Facebook Phishing Scam Steals Millions of Credentials

Researchers at PIXM have uncovered a major Facebook Messenger phishing scam that’s “potentially impacted hundreds of millions of Facebook users.” More than eight million people have visited just one of these phishing pages so far this year.

“While viewing the Yearly Views page, we see 2.7 million users visited one of their pages in 2021, and around 8.5 million so far in 2022,” the researchers write. “This represents tremendous growth in the campaign from 2021 to 2022.”

The threat actors used compromised Facebook accounts to spread the phishing pages through Facebook Messenger.

“It appeared evident that these links originated from Facebook itself,” the researchers write. “That is, a user's account would be compromised and, in a likely automated fashion, the threat actor would log in to that account, and send out the link to the user's friends via Facebook Messenger. Facebook's internal threat intelligence team is privy to these credential harvesting schemes; however, this group employs a technique to circumvent their URLs from being blocked. This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link. After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it's a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”

Notably, the campaign used automation to cycle through different phishing pages, which enabled it to avoid detection by security technologies.

“Once one of [the URLs] was found and blocked, it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID,” the researchers write. “We would often observe several used in a day, per service.... The use of these services allows the threat actors' links to remain undetected and unblocked by Facebook Messenger (and by domain reputation services) for long periods of time. This approach has yielded enormous success for the threat actor.”
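The two quoted passages above describe why a blocklist keyed on the first-hop URL fails: the first hop lives on a legitimate service and its unique ID is regenerated as soon as one is blocked, while the credential-harvesting landing page behind it stays the same. The following is an added example (not code from PIXM, KnowBe4 or Facebook) of the defender-side check this implies: resolve the whole redirect chain offline and make the block/allow decision on the final landing host. The redirect table, the `.test` hostnames, the trusted-service suffix and the blocklist are all constructed stand-ins; nothing here comes from the report.

```python
"""Judge a link by where its redirect chain ends, not by its first hop.

Added example. REDIRECTS stands in for the Location headers a URL
resolver would observe; every hostname below is constructed and
hypothetical (.test TLD), not taken from PIXM's report.
"""
from urllib.parse import urlparse

# Constructed redirect table: source URL -> next hop (as a 30x Location).
REDIRECTS = {
    # Campaign-style chain: legitimate launcher -> shortener -> harvesting page.
    "https://deploy.example-apps.test/a1b2c3": "https://shortlink.example-apps.test/r/9f8e",
    "https://shortlink.example-apps.test/r/9f8e": "https://login-secure.example-harvest.test/fb",
    # Same landing page, freshly minted launcher ID after the first was blocked.
    "https://deploy.example-apps.test/d4e5f6": "https://login-secure.example-harvest.test/fb",
    # A benign app on the same service, staying on-platform.
    "https://deploy.example-apps.test/ok": "https://docs.example-apps.test/getting-started",
    # A redirect loop, which a resolver must terminate on.
    "https://deploy.example-apps.test/loop1": "https://deploy.example-apps.test/loop2",
    "https://deploy.example-apps.test/loop2": "https://deploy.example-apps.test/loop1",
}

# Hypothetical legitimate deployment service: cannot be banned outright
# without breaking real apps (the page's "first link in the redirect chain").
TRUSTED_SERVICE_SUFFIXES = ("example-apps.test",)

# Hypothetical blocklist of known credential-harvesting landing hosts.
BLOCKED_LANDING_HOSTS = {"login-secure.example-harvest.test"}

# The approach the campaign defeats: exact-match blocking of first-hop URLs.
KNOWN_BAD_FIRST_HOPS = {"https://deploy.example-apps.test/a1b2c3"}

MAX_HOPS = 10


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted_service(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SERVICE_SUFFIXES)


def naive_verdict(url):
    """First-hop blocklist: a new unique ID on the same service slips through."""
    return "block" if url in KNOWN_BAD_FIRST_HOPS else "allow"


def resolve_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow hops until none remain. Returns (chain, status) with status
    'resolved', 'loop' or 'too_long'; loops and over-long chains are
    reported rather than followed forever."""
    chain, seen = [url], {url}
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        if len(chain) >= max_hops:
            return chain, "too_long"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "resolved"


def classify(url, redirects=REDIRECTS):
    """Decide on the landing host: block known harvesting hosts, flag a
    trusted launcher that bounces off-platform or never settles, allow the rest."""
    chain, status = resolve_chain(url, redirects)
    first_host, final_host = host_of(chain[0]), host_of(chain[-1])
    verdict = {
        "hops": len(chain) - 1,
        "status": status,
        "first_hop_trusted": is_trusted_service(first_host),
        "final_host": final_host,
    }
    if status != "resolved":
        verdict["action"] = "review"
    elif final_host in BLOCKED_LANDING_HOSTS:
        verdict["action"] = "block"
    elif verdict["first_hop_trusted"] and not is_trusted_service(final_host):
        verdict["action"] = "review"
    else:
        verdict["action"] = "allow"
    return verdict


if __name__ == "__main__":
    for u in ("https://deploy.example-apps.test/a1b2c3",
              "https://deploy.example-apps.test/d4e5f6",
              "https://deploy.example-apps.test/ok",
              "https://deploy.example-apps.test/loop1"):
        print(f"{u}\n  first-hop list: {naive_verdict(u)}\n  chain-based:    {classify(u)}")
```

The contrast worth noting is the second launcher ID (`d4e5f6`): the first-hop blocklist passes it because the URL is new, while chain resolution blocks it because the landing host has not changed. In production the `REDIRECTS` lookup would be replaced by an actual fetch with redirects disabled and a hop limit, and the landing-host decision fed by a reputation source; the decision logic stays the same.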

New-school security awareness training can enable your employees to thwart these types of phishing attacks.

PIXM has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

Topics: Phishing
