Search This Blog

Powered by Blogger.

Blog Archive

Labels

Millions of Facebook Users' Credentials Were Stolen via Authentic App Services

PIXM discovered a common code snippet containing a reference to a website that had been seized against a Colombian individual.

 

The phishing effort used Facebook and Messenger to deceive millions of consumers into visiting advertising pages and websites where personal account information was exposed. 

The phishing campaign used messages through messenger to entice users to open the link, thus the pop-up requested for account credentials, which unsuspecting consumers provided by filling out the phishing form with their login and password. The campaign operators used the hacked accounts to send more hacker messages to their friends, earning a lot of money through internet advertising fees.

The effort peaked in April-May 2022 but has been active since at least September 2021, as per PIXM, a New York-based AI-focused cybersecurity business. Since one of the identified phishing pages included a link to a publicly accessible traffic monitoring app (whos.amung.us) without authentication, PIXM was able to track down the threat actor and map the campaign. 

Over 405 different usernames were uncovered by PIXM, each of which was linked to a distinct phishing landing page. In 2022, one username, teamsan2val, got 6.3 million views, up 128 percent from 2021. All of these usernames had a total of 399,017,673 sessions. The phishers also informed an OWASP researcher who claimed they made roughly $150 for every thousand visitors from the United States. This equates to $59.85 million in total revenue.

These 405 usernames, as per the researchers, are merely a small portion of the total number of accounts employed in the effort. The second wave of redirections begins after the victim inputs the credentials on the phishing landing page, bringing visitors to advertising pages, survey forms, and so on. These redirects provide referral revenue for the threat actors, which is believed to be in the millions of dollars at this scale. One may deduce three things about the malicious attacks going on based on these new discoveries and disclosures. These are the attacks: 
  • Software-based
  • Growing at an exponential rate 
  • Vulnerable populations are targeted

On all landing pages, PIXM discovered a common code snippet that contained a reference to a website that had been seized as part of an investigation against a Colombian individual named Rafael Dorado. It's unclear who took control of the domain and posted the message.

A reverse whois search turned up links to a real web development company in Colombia, as well as ancient websites selling Facebook "like bots" and hacking services. 

The results of PIXM's inquiry were shared with the Colombian Police and Interpol, but the campaign is still ongoing, although many of the identified URLs have been offline.
Share it:

Credential Phishing

Cyber Attacks

Facebook Ads

Phishing Attacks

URL Spoofing

User Privacy