This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.
“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.
Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.
The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page, is reached by clicking the link in the post.
Particularly, any data that victims enter into the form after hitting the send button, along with the victim’s client IP and geolocation data will be forwarded to hackers.
Also, threat actors may gather more data to get through fingerprinting protections or security questions while gaining access to the victim’s Facebook account.
The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.
Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site will redirect to the real Facebook site.
According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.
Therefore, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving false violation alerts and to not fall for the initial links’ seeming legitimacy.
The Totally Awesome Phish Trivia Book: Uncover The History & Facts Every Phish Head Should Know!
InfoSecBooks | Tools | Services