A new phishing campaign aims to hijack Facebook user accounts
Analysts at information security firm Trustwave have revealed a new phishing campaign that uses Facebook posts as part of its attacks to trick users into revealing their account credentials and personally identifiable information.
Analysts said the emails sent to the targets claimed copyright infringement in the recipients' Facebook posts and warned that their accounts would be deleted within 48 hours if they did not object.
The link to appeal the account deletion points to an actual Facebook post, which helps the attackers bypass email security solutions and ensures the phishing emails reach their targets' inboxes.
The Facebook post masquerades as a support page, using the Facebook logo to appear as if it is run by the company. However, the post contains a link to an external phishing site named after Meta, the company that owns Facebook, which reduces the chances of victims discovering the scam.
Trustwave's analysts found the following three URLs: meta[.]forbusinessuser[.]xyz/?fbclid=123, meta[.]forbusinessuser[.]xyz/main[.]php, and meta[.]forbusinessuser[.]xyz/checkpoint[.]php.
Analysts said the phishing sites were designed to look like the actual Facebook copyright complaint page and included a form asking victims to enter their full name, email address, phone number and username.
When this data is submitted, the site also collects the victim's IP address and geolocation information and forwards everything to a Telegram account under the attacker's control. The attacker can use the additional information to bypass fingerprint protection or security questions while taking control of the victim's Facebook account.
Meanwhile, a redirect leads the victim to the next phishing page, which displays a fake 6-digit OTP request with a timer. Whatever code the victim enters, the page returns an error. When the "Do you want another way to verify?" option is clicked, it takes the victim to the actual Facebook page.
Trustwave's analysts also discovered that the attackers were using Google Analytics on their phishing sites to help them track the effectiveness of their campaigns.
Trustwave said it found several Facebook accounts using fake posts to pose as support pages and direct victims to phishing sites.
The posts used URL shorteners to link to phishing sites to avoid being identified and deleted by Facebook.
Victims can reach these posts through phishing emails (as in the campaign described in this report) or through Facebook instant messaging.
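A defender-side check for the pattern described above, where the emailed link is a genuine Facebook post and only the next hop leaves Meta's domains. This is an added example, not Trustwave's code. The allowlist, the two-label domain rule and the sample Facebook post URL are assumptions; the three defanged URLs are the ones listed in the article.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of Meta-owned registrable domains.
OFFICIAL = {"facebook.com", "fb.com", "meta.com"}
BRAND_TOKENS = {"meta", "facebook"}  # brand names a lookalike host may embed

# Defanged URLs as listed in the article.
ARTICLE_IOCS = [
    "meta[.]forbusinessuser[.]xyz/?fbclid=123",
    "meta[.]forbusinessuser[.]xyz/main[.]php",
    "meta[.]forbusinessuser[.]xyz/checkpoint[.]php",
]
# Constructed stand-in for the genuine Facebook post linked from the email.
SAMPLE_POST = "https://www.facebook.com/permalink.php?story_fbid=0&id=0"


def refang(ioc: str) -> str:
    """Undo '[.]' defanging and drop stray spaces/brackets left by copy-paste."""
    cleaned = ioc.replace("[.]", ".").replace("[", "").replace("]", "")
    cleaned = "".join(cleaned.split())
    return cleaned if "://" in cleaned else "http://" + cleaned


def registrable(host: str) -> str:
    """Naive last-two-labels rule (assumption); use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str) -> str:
    host = (urlsplit(refang(url)).hostname or "").lower()
    if registrable(host) in OFFICIAL:
        return "official"
    # Match whole hyphen-separated words so 'metadata' is not flagged as 'meta'.
    words = {w for label in host.split(".") for w in label.split("-")}
    return "brand-lookalike" if words & BRAND_TOKENS else "unrelated"


def first_offsite_hop(chain: list[str]) -> int:
    """Index of the first hop outside the allowlist, or -1 if every hop is official."""
    for i, url in enumerate(chain):
        if classify(url) != "official":
            return i
    return -1


if __name__ == "__main__":
    chain = [SAMPLE_POST, ARTICLE_IOCS[0]]
    print([classify(u) for u in chain], first_offsite_hop(chain))
```

A filter that inspects only the emailed link sees the first hop and classifies it as official, so the check has to be applied to the links inside the post as well.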