Facebook ads Abused to Steal 615000+ Logins in Phishing Campaign

Facebook ads and Github pages seem to be the latest route opted for by cybersecurity attackers to phish for and steal credentials of Facebook users.

Researchers at Nepalese cybersecurity firm, Threat Nix, have uncovered a wide spread campaign targeted at Nepal, Philippines, Egypt and several other countries.

It is anticipated that this campaign may have already hit at least 50 countries and over 615,000 users, and a number of victims seems to be increasing at a rapid pace of 100 victims per minute.

This campaign was first discovered by the researchers when they noticed a sponsored Facebook post offering 3GB mobile data from a Nepalese telecom provider.

Once the ad was clicked on, it led to a phishing site hosted on a Github page. These pages mimicked the original page greatly and were almost impossible to tell the difference between the original and fake pages.


How does the attack work?

The phishing sites mimicked the Facebook login page and stole the unsuspecting victims’ credentials and then that would reach two endpoints, one to a Firestore database and another to a domain owned by the phishing group.

Though Facebook does a great deal to ensure such phishing pages are denied for ads, in this case, the attackers were smart and managed to find a loophole in the process. They used Bitly’s links which would point to a non-hostile page and once the ad was approved, it was modified to that of the phishing page.


Almost 500 Github repositories containing phishing pages were discovered. It is possible that similar tactics were used earlier as the earliest of these pages dates back to 5 months, and some of the repositories were deleted.

The domain is registered and hosted at GoDaddy and was registered on 3rd April 2020.Four other domains have also been identified and linked with this scam.

Threat Nix is working with the concerned authorities to track these attackers and take down the malicious phishing pages. No further details have been released yet as this an ongoing investigation.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Leave a Reply