Millions of Facebook Users’ Credentials Harvested Using Legitimate App Services

essidsolutions

An ongoing phishing campaign on Facebook has earned its propagators roughly $59.85 million since last year. Discovered by PIXM Security, the phishing campaign has been active since September 2021 on Facebook and Messenger but became truly successful in April this year.

AI-driven cybersecurity vendor PIXM Security recently stumbled upon a stealth phishing campaign that exploits Facebook user accounts through legitimate online services. With possible origins in Colombia, the phishers have earned tens of millions of dollars in ad-referral revenue through the campaign.

The phishers have been harvesting Facebook user credentials and have impacted millions of users. The New York-based cybersecurity company detailed the technical and operational aspects of the campaign, in particular how the phishers avoid detection by using legitimate online services.

Like most phishing campaigns, this one relies on a fake landing page with fields to enter email/Facebook username and password.

Facebook Phishing Landing Page | Source: PIXM

Using credentials harvested from the fake landing page, the threat actors logged in to users’ Facebook accounts and deployed automated tools to send phishing links to their friends on the social platform.

Through this method, the phishers could quickly disseminate the fraudulent links to millions of Facebook accounts. Facebook usually curbs such campaigns once they become public. However, these phishers leveraged URL-generating tools such as glitch.me, famous.co, amaze.co, funnel-preview.com, etc., to stealthily sustain the malicious operation.

“Facebook’s internal threat intelligence team is privy to these credential harvesting schemes, however this group employs a technique to circumvent their URLs from being blocked,” PIXM noted. “This technique involves the use of completely legitimate app deployment services to be the first link in the redirect chain once the user has clicked the link.”

“After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”
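The evasion PIXM describes is a redirect chain whose first hop is a legitimate app-hosting domain, so blocking the posted link alone is ineffective. The added example below (not PIXM's code) shows a defender-side triage check: it walks a redirect chain and flags chains that start on one of the hosting services named in the report but terminate on an unrelated domain. The redirect table and all hostnames under `.example` are constructed stand-ins for live HTTP 3xx responses, not indicators from the report.

```python
from urllib.parse import urlparse

# Hosting / URL-generation services named in the PIXM report as first hops.
APP_HOSTING_DOMAINS = {"glitch.me", "famous.co", "amaze.co", "funnel-preview.com"}

# Constructed redirect table standing in for live HTTP Location headers
# (hypothetical hostnames; not indicators from the report).
REDIRECTS = {
    "https://example-project.glitch.me/": "https://short.funnel-preview.com/x",
    "https://short.funnel-preview.com/x": "https://login-secure.example/fb",
    "https://loop-a.example/": "https://loop-b.example/",
    "https://loop-b.example/": "https://loop-a.example/",
}

def registered_domain(url):
    """Crude eTLD+1: the last two labels of the hostname (enough for this demo)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def follow_chain(url, lookup=REDIRECTS.get, max_hops=10):
    """Return the ordered URLs visited; stops at a terminal URL, a loop or the hop limit."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in seen:      # terminal page or redirect loop
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain

def classify(url, lookup=REDIRECTS.get):
    """Flag a chain whose first hop is an app-hosting service but whose
    final destination is a domain outside those services."""
    chain = follow_chain(url, lookup)
    first, last = registered_domain(chain[0]), registered_domain(chain[-1])
    suspicious = (first in APP_HOSTING_DOMAINS
                  and last not in APP_HOSTING_DOMAINS
                  and last != first)
    return {"chain": chain, "final_domain": last, "suspicious": suspicious}

if __name__ == "__main__":
    for start in ("https://example-project.glitch.me/", "https://loop-a.example/"):
        print(classify(start))
```

In production the `lookup` argument would be replaced by a function that issues a HEAD request and returns the `Location` header, keeping the same loop and hop-limit handling.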

However, the threat actors erred when they embedded a link to the traffic-monitoring application (whos.amung.us) they were using. This allowed PIXM researchers to access the tracking metrics of the entire phishing campaign, including hundreds of landing pages the actors had developed.

As expected, the scale is massive. One of the landing pages had 2.7 million user visits in 2021 and has been visited by approximately 8.5 million users so far in 2022.

Facebook Phishing Campaign Statistics | Source: PIXM

PIXM also discovered over 400 unique usernames, each linked to a different phishing landing page. One username, teamsan2val, had as many as 6.3 million views in 2022, up 128% from 2021.

In total, all these usernames had 399,017,673 sessions. The phishers also told an OWASP researcher that for every one thousand visits from the United States, they earned about $150. This translates to total revenue of $59.85 million.

Facebook Phishing Campaign Earnings | PIXM, OWASP

The company adds, “We estimate that the 400 usernames identified so far, and all of their unique phishing pages, only represent a fraction of this campaign.” So even if the threat actors’ claim of earning nearly $150 per thousand visits is bogus, the existence of hundreds, possibly thousands, of additional usernames indicates that their revenue could be far higher than what the cybersecurity firm calculated.

Revenue, PIXM explained, is generated through ad referrals earned by the redirected user who lands on the phishers’ landing pages. “These pages will typically route to a malvertising or advertising page prompting additional interaction from the user, which the threat actor collects referral revenue from,” PIXM wrote.

The phisher(s) remain unidentified as of now. But PIXM could track the landing pages, all of which contained the same code snippet referring to a website owned by one Rafael Dorado. However, the website referred to in the code snippet (bendercrack.com) displayed the following:

Source: PIXM

PIXM also found legitimate web development businesses in Colombia featuring the same contact details associated with bendercrack.com. These businesses offered Facebook-like bots, hacking services, and other illicit web business services.

Aside from publishing its findings, PIXM has also reported the phishing campaign to law enforcement authorities, including the Colombian Police and INTERPOL.
