recently fell victim to a criminal…

5 hours ago

Microsoft Delays Release of Controversial Windows AI Recall Tool Amid Privacy Concerns

Microsoft has announced that it will delay the broad release of its AI-powered Recall feature…

9 hours ago

SmokeLoader – A Modular Malware With Range Of Capabilities

Hackers misuse malware for diverse illicit intentions, including data theft, disrupting systems, espionage, or distortion…

22 hours ago