Thursday, February 6, 2025
HomeCyber Security NewsFacebook Infrastructure Used by Hackers in Phishing Attack Chain

Facebook Infrastructure Used by Hackers in Phishing Attack Chain

Published on

SIEM as a Service

Follow Us on Google News

A Meta-Phish attack that could lead to the loss of personally identifiable information (PII), login information, and a Facebook profile link was discovered by Trustwave SpiderLabs.

This recent phishing campaign tricks victims by using Facebook posts in its chain of attacks. The emails that were sent to the targets made it appear as though one of the recipients’ Facebook posts violated copyright, and they threatened to remove their accounts if no appeal was made within 48 hours.

https://www.trustwave.com/media/19406/picture1yu.png?v=0.0.1
Phishing email message

“The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain”, according to Trustwave.

Here the Facebook post pretends to be “Page Support,” using a Facebook logo to appear as if the company manages it.

https://www.trustwave.com/media/19407/picture2yu.png?v=0.0.1
Facebook post masqueraded as a support page

The main phishing URL, hxxps:/meta[.]forbusinessuser[.]xyz/main[.]php, which resembles Facebook’s copyright appeal page, is reached by clicking the link in the post.

https://www.trustwave.com/media/19408/picture3yu.png?v=0.0.1
Fake Facebook Copyright Appeal page

Particularly, any data that victims enter into the form after hitting the send button, along with the victim’s client IP and geolocation data will be forwarded to hackers.

Also, threat actors may gather more data to get through fingerprinting protections or security questions while gaining access to the victim’s Facebook account.

The victim is then redirected to the next phishing website, where a false 6-digit one-time password (OTP) request with a timer is displayed.

https://www.trustwave.com/media/19395/picture10yu.png?v=0.0.1
Phishing page with OTP request

Any code entered by the victim will fail, and if the “Need another way to authenticate?” button is pressed, the site will redirect to the real Facebook site.

According to Trustwave, multiple Facebook profiles have fake messages that look to be support pages and direct users to phishing websites.

Various Facebook accounts promoting the same fake alerts
Various Facebook accounts promoting the same fake alerts 

Therefore, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are urged to take extreme caution when receiving false violation alerts and to not fall for the initial links’ seeming legitimacy.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...

Flesh Stealer Malware Attacking Chrome, Firefox, and Edge Users to Steal Passwords

A newly identified malware, Flesh Stealer, is rapidly emerging as a significant cybersecurity threat...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit 3,000 ASP.NET Machine Keys to Hack IIS Web Servers Remotely

Microsoft has raised alarms about a new cyber threat involving ViewState code injection attacks...

Abyss Locker Ransomware Attacking Critical Network Devices including ESXi servers

The Abyss Locker ransomware, a relatively new but highly disruptive cyber threat, has been...

Weaponized SVG Files With Google Drive Links Attacking Gmail, Outlook & Dropbox Users

A new wave of phishing attacks is leveraging Scalable Vector Graphics (SVG) files to...