Facebook Messenger phishing attack pumps out 100K+ weekly messages

Millions of Facebook business accounts worldwide are being targeted with phishing messages, and researchers say close to one in 70 targets ends up infected.

Attackers have been abusing Facebook’s Messenger platform to send millions of targeted phishing messages. According to cybersecurity firm Guardio, the crooks single out highly rated marketplace sellers and, sometimes, large corporations with fake business inquiries.

Typically, the message starts with a simple “hello” from a fake account. From the victim’s perspective, that is just another potential customer.

The attacker then asks whether a product is still available. The only way to learn which “product” the fake customer means is to download a file.

This is how the criminals coax victims into downloading a RAR or ZIP archive containing a downloader for a Python-based infostealer. The archive’s contents are encoded so that automated scanners do not recognise them.
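The lure described above leaves a recognisable shape on the receiving end: an archive that is supposed to hold product details but actually carries a script or executable, often behind a decoy double extension, plus an encoded blob for the next stage. The following triage script is an added example written for this article, not Guardio’s tooling or code from the campaign. It assumes a ZIP archive (RAR would need a third-party module such as rarfile, which the standard library lacks), and the sample archive it builds, including the member names and the base64 stand-in for the encoded downloader, is constructed here for illustration.

```python
import base64
import io
import os
import zipfile

# Member types a legitimate "which product did you mean?" archive would not
# contain: scripts and executables, i.e. what a downloader stage arrives as.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".jse", ".vbs", ".ps1",
    ".py", ".pyw", ".lnk", ".hta", ".msi",
}
# Extensions used as the decoy half of a double extension ("photo.jpg.bat").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                    ".jpg", ".jpeg", ".png", ".txt"}


def split_extensions(name: str):
    """Return (final extension, extension before it), both lowercased."""
    stem, ext = os.path.splitext(os.path.basename(name))
    _, inner = os.path.splitext(stem)
    return ext.lower(), inner.lower()


def looks_like_base64_blob(data: bytes, min_len: int = 200) -> bool:
    """Coarse heuristic: one long run of base64 text that decodes cleanly."""
    stripped = b"".join(data.split())  # tolerate line wrapping
    if len(stripped) < min_len:
        return False
    try:
        base64.b64decode(stripped, validate=True)  # rejects non-alphabet bytes
    except ValueError:
        return False
    return True


def triage_member(name: str, data: bytes) -> list:
    """Reasons a single archive member deserves a closer look."""
    reasons = []
    ext, inner = split_extensions(name)
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append("script/executable member (%s)" % ext)
        if inner in DECOY_EXTENSIONS:
            reasons.append("double extension masquerading as %s" % inner)
    if looks_like_base64_blob(data):
        reasons.append("large base64-encoded blob")
    return reasons


def triage_archive(zip_bytes: bytes) -> dict:
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cap the bytes read so a decompression bomb cannot exhaust memory.
            with zf.open(info) as fh:
                data = fh.read(1024 * 1024)
            reasons = triage_member(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: a decoy image, a double-extension
    launcher, a Python downloader stub, and a base64-wrapped second stage."""
    encoded_stage = base64.b64encode(
        b"print('constructed stand-in for the encoded downloader') " * 8)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("catalog/item_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("catalog/Product details.pdf.bat",
                    b"@echo off\r\nstart pythonw loader.py\r\n")
        zf.writestr("catalog/loader.py", b"import base64\n# constructed placeholder\n")
        zf.writestr("catalog/config.txt", encoded_stage)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

Run against the constructed sample, the decoy image passes while the double-extension launcher, the Python downloader stub and the base64 blob are each flagged. The base64 check is deliberately coarse (long whitespace-free runs of plain letters can also satisfy it), so treat it as a triage signal to route an attachment to a sandbox, not as a verdict.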

Legitimate business accounts are a lucrative target for threat actors. Stolen credentials can be quickly sold on forums to criminals who use them to push fake ads, malware, and scams.

Guardio researchers say that while the technique is far from novel, the scale of the campaign is worrying: in just 30 days, attackers targeted a staggering 7% of all Facebook business accounts, and one in 250 of those targeted downloaded the malicious file.

Elsewhere Guardio puts the figure even higher, claiming one in 70 targets has been infected, in what it describes as a staggering “success rate” for the criminal undertaking.

The precise reason for the discrepancy between these two sets of figures was not made clear by researchers.

“The threat actors hold an army of bots and fake Facebook accounts as well as a listing of millions of business accounts, pages, and managers – sending over 100k phishing messages a week to Facebook users around the world,” researchers claim.

By following the breadcrumbs left by the perpetrators, Guardio’s team deduced that the threat actors likely come from Vietnam: some of the commands are in Vietnamese and there are signs of the Coc Coc browser, popular in the South-east Asian nation.

Telegram/Discord API tokens left behind by the attackers’ bots led researchers to a Telegram account named “MrTonyName,” which they believe belongs to one of those behind the attack.