Last week, we uncovered a phishing campaign on Facebook that tricked nearly 450,000 users in Germany since its launch on January 26. A week later, it seems that the threat actor is trying to cast his net even wider.
Our continued investigation into the “Is that you” Facebook phishing campaign shows that its mastermind did not abandon the operation, with more than 20,000 additional victims tricked since the new campaign began on February 11. It appears that the campaign is now also targeting British users, as about 75% of the new victims are based in the United Kingdom.
Based on the large-scale nature of this new phishing campaign and the fact that it appears to predominantly target users in the United Kingdom, we shared our report with CERT UK, Facebook, and wal.ee (the URL shortener service used by the threat actor), as well as the Dominican Republic’s cyber police.
As with the previous campaign that targeted mostly German users, the threat actor is using a legitimate third-party web statistics service to track the progress of the new phishing campaign in the UK. Once again, this helped us continue our investigation and find out the campaign’s start date, the number of affected users, and other useful information.
It appears that the threat actor is using identical tactics: sending a private Facebook message to unsuspecting users, claiming to have found a video or image with the victim featured in it. The message then leads the user through a chain of websites that have been infected with malicious scripts that harvest the victim’s credentials, and, depending on their device, infect it with adware or other malware.
The malicious scripts are hosted on the threat actor’s private server:
We also discovered the tracking code of a legitimate third-party service implanted in the phishing page, which again points to the same tactic used by the threat actor to observe how many users click on the phishing link.
A new tracking code for a new phishing campaign
This time, however, the code has been changed: it now includes a different tracking code and a different campaign name.
After obtaining the identifier, we were once again able to access the threat actor’s dashboard in order to determine the scale of the campaign.
It appears that since the start of the malicious campaign, a total of more than 20,000 users have ended up clicking the phishing link. Since we had access to the threat actor’s dashboard, we were able to identify the devices and browsers predominantly used by the affected users.
As we can see, the campaign began on February 11, with 20,000 users targeted during the first 24 hours.
New domains used for other scam campaigns
During our continued investigation into the threat actor's campaign, we also managed to correlate the following domains, which are used for different phishing or scam campaigns.
An Online Threat Alerts report mentions that berafle.xyz, one of the websites in the above list, uses similar tactics to phish victims’ credentials.
The attacker’s motives
Even though Facebook has a rigorous system of checks to stop the spread of malware and malicious links, these types of campaigns are sophisticated enough to at least temporarily bypass those measures.
It’s clear that last week’s “Is that you” phishing campaign was targeting German residents (and now people in the UK) in order to harvest their credentials. What was not immediately clear, though, was whether the mass abuse of affected Facebook accounts was carried out in order to do anything else besides spreading the campaign. For example, Facebook credentials that have been stolen from users in the United Kingdom are a valuable resource in fraudster communities, as they are being used in other types of Facebook scam campaigns as well.
What could point to the threat actor’s further motives, however, is the fact that after having their credentials harvested, the victim was redirected to a malicious website that served them either adware or malware.
We found a redirection script on the threat actor's server that redirects to a website with a unique referral code.
It appears to be an affiliate ad network that pays out money to the threat actor for each user that has been brought there and served malicious ads.
While the website does not appear to be active, the Google cache archive shows that it is actually AdsLeading, and it is based in the Dominican Republic.
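The lure described earlier (a shortened link that leads through a chain of compromised sites) and the post-harvest redirect with a referral code are both just HTTP redirect chains, and a defender triaging such a link wants to see every hop without ever rendering the pages. The following is an added example, not code from the original article or from anyone involved in the investigation: a small analyzer that walks a redirect chain one hop at a time, records each host, flags link shorteners, cleartext hops and referral-style query parameters, and stops on loops or when a hop budget runs out. The network layer is injected, so the example runs offline against a constructed chain; the hostnames, parameter names and responses below are assumptions made up for illustration, not indicators from the campaign.

```python
"""Trace a suspicious link's redirect chain hop by hop without executing page content.

Added example, not from the original article. All hosts, URLs and parameter
names here are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urljoin, urlparse

# Hypothetical watchlist of link-shortener hosts an analyst might maintain.
KNOWN_SHORTENERS = {"wal.ee", "bit.ly", "t.co"}
# Hypothetical query keys that commonly carry affiliate/referral or campaign ids.
TRACKING_KEYS = {"ref", "refid", "aff", "affid", "utm_campaign", "cid"}


@dataclass
class Hop:
    url: str
    status: int
    host: str
    flags: List[str] = field(default_factory=list)


@dataclass
class ChainReport:
    hops: List[Hop]
    final_url: Optional[str]
    stopped_reason: str  # "landed", "loop", "max_hops" or "dead_end"


def _flags_for(url: str) -> List[str]:
    """Annotate a single URL with the properties a triage analyst cares about."""
    parts = urlparse(url)
    flags: List[str] = []
    if parts.hostname in KNOWN_SHORTENERS:
        flags.append("shortener")
    if parts.scheme == "http":
        flags.append("cleartext")
    tracked = sorted(k for k in parse_qs(parts.query) if k.lower() in TRACKING_KEYS)
    if tracked:
        flags.append("tracking-params:" + ",".join(tracked))
    return flags


FetchHead = Callable[[str], Tuple[int, Dict[str, str]]]


def trace_chain(start_url: str, fetch_head: FetchHead, max_hops: int = 10) -> ChainReport:
    """Follow 3xx redirects manually.

    fetch_head(url) must return (status, headers) for a single request and must
    NOT follow redirects itself (e.g. requests.head(url, allow_redirects=False)).
    Only Location headers are consumed; no response body is ever parsed.
    """
    seen = set()
    hops: List[Hop] = []
    url = start_url
    for _ in range(max_hops):
        if url in seen:
            return ChainReport(hops, None, "loop")
        seen.add(url)
        status, headers = fetch_head(url)
        hops.append(Hop(url, status, urlparse(url).hostname or "", _flags_for(url)))
        if 300 <= status < 400:
            location = headers.get("Location")
            if not location:
                return ChainReport(hops, None, "dead_end")
            url = urljoin(url, location)  # Location may be relative
            continue
        return ChainReport(hops, url, "landed")
    return ChainReport(hops, None, "max_hops")


def host_sequence(report: ChainReport) -> List[str]:
    """Hosts in order of appearance, e.g. for blocklist or detection-rule input."""
    return [h.host for h in report.hops]


# Constructed, offline stand-in for the network: URL -> (status, headers).
FAKE_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    # lure: shortener -> compromised site -> credential-harvesting page
    "https://wal.ee/abc123": (302, {"Location": "http://lure.example/video.php?id=7"}),
    "http://lure.example/video.php?id=7": (302, {"Location": "/login.html"}),
    "http://lure.example/login.html": (200, {"Content-Type": "text/html"}),
    # post-harvest redirect into an affiliate ad network with a referral code
    "https://harvest.example/done.php": (302, {"Location": "https://ads.example/?ref=ABC123"}),
    "https://ads.example/?ref=ABC123": (200, {"Content-Type": "text/html"}),
    # two pages that redirect to each other
    "https://loop.example/a": (302, {"Location": "/b"}),
    "https://loop.example/b": (302, {"Location": "/a"}),
}


def fake_fetch_head(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("https://wal.ee/abc123", "https://harvest.example/done.php", "https://loop.example/a"):
        report = trace_chain(start, fake_fetch_head)
        print(start, "->", report.stopped_reason)
        for hop in report.hops:
            print("  ", hop.status, hop.url, hop.flags)
```

Swapping `fake_fetch_head` for a real one-request-per-call client keeps the important property: the analyzer never renders or executes anything it fetches, and the chain of hosts it produces can be fed straight into a blocklist or a detection rule.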
After we published our initial article about the Facebook phishing campaign, the Bender Crack Pro Facebook account was disabled. We have, however, received a tip about the author of the campaign from Aidan Raney, who did some digging of his own while investigating this scam. He sent us a chat with the scammer about how much he earns by steering users to malicious advertisement services.
If this is true, then the scammer could have earned at least $75,000 from both of these campaigns.
Steps we’ve taken to mitigate the threat
- We have reported the phishing campaign by giving relevant information to Facebook in order to help stop the spread of the campaign on the platform.
- We have informed the wal.ee link shortening service and asked them to disable the short URL that redirects to the malicious Facebook phishing page. At the time of publishing, they have removed the malicious script from their website.
- We have sent all the relevant information and evidence from our investigation to CERT United Kingdom since it is evident that the campaign primarily targets UK residents.
- We have sent the relevant information to the Dominican CERT, as some artefacts and evidence indicate that the campaign was launched from there.
- We have informed the breached website that serves the malicious scripts.
How to protect yourself against phishers
- Use unique and complex passwords for all of your online accounts. Password managers help you generate strong passwords and notify you when you reuse old passwords.
- Use multi-factor authentication (MFA) where possible.
- Beware of any messages sent to you, even from your Facebook contacts. Phishing attacks will usually employ some type of social engineering to lure you into clicking malicious links or downloading infected files.
- Watch out for any suspicious activity on your Facebook or other online accounts.