Harvesting Facebook user credentials likely impacted hundreds of millions of social network users worldwide.
Cyber crooks are well aware of the laws of economics. Even something as simple as a fake Facebook login page can generate revenues reaching tens of millions of dollars, recent research from cybersecurity firm Pixm shows.
Building on earlier work from Cybernews’ Senior Information Security Researcher Mantas Sasnauskas, the Pixm team uncovered an ongoing large-scale phishing campaign.
Even though the campaign has been running since late 2021, scammers might have had enough time to steal the credentials of hundreds of millions of Facebook users.
Just one landing page, out of the 400 that researchers have discovered, got 2.7 million visitors in 2021 and a whopping 8.5 million in a few months of 2022. According to Pixm, close to 400 million sessions were observed, with the number steadily rising. Worryingly, the 400 landing pages the team has discovered likely represent only a fraction of the total scope of the campaign.
The campaign itself is utterly simple. Facebook users receive a link via DM from a compromised account. Once victims click on the link, they are redirected to a fake Facebook login page via a maze of malvertizing sites. Ultimately, the victim ends up on an advert landing page, a source of revenue for fraudsters, with their Facebook credentials likely stolen.
While Facebook has safeguards to prevent phishing campaigns, the one Pixm researchers discussed employed a technique to keep its URLs from being blocked.
“This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link. After the user has clicked, they will be redirected to the actual phishing page,” claim the researchers.
However, from Facebook’s point of view, the link is legitimate since it redirects the users to a legitimate service like glitch.me, famous.co, and amaze.co that Facebook cannot block without blocking legitimate apps and links as well.
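As an added illustration, not code from the Pixm report or Cybernews, the heuristic below classifies an already-collected redirect chain (the list of hop URLs a sandbox or URL expander recorded) against the pattern described above: a first hop on a legitimate app-deployment service followed, after a maze of intermediate pages, by a Facebook-lookalike host. The sample chains and the `.example.test` hosts are constructed, and the FACEBOOK_DOMAINS set is an assumption for the example.

```python
from urllib.parse import urlparse

# Legitimate app-deployment services the report names as the first link in the
# redirect chain; blocking them outright would also block real apps and links.
LEGIT_APP_HOSTS = {"glitch.me", "famous.co", "amaze.co"}
# Domains Facebook itself uses for login (assumption: a minimal set for the example).
FACEBOOK_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (sufficient for the domains used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_facebook_lookalike(host: str) -> bool:
    """A host that carries the Facebook name but is not a Facebook-owned domain."""
    return "facebook" in host.lower() and registered_domain(host) not in FACEBOOK_DOMAINS


def classify_chain(chain: list[str]) -> dict:
    """Classify a followed redirect chain, ordered from first click to final landing page."""
    hosts = [urlparse(url).hostname or "" for url in chain]
    first_hop_legit_service = bool(hosts) and registered_domain(hosts[0]) in LEGIT_APP_HOSTS
    lookalike_hosts = [h for h in hosts if is_facebook_lookalike(h)]
    later_lookalike = any(is_facebook_lookalike(h) for h in hosts[1:])
    if first_hop_legit_service and later_lookalike:
        verdict = "phishing-pattern"  # legitimate first link, fake Facebook login later
    elif lookalike_hosts:
        verdict = "lookalike"         # fake Facebook host, but not the two-stage pattern
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "first_hop_legit_service": first_hop_legit_service,
        "intermediate_hops": max(len(hosts) - 2, 0),
        "lookalike_hosts": lookalike_hosts,
    }


# Constructed sample chain mimicking a link sent by DM: app-hosting first hop,
# two malvertising hops, then a lookalike login page.
SAMPLE_DM_CHAIN = [
    "https://example-app.glitch.me/go",
    "https://ads.example-tracker.test/r?x=1",
    "https://offers.example-ads.test/landing",
    "https://facebook-login-verify.example.test/login",
]

if __name__ == "__main__":
    print(classify_chain(SAMPLE_DM_CHAIN))
```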
Since Sasnauskas had direct contact with one of the attackers and found attackers make around $150 for every thousand visits from the US, Pixm researchers could estimate how much money scammers might obtain with the phishing scam.
With an estimated total of close to 400 million visits, the scam might have netted fraudsters a whopping $59 million since the end of 2021.
According to the Pixm researchers, scammers generate money from a combination of ad tracking tools on the landing pages and redirects after users enter their credentials on the phishing page. Scammers also collect referral revenue from pages that route to a malvertising page prompting additional interaction from the user.
As was the case with the Cybernews research, the Pixm team has uncovered the identity of the people behind the scam and passed the information to the Colombian police and INTERPOL.