Security researchers at the cybersecurity firm PIXM have identified a massive phishing campaign being conducted through Facebook and Messenger, which has driven millions of individuals to web pages hosting phishing forms and online adverts. According to PIXM, in just 4 months, a threat actor was able to steal more than 1 million credentials and generated significant revenue from online advertising commissions.
The account credentials harvested through the phishing forms were used to log in to the victims' accounts, which were then used by automated tooling to send the same phishing lure to each victim's contacts. According to the researchers, the campaign has been active since at least September 2021 and peaked in April and May 2022.
According to PIXM, the campaign could be traced because one of the phishing pages linked to a traffic-monitoring application that was reachable without authentication. That dashboard showed how effective the campaign has been: a single phishing URL recorded 2.7 million pageviews in 2021 and 8.5 million pageviews in 2022.
In total, 405 unique usernames had been used as campaign identifiers and each had a Facebook phishing page. The number of pageviews per profile ranged from around 4,600 to more than 6.3 million; however, the researchers suspect that the 405 usernames were only a small sample of the accounts used in the campaign.
Facebook has safeguards that block known phishing URLs from being distributed through Messenger, but the threat actors behind this campaign bypassed them. Rather than linking directly to attacker-controlled domains, the lures pointed to phishing pages hosted on legitimate app-hosting and URL generation services such as amaze.co, funnel-preview.com and glitch.me. Because those services host a large number of legitimate apps, the link domain itself carries no bad reputation, and blocking the service wholesale would break legitimate traffic, so individual abusive pages have to be identified instead.
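The evasion described above means a link filter cannot simply block the hosting domain; it has to look at what is being served from it. The following is an added example (not PIXM's, Facebook's or the hosting services' code) of a per-link triage heuristic that allows ordinary pages on these shared hosts but flags pages whose subdomain or path impersonates a Facebook login. The hosting-service list is the one named in the report; the brand and lure word lists, the verdict names and the sample links are assumptions constructed for this example. The final branch, which also flags brand terms inside a third-party domain name, generalises beyond the specific campaign.

```python
import re
from urllib.parse import urlsplit, unquote

# Legitimate app-hosting / URL-generation services named in the report.
# They host many real apps, so the rule below flags individual pages, never the service.
SHARED_HOSTING = {"amaze.co", "funnel-preview.com", "glitch.me"}

# Domains Facebook itself uses for login (assumed allow-list for this example).
FACEBOOK_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}

# Indicator word lists are assumptions constructed for this example.
BRAND_TERMS = {"facebook", "messenger", "fb"}
LURE_TERMS = {"login", "signin", "verify", "secure", "account", "confirm", "video"}


def registrable_domain(host: str) -> str:
    # Last two labels is enough for the services above; a real deployment
    # would consult the Public Suffix List (for example to handle *.co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tokens(text: str) -> set[str]:
    # Split on anything that is not a letter or digit so "fb-login" -> {"fb", "login"}.
    return {t for t in re.split(r"[^a-z0-9]+", unquote(text).lower()) if t}


def indicators(text: str) -> tuple[list[str], list[str]]:
    # Short brand terms must match a whole token ("fb"); longer ones may be
    # embedded in a token ("facebooklogin"), which attackers commonly do.
    words = tokens(text)
    low = unquote(text).lower()
    brand = sorted(b for b in BRAND_TERMS if b in words or (len(b) > 2 and b in low))
    lure = sorted(words & LURE_TERMS)
    return brand, lure


def triage_link(url: str) -> dict:
    """Return a verdict ('allow', 'review' or 'block_page') with the reasons for it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "review", "service": None, "reasons": ["no host in URL"]}

    base = registrable_domain(host)
    if base in FACEBOOK_DOMAINS:
        return {"verdict": "allow", "service": base, "reasons": ["first-party domain"]}

    # Only the attacker-chosen parts of the URL are inspected on a shared host:
    # the subdomain (the app name) and the path/query.
    subdomain = host[: -len(base)].strip(".") if host != base else ""
    brand, lure = indicators(f"{subdomain} {parts.path} {parts.query}")
    reasons = []
    if brand:
        reasons.append(f"brand terms {brand}")
    if lure:
        reasons.append(f"lure terms {lure}")

    if base in SHARED_HOSTING:
        if brand:
            return {"verdict": "block_page", "service": base, "reasons": reasons}
        if lure:
            return {"verdict": "review", "service": base, "reasons": reasons}
        return {"verdict": "allow", "service": base, "reasons": ["shared host, no indicators"]}

    # Not a shared host: a brand term inside the domain name itself is a lookalike domain.
    if indicators(host)[0]:
        return {"verdict": "block_page", "service": base,
                "reasons": ["brand term in third-party domain"]}
    return {"verdict": "review" if brand else "allow", "service": base,
            "reasons": reasons or ["no indicators"]}


if __name__ == "__main__":
    # Constructed sample links; none of these are real campaign URLs.
    for sample in ("https://fb-login-secure.glitch.me/video",
                   "https://my-todo-app.glitch.me/",
                   "https://www.facebook.com/login.php",
                   "https://funnel-preview.com/p/account-verify",
                   "https://facebook-security-check.example/login"):
        print(sample, "->", triage_link(sample))
```

The design point is that the decision key is the registrable domain plus the attacker-controlled parts of the URL, not the domain alone: a plain app on `glitch.me` is allowed, while `fb-login-secure.glitch.me` is blocked as a page, leaving the service itself untouched. A production filter would add the redirect-chain destinations and page-content checks on top of this static URL scoring.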
After a user landed on a phishing page, they were sent through a chain of further redirects to advertising pages, surveys and other content. Since the actors behind this campaign earn commissions based on the number of times adverts are shown, the revenue generated from these redirects would have been considerable; PIXM suggests the campaign could have earned millions of dollars.
PIXM was able to trace the campaign further because every landing page carried code stating that it was developed by bendercrack.com. That domain now displays a message stating it was seized on January 17, 2021, as part of an ongoing investigation, but it is unclear who seized it.
PIXM found a phone number in archived copies of the site and, through a reverse WHOIS lookup, an associated email address. That email address was registered to several other domains that appeared to belong to a legitimate web development business in Colombia. Some of the older sites associated with the company advertised Facebook like-bots, hacking services and other illicit web business. The findings were passed on to the Colombian Police and INTERPOL. At the time of reporting, the campaign was still active.