A phishing campaign that began near the end of 2021 has been highly successful at nabbing Facebook credentials, racking up over a million just in the last four months. The campaign tricks victims with an authentic-looking link to a video hosted on Facebook, prompting them for their site username and password to access it.
Phishing campaign grows exponentially, experiences high rate of success
As phishing campaigns go, this particular scheme is doing very well for itself. It is experiencing a relatively high rate of success, with security researchers tracking about 8.5 million attempts on Facebook users this year, on top of about 2.5 million attempts to snatch Facebook credentials in 2021.
Unlike some phishing campaigns, the attackers do not necessarily need to compromise the victim to make a profit. The supposed link to a Facebook video actually takes the target on a journey of several redirects before landing on the attack site, and those redirects are sprinkled with legitimate ads meant to make money for the attacker. Should the victim enter their Facebook credentials at the fake login page, all of their contacts on the site will have a similar link sent to them. The chain of profit is thus growing exponentially, though security researchers say only about 400 Facebook usernames are originating the malicious links.
It is unclear who is behind the phishing campaign, but security researchers have found clues in these redirect chains that point to a Colombian spammer and hacker who has been involved in prior fraud campaigns. Getting to the people behind the campaign and their infrastructure is important because the campaign cleverly makes use of legitimate link shortening services that are whitelisted by Facebook to constantly generate new attack links, so that Facebook cannot simply block the source of the links. In the interim, the scammers are estimated to be making millions of dollars off of the theft of Facebook credentials.
Facebook credentials stolen at an alarming rate in recent months
The phishing campaign began in September 2021 and has not changed since, redirecting targets to the same authentic-looking login page that asks for Facebook credentials. The actual shortened link that enters people into the redirect chain and the URL of the attack site are the only things that change over time. There are reportedly hundreds of these fake login pages floating around the internet at this point, with the criminals generating new ones as old links get shut down or blocked by Facebook.
Facebook users should be wary of links that purport to go to videos but come from a URL shortening service (glitch.me, famous.co, amaze.co, and funnel-preview.com were all mentioned by the security researchers as being used by the attackers). This caution should extend even to their known Facebook Messenger contacts, particularly if they send a seemingly random video out of nowhere. Another sign that the link is bogus is if it redirects to sites other than Facebook; these sites will likely contain advertisements from legitimate companies.
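As an added example (not part of the original article), the following Python checker applies the article's warning signs to a recorded redirect chain: a shared link that starts at one of the shortener domains the researchers named, hops that leave Facebook for third-party (ad) sites, and a login prompt served from a host that is not Facebook. The list of legitimate Facebook hosts and the sample chains are constructed assumptions, not data from the article.

```python
from urllib.parse import urlparse

# Shortener domains the researchers named as abused by this campaign (from the article).
CAMPAIGN_SHORTENERS = {"glitch.me", "famous.co", "amaze.co", "funnel-preview.com"}
# Hosts where a genuine Facebook video or login prompt may live (assumed list, not from the article).
LEGIT_FACEBOOK = {"facebook.com", "fb.com", "messenger.com"}

def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()

def same_site(host, domain):
    """True for the domain itself or a real subdomain; 'facebook.com.evil.example' does not match."""
    return host == domain or host.endswith("." + domain)

def is_facebook(host):
    return any(same_site(host, d) for d in LEGIT_FACEBOOK)

def assess_redirect_chain(chain):
    """Apply the article's warning signs to a recorded hop list (first = shared link, last = landing).
    Verdict: 'no indicators', 'caution' (one flag) or 'suspicious' (two or more flags)."""
    hosts = [host_of(u) for u in chain]
    flags = []
    if any(same_site(hosts[0], d) for d in CAMPAIGN_SHORTENERS):
        flags.append("shared link uses a shortener named in the campaign")
    # A link sold as a Facebook video should not bounce through third-party (ad) sites.
    detours = [h for h in hosts[1:] if not is_facebook(h)]
    if detours:
        flags.append(f"{len(detours)} hop(s) after the shared link leave Facebook")
    last = urlparse(chain[-1])
    asks_for_login = any(k in (last.path + "?" + last.query).lower() for k in ("login", "signin", "password"))
    if asks_for_login and not is_facebook(hosts[-1]):
        flags.append("login prompt served from a non-Facebook host")
    verdict = ("no indicators", "caution", "suspicious")[min(len(flags), 2)]
    return {"verdict": verdict, "flags": flags}

# Constructed sample chains (not real campaign URLs); .example hosts are placeholders.
PHISH_CHAIN = [
    "https://famous.co/v/9f3kq",
    "https://ads-redirector.example/click?campaign=7",
    "https://facebook.com.watch-video.example/login.php?next=video",
]
BENIGN_CHAIN = ["https://l.facebook.com/l.php?u=x", "https://www.facebook.com/login/?next=watch"]

if __name__ == "__main__":
    for chain in (PHISH_CHAIN, BENIGN_CHAIN):
        print(assess_redirect_chain(chain))
```

The `same_site` check deliberately refuses lookalike hosts such as `facebook.com.watch-video.example`, which is the kind of name a fake login page can use while still reading as "facebook.com" to a hurried user.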