Once again, Facebook ads have been misused by cybercriminals in a large-scale phishing scam to steal victims’ login credentials.
Facebook seems to find itself involved one way or another in every second phishing scam out there. In the latest, researchers from ThreatNix have discovered a phishing campaign that was being run using Facebook ads and redirecting users to Github where the actual phishing pages resided.
The users targeted span from a number of countries including Egypt, the Philippines, Pakistan, and Nepal with more than 615,000 of them being affected in totality.
The phishing campaign is executed by Facebook ads posted from pages that aim to impersonate legitimate companies in order to avoid user suspicion. For example, there was an ad that was run under “Nepal Telecom’s” name and promised users 3 GB of free internet data.
When the users clicked on the attached link, a Github page (static) was opened which was in essence a Facebook login lookalike phishing page. If the user was fooled, the credentials would be sent to the attackers through a Firestore database and a domain hosted on GoDaddy.
Similar ads were found for each country with versions of the ad copy that has been localized in order to increase the conversion rate. Commenting on the technical aspect of how this evaded Facebook’s filters, the researchers state in a blog post that:
While Facebook takes measures to make sure that such phishing pages are not approved for ads, in this case the scammers were using Bitly link’s which initially must have pointed to a benign page and once the ad was approved, was modified to point to the phishing domain.
On the other hand, this campaign seems more spread than what it looks like on the surface. We say this considering that 500 Github repositories have been found hosting phishing pages for the same campaign with some of them already inactive as well since it has been going on for 5 months:
Not for the first time in recent months
This is not the first time that hackers have used Facebook ads for malicious purposes. Just last month, it was reported that the Ragnar Locker ransomware gang was using Facebook ads to extort victims.
To conclude, currently, the researchers are investigating further and also collaborating with the relevant parties in order to fight the attackers.
For the future, we’d ask our users to just steer free from any external site that asks you to chip in your login credentials. If a 3rd party site does need to use your Facebook data, they should have a login with a Facebook option where you could clearly see the permissions they will have access to.