Analysts at information security firm Trustwave have discovered a new phishing campaign that uses Facebook posts as part of its attack to trick users into giving up their account credentials and personally identifiable information.
Analysts said the emails sent to targets claim that one of the recipient’s Facebook posts infringes copyright and warn that the account will be deleted within 48 hours unless the recipient files an appeal.
The appeal link in the email leads to an actual post on Facebook, which helps the attackers bypass email security solutions and ensures the phishing messages reach the target’s inbox.
The Facebook post poses as a support page, using the Facebook logo to appear to be run by the company. However, the post includes a link to an external phishing site named after Meta, the company that owns Facebook, to reduce the chances that victims will discover the scam.
Trustwave analysts found the following three URLs: meta[.]forbusinessuser[.]xyz/?fbclid=123, meta[.]forbusinessuser[.]xyz/main[.]php, and meta[.]forbusinessuser[.]xyz/checkpoint[.]php.
Analysts said the phishing sites were carefully designed to look like the actual Facebook copyright appeal page and contained a form where victims were asked to enter their full name, email address, phone number, and username.
When the victim submits this data, the page also collects the victim’s IP address and geolocation information and sends everything to a Telegram account under the attackers’ control. The attackers may collect this additional information to bypass fingerprint protection or security questions while taking over the victim’s Facebook account.
Meanwhile, the redirect takes the victim to the next phishing page, which displays a fake request for a 6-digit OTP with a timer. Whatever code the victim enters results in an error, and clicking the option “Do you need another way to authenticate?” takes the victim to the actual Facebook site.
Trustwave’s analysts also discovered that attackers use Google Analytics on their phishing pages to help them track the efficiency of their campaigns.
Trustwave said it had found several Facebook accounts that were using fake posts to pose as support pages leading victims to phishing sites.
These posts use URL shorteners to link to phishing sites to avoid being recognized and removed by Facebook.
Victims may reach these posts via phishing emails, as in the case of the campaign presented in this report, or via instant messages received on Facebook.
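Because the emailed link is a real Facebook post, a check on that link alone sees a Meta-owned host; the landing URL behind the post is what gives the campaign away. The following triage sketch is an added example, not Trustwave's tooling. The allow-list, brand tokens, verdict names, and the `.example` test hosts are assumptions; the known-bad host comes from the URLs listed in this report.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as genuinely Meta-operated for this check.
LEGIT_DOMAINS = ("facebook.com", "fb.com", "meta.com")
# Brand words that are suspicious as a whole token in a non-Meta hostname.
BRAND_TOKENS = {"meta", "facebook"}
# Host taken from the three URLs listed in the report.
KNOWN_BAD_HOSTS = {"meta.forbusinessuser.xyz"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (a[.]b[.]xyz, hxxp://) back into a URL."""
    url = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host after a scheme
    return url


def host_of(ioc: str) -> str:
    """Lower-cased hostname of an indicator, or '' if it cannot be parsed."""
    try:
        return (urlsplit(refang(ioc)).hostname or "").rstrip(".").lower()
    except ValueError:  # e.g. a stray '[' left over from bad defanging
        return ""


def is_meta_owned(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(ioc: str) -> str:
    host = host_of(ioc)
    if host in KNOWN_BAD_HOSTS:
        return "known-ioc"
    if is_meta_owned(host):
        # Still needs a look at where the post itself links to.
        return "meta-owned"
    # Split on dots and hyphens so 'metadata' does not match 'meta'.
    if BRAND_TOKENS & set(re.split(r"[.\-]", host)):
        return "brand-lookalike"
    return "other"


if __name__ == "__main__":
    for sample in ("meta[.]forbusinessuser[.]xyz/main[.]php",      # from the report
                   "hxxps://www[.]facebook[.]com/permalink.php",   # constructed
                   "facebook.com.account-appeal.example/login"):   # constructed
        print(f"{classify(sample):16} {host_of(sample)}")
```

A "meta-owned" verdict means only that the host belongs to Meta, so mail pipelines that stop there will deliver this lure; the classification is most useful when applied to the outbound links found in the post as well.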