As phishing attacks continue to be a go-to for threat actors, one scam found that a user had stolen a million Facebook account credentials over a span of just four months. Anti-phishing company PIXM found that a fake login portal for Facebook was being used as a stand-in for the social network site’s landing page, and that users were entering their account information in an attempt to log in to the site only to have their information stolen.
“It’s impressive the amount of revenue that a threat actor can generate even without resorting to ransomware or other common forms of fraud like requesting gift cards or emergency PayPal requests,” said Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel. “With enough scale, even actions like advertising referrals that result in pennies can add up to amounts that become compelling for cybercriminals to exploit.”
The phishing tactics used to steal Facebook credentials
When PIXM took a further look into the fake landing page, it found “a reference to the actual server which is hosting the database server to collect users’ entered credentials”, which had been modified from that of the legitimate URL, and led to a series of redirects. Also within the code, PIXM discovered a link to a traffic monitoring application, which allowed the anti-phishing company to view the tracking metrics. This led to PIXM uncovering not only the traffic information from the cybercriminals page, but also a host of other fake landing pages as well.
“People often underestimate the value of their social media accounts, failing to enable MFA and otherwise protect their accounts from cybercriminals. Unfortunately, when bad actors take over an account, it is often used to attack their own friends and family,” said Erich Kron, security awareness advocate at KnowBe4. “Through the use of a real account that has been compromised, bad actors will use the trust inherent in a known connection to trick people into taking actions or risks they normally would not.”
The links were later found to be originating from Facebook itself, as threat actors would gain access to a victim’s account, then send harmful links en masse to the victim’s friend group to cultivate more account credentials. Using services like glitch.me, famous.co, amaze.co and funnel-preview.com, the websites would deploy and generate URLs of the fake Facebook landing page, thus tricking individuals into entering and having their account information stolen.
After further investigation the attacks appeared to be originating from a threat actor in Colombia, along with the email address of the person carrying out the attacks.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Ways to avoid falling victim to Facebook phishing
A major way to circumvent these attacks is by not clicking on links that seem phony or illegitimate, even if they seem to be coming from a friend or trusted source. Although someone close to you may send you a link, it does not necessarily mean it is coming from the actual person’s account, as evidenced by the large scale phishing attacks illustrated above.
“To remain safe, people should be aware of the type of fraud campaigns that cybercriminals are conducting and stay on guard,” Clements said. “Any unusual requests from social media contacts should be independently verified through a different means such as calling your friend to validate the action they requested was legitimate.”
One method for avoiding having your account compromised is by using MFA, which would require a code or string of numbers to be entered before someone could access your particular account. This can deter cybercriminals by not having all of the information needed to log in to a compromised account.
“To protect themselves against the threat, individuals should enable MFA on their accounts and should use unique and strong passwords for each account,” Kron said. “Individuals should always be cautious of unusual requests, posts or messages, even if sent by a trusted friend. If ever asked to verify themselves, people should ensure they look at the URL bar in the browser to ensure they are logging into the real website and not a lookalike.”