A recent phishing campaign has been targeting Facebook users with fake copyright infringement notices, aiming to steal their login credentials.
This sophisticated scam has been sent to over 12,279 email addresses, primarily affecting enterprises across the EU, US, and Australia.
The campaign uses legitimate services like Salesforce to send emails, making them appear more authentic.
The phishing emails are designed to look like official notifications from Facebook, claiming that the recipient’s account has been flagged for copyright infringement under the Digital Millennium Copyright Act (DMCA).
Check Point analysts discovered that these emails often reference well-known companies like Universal Music Group as the complainant.
The messages create a sense of urgency by stating that the account may face restrictions if the issue is not resolved promptly.
Sample Email:
Hello,
This is your final notice regarding a copyright infringement claim filed under the Digital Millennium Copyright Act (DMCA) against your personal account. It has been reported that your recent activity might be in violation of copyright laws.
You must contest this claim before the end of business on December 20, 2024. If you believe this claim is mistaken or you have legal rights to the content, you need to submit an appeal immediately. Failing to act by the deadline will lead to permanent restrictions on your account.
Appeal the report
These emails typically include a link to “appeal” the claim, which leads to a fake Facebook support page. This page prompts users to input their login credentials, which are then captured by the cybercriminals.
noreply@salesforce.com) without breaching Salesforce’s security systems.
This phishing campaign poses significant risks for businesses that rely on Facebook for advertising, customer engagement, or as a storefront.
If a Facebook admin account is compromised, cybercriminals can alter content, manipulate messaging, or delete posts.
This can lead to loss of client trust and potential legal issues, especially for businesses in regulated industries like healthcare and finance.
To avoid falling victim to this phishing threat, organizations should set up alerts for suspicious logins and unusual activity.
They should also educate employees to verify their account status directly on Facebook instead of clicking email links, inform customers about the proper channels for business communications, and develop an incident response plan to quickly recover compromised accounts and update customers if necessary.
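The traits described above (a Facebook-branded notice sent from noreply@salesforce.com, DMCA deadline wording, and an "appeal" link that leaves Facebook's domains) can be checked at the mail gateway. The following is an added example, not code from Check Point or from the original article; the sample message, the domain allowlist and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the email quoted above; the display name,
# recipient and link host are placeholders, not indicators from the campaign.
SAMPLE = """\
From: Facebook <noreply@salesforce.com>
To: admin@example.com
Subject: Final notice: copyright infringement claim

This is your final notice regarding a copyright infringement claim filed under
the Digital Millennium Copyright Act (DMCA) against your personal account.
Failing to act by the deadline will lead to permanent restrictions on your account.
Appeal the report: https://appeal-support.example.net/facebook/login
"""

# Assumption: the domains your organisation accepts as genuinely Facebook.
BRAND_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")
LURE_TERMS = ("copyright infringement", "dmca", "final notice", "permanent restrictions")

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(raw):
    """Return the list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = " ".join(f"{display} {msg.get('Subject', '')} {body}".lower().split())
    findings = []
    # 1. The message claims to be Facebook but was sent from another domain.
    if "facebook" in text and not under(addr.rpartition("@")[2], BRAND_DOMAINS):
        findings.append("brand_sender_mismatch")
    # 2. The DMCA / deadline wording the campaign relies on for urgency.
    if sum(term in text for term in LURE_TERMS) >= 2:
        findings.append("dmca_urgency_lure")
    # 3. Links that leave the brand's domains (the fake "appeal" page).
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname
        if not under(host, BRAND_DOMAINS):
            findings.append(f"offbrand_link:{host}")
    return findings

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

Because the messages are sent through a legitimate service, sender authentication alone may not flag them; the mismatch between the claimed brand, the sending domain and the link destination is the signal this check relies on.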