The Makings of a Million-Dollar Facebook Phishing Campaign
How a Threat Actor Stole Credentials, Evaded Security Teams and Made Money Via Ads
A massive phishing campaign used stolen credentials to log into Facebook user accounts and send links to phishing pages to the victims' friends in order to harvest their credentials, say researchers at PIXM, a New York-based cybersecurity firm that focuses on artificial intelligence.
The campaign, which is reported to have deceived "hundreds of millions" of users of the social media platform via its instant messaging service Messenger, has been active since the fourth quarter of 2021, the researchers say.
PIXM discovered the scam when a victim attempted to visit one of the phishing links - a fake Facebook login portal - in September 2021. The report does not specify why the researchers have only now released their findings. To date, the landing page for this phishing website looks the same, the researchers say.
Impact of the Phishing Campaign
The number of phishing pages used by this campaign has increased, and the highest volumes were reported in April and May 2022, according to the researchers, who do not share the exact numbers.
The researchers say 2.7 million users visited one of the threat actor's phishing pages in 2021, and by June 2022, that number had jumped to 8.5 million. They also found 400 unique usernames that each had a separate Facebook phishing landing page used in the campaign. These phishing pages have page views ranging from 4,000 to 6 million.
"When taking an average from just 17 random usernames, we see each unique username receiving 985,228 page views so far. Some of these usernames are still being used - live stats can be viewed by navigating to whos.amung.us/stats/[username]," the researchers say.
Tracking the Threat Actor
The researchers say they found a common code snippet during their investigation of the phishing pages. The snippet contains a Spanish phrase that translates to: "Developed by Bendercrack.com." This website domain allegedly belonged to a Colombian national and has already been seized by law enforcement authorities as part of an ongoing investigation, the researchers say.
An investigation of the website's archived copies led to the discovery of a phone number and an email address. The researchers say these enabled them to locate the alleged threat actor's legitimate web development businesses and office locations in Colombia, several old sites for his other offerings - including Facebook-like bots, hacking services and other illicit web businesses - and various aliases the alleged threat actor uses online.
These and other relevant details have been shared with the Colombian Police and Interpol, the researchers say. PIXM, the Colombian police and Interpol have not responded to ISMG's requests for additional information on whether this individual is indeed behind the attacks or if he has been charged.
Although Facebook's internal threat intelligence team has been privy to the scheme, not much could be done to stop the scam, the researchers say.
This is because the server hosting the phishing websites' database has "always" been different from the original URL the user visits, and the victim only lands on the phishing page after a "series of redirects," the researchers say. The threat actor also uses legitimate app deployment services to craft the messages he sends to victims, so Facebook would have to block not only the offending links but also legitimate links generated by the same app deployment service, according to the researchers. They say the app deployment services used by the threat actor include glitch.me, famous.co, amaze.co and funnel-preview.com.
"While the threat actor was using my.famous.co, for example, the link to their site would simply be my.famous.co/*unique ID*. Once one of them was found and blocked, it was trivial to spin up a new link using the same service, with a new unique ID," the researchers say.
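The blocking problem described above, as an added example that is not part of PIXM's report or any Facebook tooling: a small resolver that walks a redirect chain offline and reports the final landing host, which is the host a defender should flag or block, rather than the shared deployment-service domain of the first link. The redirect map, the tracker and lookalike hostnames (all under the reserved `.invalid` TLD) and the `follow_chain`/`classify` helpers are constructed for this example; the only values taken from the article are the four deployment-service domains.

```python
"""Resolve a redirect chain offline and decide which host to act on.

Added example, not code from the article or the researchers. Live HTTP
30x responses are replaced by a constructed in-memory map of
'URL -> Location header' so the example runs without network access.
"""
from urllib.parse import urljoin, urlparse

# Constructed stand-in for live redirect responses: each key redirects to
# its value. The tracker and lookalike hosts are placeholders under the
# reserved .invalid TLD, not real indicators from the article.
REDIRECTS = {
    "https://my.famous.co/abc123": "https://example-tracker.invalid/go?x=1",
    "https://example-tracker.invalid/go?x=1": "/landing",  # relative Location
    "https://example-tracker.invalid/landing": "https://fb-login-lookalike.invalid/login.php",
}

# Legitimate deployment services the article says were abused as first hops.
SHARED_HOSTING = {"glitch.me", "famous.co", "amaze.co", "funnel-preview.com"}

MAX_HOPS = 10  # assumption: a sane ceiling for a redirect chain


def follow_chain(start, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with `start`.

    Relative Location headers are resolved against the current URL, loops
    raise ValueError, and chains longer than `max_hops` are rejected.
    """
    chain = [start]
    current = start
    for _ in range(max_hops):
        location = redirects.get(current)
        if location is None:          # no redirect: this is the landing page
            return chain
        nxt = urljoin(current, location)
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
        current = nxt
    raise ValueError("too many redirects starting from " + start)


def registrable(host):
    """Crude registrable-domain guess (last two labels); adequate for the
    hosts in this demo, not a substitute for a public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(chain):
    """Summarise a resolved chain for a blocklist decision.

    Blocking the shared service's domain would also block legitimate apps
    deployed there, so the block target is the final landing host whenever
    it differs from the first hop.
    """
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    return {
        "first_host": first_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        "first_hop_on_shared_service": registrable(first_host) in SHARED_HOSTING,
        "block_target": final_host if final_host != first_host else None,
    }


if __name__ == "__main__":
    resolved = follow_chain("https://my.famous.co/abc123")
    for i, url in enumerate(resolved):
        print(f"hop {i}: {url}")
    print(classify(resolved))
```

Run against the constructed map, the chain is three hops long, starts on famous.co and lands on the lookalike host, so the decision output names the lookalike host as the block target instead of the deployment service. Feeding the same function real `Location` headers captured in a sandbox gives the landing host that detection rules should key on.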
Facebook did not immediately respond to Information Security Media Group's request for additional information.
In 2021, Open Web Application Security Project researcher Mantas Sasnauskas, who was investigating this campaign, learned that the threat actor claimed to make approximately $150 for every 1,000 visits to his phishing pages from the United States.
"With an estimated total of 399,017,673, that would put this threat actor's projected revenue at nearly $59 million from Q4 2021 to present. We think it's safe to assume this threat actor is, well, probably exaggerating quite a bit, but the revenue is still likely staggering considering the size of the campaign," the PIXM researchers say.
The threat actor also made money by using a "combination of ad tracking tools on the landing pages and the redirects after a user enters their credentials on the phishing page," according to the researchers. "These pages will typically route to a malvertising or advertising page prompting additional interaction from the user, which the threat actor collects referral revenue from."