Our investigation into a malicious Facebook Messenger message uncovered a large-scale phishing operation on Facebook. We also potentially identified the threat actor behind the phishing campaign and his intentions.
“Is that you” is a phishing scam circulating on Facebook in various forms since at least 2017. It begins with a Facebook message sent by one of your friends. The “friend” claims to have found a video or image with you featured in it.
The message masquerades as a video that, when clicked, leads you through a chain of websites infected with malicious scripts.
These scripts determine your location, the device you are using, and your operating system. They then lead you to a malicious Facebook phishing page in order to harvest your credentials, and, depending on your device, infect it with adware or other malware.
Close to 500,000 victims
At the time of writing this report on February 8, the number of potential victims exceeded 480,000 since the phishing campaign began on January 26, 2020, with 77% of the victims being based in Germany.
Based on the large-scale nature of the campaign and the fact that it appears to predominantly target users in Germany, we shared our report with CERT Germany, Facebook, and wal.ee (the URL shortener service used by the threat actor). We also informed the Dominican Republic’s cyber police about the incident.
That being said, it wasn’t immediately clear whether the threat actor behind the phishing operation was using the compromised Facebook accounts for any malicious purpose other than to simply spread the phishing campaign through the victims’ Messenger contacts.
Interestingly, however, the threat actor was using a legitimate third-party web statistics service to track the campaign, which helped us conduct our investigation and find out the start date of the campaign, the number of affected users, and more useful information.
Every week, thousands of social media accounts are compromised and stolen by phishers. A quality password manager will help you keep your online accounts secure.
Protect your data now
How the phishing campaign works
The campaign is initiated by sending the potential victim a message from one of their Facebook contacts. The message contains what appears to be a video link with a suggestive text that asks the victim ‘Is that you?’ in German. It seems that the message employs Facebook’s Open Graph protocol to manipulate the fake video preview to include the recipient’s name.
After clicking the malicious link, the victim is redirected to a fake Facebook phishing page.
The “legitimate” phishing page
Interestingly, the malicious script that redirects victim to the phishing page is hidden in what appears to be a compromised legitimate website.
The website appears to be legitimate. However, a malicious XML file has been injected into its code.
The file has a small script that triggers a redirect to a short URL, which then leads the victim to a malicious phishing page. Using a legitimate website to host malicious redirect scripts makes the phishing attack more effective as it can be used to bypass Facebook’s blacklists.
How we uncovered the threat actor behind the campaign
As we investigated the phishing page, we learned that it includes HTML content with Open Graph metadata and obfuscated images with Base64 encoding.
To our surprise, we found that the malicious script was signed by the author. Translated from Spanish, the author’s signature means:
The domain mentioned in the signature no longer exists. However, upon further investigation, we discovered a Facebook page that could be connected to the creator of the malicious script:
Meanwhile, the original phishing page also includes a script designed to harvest credentials entered by the victims and collect their location data:
The malicious scripts are hosted on the threat actor’s private server:
We also discovered legitimate third-party service-tracking code implanted in the phishing page.
After obtaining the identifier, we were able to access the threat actor’s dashboard to determine the scale of the campaign.
It appears that since the start of the malicious campaign, a total of more than 480,000 users have ended up clicking the phishing link. Since we had access to the threat actor’s dashboard, we were able to identify the devices and browsers predominantly used by the affected users.
We were able to identify and correlate other, potentially malicious activities that we traced to the same threat actor.
The Facebook phishing campaign is named Tamo Trabajando, which means “we’re working.”
Even though Facebook has a rigorous system of checks to stop the spread of malware and malicious links, these types of campaigns are sophisticated enough to at least temporarily bypass those measures.
It’s clear that the “Is that you” phishing campaign was targeting German residents in order to harvest their credentials. What was not immediately clear, however, is whether the mass abuse of breached Facebook accounts was perpetrated in order to do anything else besides spreading the campaign.
What could point to the threat actor’s further motives, however, is the fact that after having their credentials harvested, the victim was redirected to a malicious website that served them either adware or malware.
The threat actor’s other campaign – Blacksar Inc. – appears to be associated with additional malicious websites and malware campaigns. We have observed more Spanish words in the code, such as saliendopadentro, Desarrollado por etc.
One of the malicious Blacksar domains was registered from the Dominican Republic, which strongly suggests that the threat actor is from a Spanish-speaking country or even the Dominican Republic itself.
One interesting campaign and tracking code was LA PARITA, which tracked a particular personal Facebook profile and its visitors. That person seemed to be based in the Dominican Republic.
At this point, we have sent our report, our open-source intelligence, and all the remaining details we gathered during our analysis to the Computer Emergency Response Teams (CERTs) in Germany and the Dominican Republic.
Steps we’ve taken to mitigate the threat
- We have reported the phishing campaign with the relevant information to Facebook to help stop the spread of the campaign on the social media platform.
- We have informed the wal.ee link shortening service to disable the short URL that redirects to the malicious Facebook phishing page. At the time of publishing they have removed the malicious script from their website.
- We have sent all the relevant information and evidence from our investigation to CERT Germany since it is evident that the campaign primarily targets German citizens.
- We have sent the relevant information to Dominican CERT, as some artefacts and evidence point that the campaign was launched from there.
- We have informed the website compromised by the threat actor that it serves malicious scripts.
How to protect yourself against phishers
- Use unique and complex passwords for all of your online accounts. Password managers help you easily create strong passwords and notify you of password reuse.
- Use multi-factor authentication where possible.
- Beware of any messages sent to you, even from your contacts. Phishing attacks usually employ some type of social engineering to lure users into clicking malicious links or downloading infected files.
- Be mindful of any suspicious activity on your Facebook or other accounts.